The GDPR vs China's PIPL
If you target individuals for commercial purposes, and the individuals are based in the EU or China, then you need to know how two laws affect your business:
- General Data Protection Regulation (GDPR)
- Personal Information Protection Law of the People's Republic of China (PIPL)
In many ways these laws are very similar, although they do differ in a few key ways.
Below, we break down the similarities and differences between each piece of legislation and summarize how to ensure compliance in both instances.
In Brief: The GDPR
The GDPR came into force back in 2015, but all companies had until May 25, 2018 to fully comply with the regulation. The idea behind the GDPR is to give EU residents control over how businesses capture, process, and share their personal data. Now, EU residents have a whole host of privacy rights which we'll cover below.
Although the UK is no longer a part of the EU, the GDPR still applies to British residents.
In Brief: China's PIPL
China's PIPL became law in November of 2021. Like the GDPR, the PIPL is designed to help Chinese citizens control what happens to their personal and sensitive information. It gives citizens more power to decide how much data companies can access, and who those companies share that information with.
To view the law yourself, you can find a translated version of the PIPL over at the DigiChina Project from Stanford University.
Territorial Scope
To comply with the GDPR and China's PIPL, you need to understand:
- Who the laws protect
- Which businesses must comply with these laws
When it comes to both the GDPR and PIPL, it doesn't matter if your business is physically located in the EU or China. It only matters if you're targeting protected individuals.
Let's break down how each law applies.
Application of the GDPR
The scope rules are set out in the GDPR's Article 3. It basically applies to any business processing personal data belonging to EU residents, whether you're selling them goods or services or targeting them in some other way, e.g. behavioral monitoring.
It doesn't apply to personal data processing conducted by private individuals for domestic or personal purposes (Article 2).
Application of China's PIPL
The PIPL's territorial scope is set out in Article 3. China's PIPL applies to:
- The handling of personal information within China's borders
- Any handling of personal data outside China if it's related to selling goods or services to people within China
You're also expected to comply with the PIPL if you analyze data relating to Chinese individuals, even if you're outside China.
So, any business handling personal data relating to Chinese individuals should comply with the law.
Definition of Personal Data
The definition of personal and sensitive data is similar between both laws, but the PIPL does go slightly further than the GDPR when it comes to defining sensitive data.
Personal Data: GDPR
The GDPR defines personal data in Article 4 as information concerning a person which makes them directly or indirectly identifiable.
Although Article 4 gives some examples of personal data, such as a name or location data, it's not a finite list.
Personal Data: PIPL
China's PIPL defines personal information as data which can identify a person, but Article 4 specifically makes an exception for anonymized information.
GDPR and Sensitive Data
Article 9 describes sensitive data as a "special category" of personal information. It includes, for example, racial, political, sexual, and health data.
Although this definition doesn't specifically include data relating to minors, you should still treat personal information belonging to teenagers and children with care.
PIPL and Sensitive Data
Under China's PIPL, what counts as "sensitive data" is broadly the same as the GDPR. However, the PIPL definition goes slightly further, classing sensitive data as any information which may cause material harm to an individual if it's leaked or illegally used.
Some of the examples given in PIPL include:
- Financial account information
- Biometric characteristics
- Medical health
- Religious beliefs
So, although the definitions are similar, the PIPL definition is broader.
Personal Information Handler vs Data Controllers
A personal information handler (PIPL) and data controller (GDPR) are similar, but they're not exactly the same.
Here's how they're defined.
Personal Information Handler - PIPL
Personal information handlers under the PIPL are responsible for:
- Handling personal data
- Determining the purposes for handling data
- Deciding how personal data is handled
Personal information handlers are defined in Articles 9 and 73 of the PIPL.
Unlike with the GDPR, there's no clear distinction between the company which captures the data and determines the data handling purposes, and the company which processes the data.
Data Controllers and Processors - GDPR
Under the GDPR, data controllers decide how data should be processed and for what purposes. Like personal information handlers, they're responsible for ensuring sufficient cybersecurity measures are in place at all times.
Data processors, on the other hand, physically process the data on behalf of controllers.
There may be occasions where you're both a processor and a controller, in which case you should understand the different duties you have in each case.
The full definition of a controller is set out in GDPR Article 24, while you can learn more about processors in GDPR Article 28.
Basis for Personal Data Processing
Under both the GDPR and China's PIPL, you can't process data without a legitimate reason for doing so. The grounds, however, differ slightly depending on which law applies.
GDPR: Lawful Processing Grounds
You can't process data under the GDPR without a lawful basis. According to Article 6, you can't process data unless one of the following is met:
- You have someone's consent
- You need the data to fulfill a mutual contract e.g. sell the customer goods
- The data is necessary to comply with legal obligations
- It's in the public interest to process the data
- You're handling the data to protect the individual's vital interests
- There's a legitimate commercial interest for processing the data
So, although you can ask for consent before processing data, you don't need consent if you can point to another lawful basis for processing.
Special Category Data
If you want to process "special" or sensitive data, you need:
- A lawful basis from Article 6, and
- A justifiable reason for processing, under Article 9
The Article 9 grounds are very similar, but they also include research and statistical purposes. If you process any sensitive data, though, it must always be proportionate i.e. you can't process more sensitive data than you need for a specified purpose.
PIPL: Grounds for Personal Data Processing
The PIPL sets out its personal data handling rules in Article 13. Although the grounds are virtually the same as the GDPR Article 6 lawful bases, the PIPL makes specific reference to news reporting. Meaning, you can collect personal data for journalistic purposes.
Under Article 29, you can't handle sensitive data without explicit consent, which is slightly different from the GDPR. What's more, even if you already obtained consent to data processing, you need additional consent to processing any sensitive data.
Individual Rights Under the GDPR and PIPL
Again, both laws confer specific rights on individuals. The GDPR, however, goes slightly further than the PIPL.
Rights Under the GDPR
The GDPR gives people eight specific rights regarding their personal data. People have the right to:
- Know if you're collecting personal data
- Access the data held on them
- Ask you to rectify their data
- Stop you from using the data in a certain way
- Object to marketing
- Ask you to delete their data
- Object to profiling and automated decision-making
Rights Under China's PIPL
Under the PIPL, citizens have the right to:
- Know your data policies
- Withdraw consent to data processing
- Non-discrimination if they withdraw consent
- Make decisions regarding their data
- Request copies of their data
- Refuse automated profiling
- Amend their data
- Delete their data
While the rights look similar, there are key differences. For one thing, PIPL doesn't specify how long businesses have to respond to access requests, whereas the GDPR imposes a firm deadline. The GDPR language is also more precise, which works in favor of individuals.
Consent Under the GDPR and China's PIPL
As mentioned, you don't always need consent to personal data processing under either law. However, when you do need consent, the rules are fairly similar in both instances.
GDPR Consent
Consent isn't valid under the GDPR unless it's expressly given, clear, voluntary, and informed. It involves affirmative action. Implied consent is not good enough.
If you're relying on consent, you need to use checkboxes which individuals can click if they're happy to consent to data processing.
Here's an example from the Krispy Kreme UK website that gets consent to enroll someone in a rewards program:
If you're unsure whether you can rely on consent, find another lawful basis to rely on.
PIPL Consent
Again, consent under PIPL must be voluntary, explicit, and informed. This is set out in Article 14.
You will need to use a checkbox or other similar method to secure PIPL-compliant consent.
Company Obligations
Broadly speaking, both laws place similar obligations on organizations.
GDPR Obligations
Companies have similar responsibilities under the GDPR, although there are one or two differences.
- Comply with GDPR principles
- Get affirmative consent when needed
- Ensure there's a binding contract in place between controllers and processors
- Implement proper security practices
- Keep a record of processing activities (if applicable)
- Report data breaches within 72 hours
The GDPR goes slightly further than the PIPL in terms of the obligations placed on companies.
And, like the PIPL, the GDPR imposes an obligation to perform data protection impact assessments to help companies minimize the data they collect, and the risks involved in the process. However, it's really only necessary when processing high-risk, i.e. sensitive, data (Article 35).
PIPL Obligations
According to the PIPL, companies must:
- Get consent to sensitive data processing
- Help people exercise their privacy rights
- Comply with any relevant authorities
- Complete regular compliance audits
- Protect data and train staff in cybersecurity
You must also perform an impact assessment if you plan on handling sensitive data, or sending data overseas. The rules are set out in Articles 55 and 56 of the PIPL.
Penalties for Breaching the GDPR and China's PIPL
The penalties for breaching either law are steep, but China's PIPL imposes especially harsh penalties.
GDPR Penalties
GDPR penalties can reach up to 20 million Euros or 4% of your annual turnover, whichever amount is higher. Affected individuals can also bring a private right of action against businesses which breach their privacy rights.
PIPL Penalties
Penalties under the PIPL can be up to 5% of your annual turnover. What's more, any infringement can be recorded in China's credit file system, which is like a type of social credit score. This could seriously damage your company's reputation.
Conclusion
The GDPR and China's PIPL are both designed to protect users' privacy rights when they use the internet or buy goods and services online. On the whole, they're very similar:
- Both laws protect personal data, and set out lawful grounds for processing
- Each law requires clear and affirmative consent at times
- Both laws require companies to mitigate and minimize their data processing, where possible
- In both cases, companies must perform impact assessments and protect data from risk
However, there are some key differences:
- The GDPR gives individuals more specific privacy rights
- The GDPR sets out a timescale for reporting and responding to data breaches
- Sensitive data is less clearly defined by the GDPR
- PIPL has stricter consent requirements
- PIPL penalties are more severe
To help ensure compliance:
- Use unmarked checkboxes to obtain express consent to process data
- Collect only the data you need to perform a legitimate task
- Help people exercise their privacy rights