The major laws governing data protection and cybersecurity in China are the PIPL, the Cybersecurity Law, and the Data Security Law.
While the PIPL resembles the GDPR, it contains substantive responsibilities that vary from the GDPR, as well as obligations included in the GDPR that are not included in the PIPL.
Terminology
Both the PIPL and the GDPR define “personal information” and “processing of personal information” in the same way. According to the PIPL, sensitive personal information is “personal information that, once leaked or illegally used, may easily infringe the dignity of a natural person or cause harm to personal safety and property security, such as biometric identification information, religious beliefs, specially-designated status, medical health information, financial accounts, information on individuals’ whereabouts, and personal information of minors under the age of 14.” (Article 28).
It is important to note that anonymized information is not considered personal information under the PIPL, and “anonymization” refers to the process by which personal information cannot be used to identify individual natural people and cannot be recovered after processing (Articles 4 & 73).
The term “personal information processing entity” is defined under the PIPL as “an organization or individual that independently chooses the goals and methods of processing personal information” (Article 73). This seems to be the Chinese legal counterpart of the GDPR’s “data controller” notion. Furthermore, the PIPL use the term “entrusted party” to refer to a “data processor” as defined by the GDPR.
Legal foundation for processing
The PIPL, like the GDPR, requires enterprises to have a legal basis for processing personal information. However, unlike the GDPR, the PIPL does not include “legitimate interests” as a legal ground for processing. Instead of consent, Article 13 of the PIPL provides the following non-consent basis:
• Required to enter into or fulfill a contract to which the person is a party, or to manage human resources in accordance with legally formed internal labor policies and legally completed collective labor contracts.
• Required to carry out legal duties or obligations.
• Required to react to a public health emergency or to safeguard persons’ health and property in an emergency.
• To a reasonable degree, for the objectives of news reporting and media monitoring in the public interest.
• Processing of personal information that has previously been revealed by persons or that has been legitimately disclosed in compliance with the PIPL, within a reasonable extent.
• Other instances as specified by law
The PIPL’s definition of consent broadly coincides with the GDPR’s strong consent standards, namely that it must be informed, freely provided, proved by a clear action of the subject, and may subsequently be revoked (Articles 14 & 15). The PIPL, on the other hand, requires separate consent for certain processing activities, such as when a processing entity I shares personal information with other processing entities; (ii) publicly discloses personal information; (iii) processes sensitive personal information; or (iv) transfers personal information overseas (Articles 23, 25, 29 and 39).
Personal information rights
While the PIPL generally conforms with the GDPR in terms of personal information rights, it lacks more specific GDPR wording addressing such rights, such as when certain limits or exemptions may apply. Furthermore, the PIPL merely requires processing entities to react “timely” to requests rather than establishing a particular deadline for response. One notable change brought about by the final version of the PIPL is that people will be allowed to sue processing companies if they refuse the persons’ requests to exercise their rights (Article 50). Together with the provision that shifts the burden of proof in privacy-related suits and allows individuals to be compensated based on the actual damage or illegal profit obtained by processing entities (Article 69), this provision may provide additional incentives for individuals to exercise their personal information rights and file suits in Chinese courts if their requests are denied.
Personal information sharing across borders
The PIPL shares several elements with the GDPR in terms of cross-border transfer of personal information, but it also includes some additional requirements, particularly if the exporter operates Critical Information Infrastructure or processes large amounts of personal information.
In general, a processing entity that intends to transfer personal information to entities outside of China must I provide individuals with specific information about the transfers and obtain separate consent (Article 39), (ii) take the necessary steps to ensure that the overseas recipients provide the same level of protection as required by the PIPL (Article 38), and (iii) conduct a personal information protection impact assessment (Article 55).
Furthermore, CII operators or companies that handle a considerable volume of personal information must keep personal information locally. If it is required to send such personal information abroad, it must pass a security assessment conducted by the CAC (Article 40).
Other processing companies may receive a personal information protection certification or enter into an agreement with the overseas recipient based on a standard contract provided by the CAC for their transfers (Article 38). It is presently unknown when the CAC will issue the standard contract or to what extent such a contract would resemble the usual contractual conditions under the GDPR.
Personal information protection impact assessment
Personal information processing entities are required by Article 55 of the PIPL to conduct personal information protection impact assessments and preserve processing records for at least three years for the following processing activities:
• The handling of sensitive personal information.
• Personal information processing for automated decision-making.
• Entrusting personal information to suppliers, exchanging personal information with other processing organizations, or publicly exposing personal information.
• Sending personal information abroad.
• Other personal information processing activities that may have a major effect on persons’ rights and interests.
While the duties to undertake previous personal information protection impact assessments are similar to the GDPR’s “data protection impact assessments,” the processing actions that would trigger such an evaluation are not. Furthermore, there is no need under the PIPL to contact a regulator if a business believes, after conducting such an assessment, that it cannot remediate certain residual risks identified.
Penalties and private action
If a processing business breaches the PIPL’s rules, authorities may compel remedial activities, give warnings, seize unlawful money, halt services, or levy a fine. The penalties may be up to 50 million RMB, or 5% of the previous fiscal year’s annual revenue (Article 66). The PIPL, unlike the GDPR, does not define whether the yearly revenue relates to global turnover or income produced in China.
Meanwhile, since the PIPL does not specify a minimum punishment, authorities are free to levy whatever fines they see fit. In addition to monetary sanctions, breaches may be noted in the processing entity’s “credit files” under China’s national social credit system (Article 67).
Furthermore, if the processing companies violate the rights and interests of personal information, they will be responsible for tort damages (Art. 69). If the processing entities violate a substantial number of people’s rights and interests, the People’s Procuratorate and other approved groups may launch public interest litigation (Article 70).
