The EU's GDPR versus China's PIPL

China's Personal Information Privacy Law (PIPL) is a set of privacy rules with many similarities to Europe's General Data Protection Regulation (GDPR).

If you already comply with the GDPR, you are well on the way to being ready for the PIPL.

However, you do need to prepare for some differences between the two laws.

In this article, we'll take a look at these differences and outline what you'll need to do to comply.

Basic Concepts of the GDPR and PIPL

The GDPR and PIPL both have broadly similar aims and concepts:

• Both set out specific data rights for individuals, with the law aiming to uphold these rights.
• Both set out specific responsibilities for data processors.
• Both are laws of a specific geographic area but can apply to data processors anywhere in the world in some circumstances.
• Both work on the key principle that processing personal data is only lawful in specific circumstances known as bases.

Legal Statuses of the GDPR vs PIPL

The GDPR is a European Union regulation that took effect on 25 May 2018. As an EU regulation, it automatically has legal force in all countries that are EU members, without the need for new national laws. (At the time of writing, the measures of the GDPR also apply in the United Kingdom through its national laws.)

The PIPL is a proposed national law in China. The government published a first draft in October 2020 and, following consultation, a revised second draft in April 2021.

Following a final consultation, it's likely a third and final draft will go to the Chinese legislature in late 2021 and, once approved by lawmakers, take effect at some point in 2022.

The Scope of the GDPR vs PIPL

Both the GDPR and PIPL cover any personal data processing that physically takes place in the European Union or China, respectively.

The GDPR also applies if either the processor or the data subject (the person the data is about) is in the EU.

Meanwhile, the PIPL also applies, regardless of the processor's location, if the processing is done to provide products or services to people in China, or is done to assess or analyze people in China.

Key Definitions of the GDPR vs PIPL

Both laws are based around "personal data" (GDPR) or "personal information" (PIPL), which have the same basic definition: Any information about an identified or identifiable person. In both cases this must be a natural person, meaning a human rather than a legal entity such as a corporation.

The GDPR only covers living people. Under the PIPL, the lawful basis rule and the general processor obligations only cover living people. However, the close family of a deceased person can exercise the rights that person held over their data when they were alive, for example to access it or ask for it to be deleted.

Both laws govern "processing" of data with a broad definition covering any use of data, including collecting or disclosing it.

Although the two laws distinguish between making decisions on processing and carrying out those decisions, they use different terminology, which could risk confusion:

Somebody who decides how data is processed (whether or not they physically do the processing) is called a "data controller" under the GDPR but a "data processor" under the PIPL.

Somebody who physically processes data on somebody else's behalf and following their instructions is called a "data processor" under the GDPR and an "entrusted party" under the PIPL.

Both laws have special rules for handling sensitive personal information. The PIPL simply defines this as information that could lead to discrimination or serious danger to safety if it was leaked or used without authorization. The GDPR uses the term "special category data" and covers any information that reveals or relates to a person's:

• Ethnic or racial origin
• Political opinions
• Philosophical or religious beliefs
• Trade union membership
• Biometric data (for identification)
• Genetic data
• Health
• Sex life
• Sexual orientation

Data Subject Rights Under the GDPR vs PIPL

Both laws set out specific rights that individuals have over their personal data. These are key to the law as they could affect how any ambiguities in the wording or any arguments over interpretation are determined by a government agency or court.

Both laws give people the following rights:

• To know what data is held about them and to see a copy
• To know how and why their personal data is processed
• To correct inaccurate or incomplete personal information
• To complain about a breach of the relevant law
• To object to their data being used for automated decision making (such as profiling)

The PIPL also gives people the right to object to their data being used for direct marketing.

The GDPR also gives people the right to obtain a copy of their data in a format they can easily transfer to another processor.

Both laws give people the right to ask you to delete data in certain circumstances:

• It's no longer needed for the stated purpose
• The person has withdrawn their consent for processing
• You've breached a relevant law or contract
• A law or court order says you must delete the data

The PIPL also lets people tell you to delete their data if:

• They were a customer but you no longer provide them goods or services, or
• You gave a time period for using it and that period has expired

The GDPR also lets users ask you to delete their data if:

• You did so on the legal basis of "legitimate interests" and those interests no longer outweigh the person's data rights, or
• You processed the data to offer "information society services" to a child

GDPR vs PIPL Rules For Legal Bases

Both laws say you can only process personal information under specific conditions, each known as a lawful basis. You must know which basis you are relying on before you process data.

Consent

With both laws, a business is most likely to rely on the basis of the data subject giving consent.

This consent must be freely-given and informed. That means the person knows what data you are collecting and why you are using it, and they have a genuine choice whether or not to give consent.

You cannot refuse to serve a customer who does not give consent unless the relevant processing is genuinely necessary to provide a product or service.

Both laws say people have the right to withdraw consent. Once this happens you can no longer use the data.

Luxoft's Privacy Notice details the implications of giving or refusing consent and the right to withdraw it:

The GDPR has extra conditions for consent. It must be active and affirmative, meaning the user does something to clearly indicate consent. You cannot use an opt-out consent system with the GDPR, though this appears to be acceptable with the current draft of the PIPL.

The minimum age for giving consent is 18 for the GDPR, 14 for the PIPL and 13 in the United Kingdom. For children below these ages you will need the consent of a parent or legal guardian.

Other Legal Bases

As well as consent, the two laws both allow the following lawful bases:

• You are processing the data to fulfil a contract with the data subject (for example, using an address to ship an order)
• A law or court order says you must do the processing
• You are protecting somebody's vital interests (GDPR) or physical interests (PIPL). In both cases this usually applies to medical emergencies, for example dealing with a pandemic or accessing the medical records of somebody who is unconscious.
• You are exercising a legal or public authority power

The GDPR (but not the PIPL) has a legal basis called legitimate interests. This is where the processing is a key part of your business and you have concluded this legitimate interest outweighs the person's data rights. As a rule of thumb, this is most appropriate for situations where the person would reasonably expect you to carry out the processing and you've minimized the effects on their privacy.

The Woodland Trust gives examples of its legitimate interests:

The PIPL (but not the GDPR) has a lawful basis for processing to report news or carry out public supervision for the public interest.

GDPR vs PIPL Rules For Transferring Data

Both laws limit how you transfer data to third parties or other countries.

If you pass data on to a third party for processing (a data processor under the GDPR and an entrusted party under the PIPL), you must have a binding agreement. This must set out your respective responsibilities and require the third party to follow the relevant law. It must also say that if your processing arrangements end, the third party must return or delete the data.

Both laws also say you must safeguard data when transferring it outside of the European Union (the GDPR) or China (the PIPL).

Acceptable safeguards under the GDPR include:

• The EU has issued an "adequacy decision" that says the other country's data laws offer equivalent protections
• You have binding corporate rules when transferring to an organization that's part of the same corporate group
• You have a legally binding agreement with the recipient that says they will protect the data in line with the GDPR

eBay uses all three of these methods:

Acceptable safeguards under the PIPL include:

• You're transferring to a "critical information infrastructure operator" and have completed a risk assessment under China's existing cybersecurity law
• You have a legally binding agreement with the recipient that says they will protect the data in line with the PIPL and you have a way to monitor this
• You have a certification from a body approved by China's cybersecurity administrative authorities

Unlike with the GDPR, the PIPL not only requires this safeguard but also says you must get the data subject's specific consent to make the transfer.

GDPR vs PIPL Rules on Impact Assessments

Both laws require you to carry out an impact assessment in certain circumstances. This is where you consider the risks that your processing poses to the subject's data rights and security.

It's usually up to you whether to proceed with the processing after carrying out an impact assessment and whether to take any actions to mitigate the risk. You should keep the results of the assessment on file as you may need to show them to data regulators if you are accused of breaching the rules.

The GDPR requires a privacy impact assessment in cases which create a high risk to the subject. This is a combination of the likelihood of harm and the level of harm that might occur. It's up to you to decide when this is the case, but common examples include large scale processing, processing of sensitive data, automated decision making and systematic monitoring.

The PIPL requires a privacy impact assessment, kept on file for three years, for the following:

• Processing sensitive personal information
• Using an individual's personal information for automated decision making
• Sharing personal information with a third party
• Transferring personal information outside of China

Privacy Policies Under the GDPR vs PIPL

The GDPR specifically requires that you publish a notice such as a GDPR Privacy Policy. It must include:

• Your name and contact details and those of your data protection officer (if you have one)
• What data you collect and the purpose of processing
• What legal basis you rely on. (If it's "legitimate interests" you must detail them)
• Who, if anyone, you share data with
• Whether you transfer data outside of the EU and, if so, how you protect it
• How long you keep data (or how you decide when to delete it)
• The data subject's rights and how to exercise them
• Whether the data subject is legally or contractually required to provide information and the consequences of refusing to do so
• Whether you use the data for automated decision making such as profiling

Cynozure details the types of data it collects:

CNN explains how people can exercise their data rights:

Stephensons gives clear examples of how long it keeps data in a range of scenarios:

The PIPL gives data subjects the rights to see your rules and procedures for handling data. While this effectively means having a Privacy Policy, the current draft of the law doesn't have any specific requirements for what should be in the policy.

Handling Data Breaches Under the GDPR vs PIPL

Both laws have rules for handling a data breach, though the GDPR's are more detailed.

The GDPR defines a breach as any unauthorized access, alteration or deletion of data. After a breach you must tell the relevant supervisory authority as soon as possible. If you can't do so within 72 hours of discovering the breach, you must say why. If you believe the breach creates a high risk to people's data rights, you must tell them as soon as possible. "High risk" takes into account the likelihood of harm and the potential damage.

The PIPL says you must tell the relevant authorities about a breach, but there's no timescale in the current draft. You must tell affected individuals if there is any risk of harm. If you decide there is no risk of harm, the authorities can order you to tell affected individuals anyway.

Penalties for Breaching the GDPR vs PIPL

Breaching the GDPR carries a maximum penalty depending on the nature of the breach. For more administrative errors it is €10 million or two percent of worldwide turnover from the previous financial year, whichever is greater.

For more fundamental and serious breaches of the GDPR such as those involving the data subject's rights, the maximum fine is €20 million or four percent of worldwide turnover from the previous financial year, whichever is greater.

Breaching the PIPL carries a maximum penalty of 50 million Chinese yuan or five percent of turnover from the previous financial year.

Summary

Let's recap what you need to know about the GDPR and PIPL:

• The GDPR is already in force. The PIPL is expected to become Chinese law and take force at some point in 2022.
• The two laws are broadly similar in concept, aiming to establish and uphold individual data rights, enforce responsibilities for data processors, and only allow processing under specific conditions called legal bases.
• The GDPR applies if you, the data subject (the person the data is about) or the processing itself is in a European Union country. The PIPL applies if you or the data subject is in China, or if the processing is to provide products or services in China or analyze people in China.

• The laws have many similarities that mean if you already comply with the GDPR, you will comply with many requirements of the PIPL. Some extra steps you need to take to comply with the PIPL include:

  • Be prepared for close relatives exercising the data rights of a deceased person.
  • Delete data if the data subject asks you to because they have stopped being a customer or because the original deadline you gave for holding on to the data has expired.
  • Only transfer data outside of China if you have a binding agreement with the recipient to protect it, you have certification from the authorities to do so, or you have completed a risk assessment under existing Chinese cybersecurity law. In all three cases you must also get the user's consent.
  • Carry out a risk assessment before sharing personal information with a third party, transferring personal information outside of China, processing sensitive personal information, or using personal information for automated decision making.