The GDPR vs China's PIPL

If you target individuals for commercial purposes, and the individuals are based in the EU or China, then you need to know how two laws affect your business:

  • General Data Protection Regulation (GDPR)
  • Personal Information Protection Law of the People's Republic of China (PIPL)

In many ways these laws are very similar, although they do differ in a few key ways.

Below, we break down the similarities and differences between each piece of legislation and summarize how to ensure compliance in both instances.


In Brief: The GDPR

The GDPR was adopted in 2016, but businesses had until May 25, 2018 to fully comply with the regulation, which is when it became enforceable. The idea behind the GDPR is to give people in the EU control over how businesses capture, process, and share their personal data. EU data subjects now have a whole host of privacy rights, which we'll cover below.

Although the UK is no longer part of the EU, it kept the regulation in domestic law as the "UK GDPR", so equivalent rules still apply to British residents.

In Brief: China's PIPL

China's PIPL was passed in August 2021 and took effect on November 1, 2021. Like the GDPR, the PIPL is designed to help individuals in China control what happens to their personal and sensitive information. It gives them more power to decide how much data companies can access, and who those companies share that information with.

To view the law yourself, you can find a translated version of the PIPL over at the DigiChina Project from Stanford University.

Territorial Scope

To comply with the GDPR and China's PIPL, you need to understand:

  • Who the laws protect
  • Which businesses must comply with these laws

When it comes to both the GDPR and PIPL, it doesn't matter if your business is physically located in the EU or China. It only matters if you're targeting protected individuals.

Let's break down how each law applies.

Application of the GDPR

The scope rules are set out in the GDPR's Article 3. The regulation applies to any business established in the EU that processes personal data, wherever the processing actually happens, and to businesses outside the EU that process the personal data of people who are in the EU, whether by offering them goods or services or by monitoring their behavior (for example, behavioral tracking).

It doesn't apply to personal data processing conducted by private individuals for domestic or personal purposes (Article 2).

Application of China's PIPL

The PIPL's territorial scope is set out in Article 3. China's PIPL applies to:

  • The handling of personal information within China's borders
  • Any handling of personal information outside China if its purpose is to provide products or services to natural persons inside China

You're also expected to comply with the PIPL if you analyze or assess the behavior of natural persons inside China, even if you're located outside China.

So, any business handling personal information relating to people inside China should comply with the law, wherever that business is based.

Definition of Personal Data

The definition of personal and sensitive data is similar between both laws, but the PIPL does go slightly further than the GDPR when it comes to defining sensitive data.

Personal Data: GDPR

The GDPR defines personal data in Article 4 as information concerning a person which makes them directly or indirectly identifiable.

Although Article 4 gives some examples of personal data, such as a name or location data, it's not a finite list.

Personal Data: PIPL

China's PIPL defines personal information as data which can identify a person, but Article 4 specifically makes an exception for anonymized information.

GDPR and Sensitive Data

Article 9 describes sensitive data as a "special category" of personal information. It includes, for example, racial, political, sexual, and health data.

Although this definition doesn't specifically include data relating to minors, you should still treat personal information belonging to teenagers and children with care.

PIPL and Sensitive Data

Under China's PIPL, what counts as "sensitive data" is broadly the same as under the GDPR. However, the PIPL definition goes slightly further: Article 28 classes as sensitive any personal information which, if leaked or illegally used, may easily harm an individual's dignity or endanger their personal or property safety.

Some of the examples given in the PIPL include:

  • Financial account information
  • Biometric characteristics
  • Medical health
  • Religious beliefs
  • Individual location tracking
  • Personal information of minors under the age of 14

So, although the definitions are similar, the PIPL definition is broader.

Personal Information Handler vs Data Controllers

A personal information handler (PIPL) and data controller (GDPR) are similar, but they're not exactly the same.

Here's how they're defined.

Personal Information Handler - PIPL

Personal information handlers under the PIPL are responsible for:

  • Handling personal data
  • Determining the purposes for handling data
  • Deciding how personal data is handled

Personal information handlers are defined in Articles 9 and 73 of the PIPL.

Unlike the GDPR, the PIPL doesn't define a separate "processor" role. A party that handles data on a handler's behalf is an "entrusted person" (Article 21), and the handler remains responsible for supervising it, so the obligations fall primarily on the company which captures the data and determines the handling purposes.

Data Controllers and Processors - GDPR

Under the GDPR, data controllers decide how data should be processed and for what purposes. Like personal information handlers, they're responsible for ensuring sufficient cybersecurity measures are in place at all times.

Data processors, on the other hand, process the data on behalf of controllers and only on their documented instructions.

There may be occasions where you're both a processor and a controller, in which case you should understand the different duties you have in each case.

Controllers and processors are defined in GDPR Article 4 (paragraphs 7 and 8). Article 24 sets out the controller's responsibilities, while Article 28 sets out the obligations of processors and what the controller-processor contract must contain.

Basis for Personal Data Processing

Under both the GDPR and China's PIPL, you can't process data without a legitimate reason for doing so. The grounds, however, differ slightly depending on which law applies.

GDPR: Lawful Processing Grounds

You can't process data under the GDPR without a lawful basis. According to Article 6, you can't process data unless one of the following is met:

  • You have the individual's consent
  • You need the data to perform a contract with the individual, e.g. to sell the customer goods
  • The processing is necessary to comply with a legal obligation
  • The processing is necessary to protect someone's vital interests
  • The processing is necessary for a task carried out in the public interest or in the exercise of official authority
  • You (or a third party) have a legitimate interest which isn't overridden by the individual's rights and freedoms

So, although you can ask for consent before processing data, you don't need consent if you can point to another lawful basis for processing.

Special Category Data

If you want to process "special" or sensitive data, you need:

  • A lawful basis from Article 6, and
  • A justifiable reason for processing, under Article 9

Some Article 9 grounds overlap with Article 6 (explicit consent, vital interests), but others are specific, such as processing for health care, substantial public interest, legal claims, or research and statistical purposes. If you process any sensitive data, it must always be proportionate, i.e. you can't process more sensitive data than you need for a specified purpose.

PIPL: Grounds for Personal Data Processing

The PIPL sets out its lawful grounds for handling personal information in Article 13. Several overlap with the GDPR Article 6 bases (consent, performing a contract, legal duties, and protecting life, health, or property in an emergency), but there are two notable differences. First, the PIPL makes specific reference to news reporting and public-opinion supervision in the public interest, within a reasonable scope. Second, the PIPL has no equivalent of the GDPR's "legitimate interests" basis, so in practice consent is needed far more often under the PIPL than under the GDPR.

Under Article 29, you can't handle sensitive data without the individual's separate consent, which is slightly different from the GDPR's approach. What's more, even if you already obtained consent to data processing in general, you need additional, specific consent before processing any sensitive data.

Individual Rights Under the GDPR and PIPL

Again, both laws confer specific individual rights on the individual. The GDPR, however, goes slightly further than the PIPL.

Rights Under the GDPR

The GDPR gives people eight specific rights regarding their personal data. People have the right to:

  • Be informed that you're collecting their personal data, and why
  • Access the data held on them
  • Ask you to rectify their data
  • Ask you to delete their data
  • Restrict how you process their data
  • Receive their data in a portable, machine-readable format
  • Object to processing, including direct marketing
  • Not be subject to purely automated decision-making, including profiling, that significantly affects them

You should set out these rights, and how people can exercise these rights, in a Privacy Policy.

Rights Under China's PIPL

Under the PIPL, citizens have the right to:

  • Know your data policies
  • Withdraw consent to data processing
  • Non-discrimination if they withdraw consent
  • Make decisions regarding their data
  • Request copies of their data
  • Refuse automated profiling
  • Amend their data
  • Delete their data

While the rights look similar, there are key differences. For one thing, the PIPL only requires businesses to respond to requests "in a timely manner" and doesn't specify a deadline, whereas the GDPR imposes a firm one: within one month, extendable by a further two months for complex requests. The GDPR language is also more precise, which works in favor of individuals.

Consent Under the GDPR and China's PIPL

As mentioned, you don't always need consent to personal data processing under either law. However, when you do need consent, the rules are fairly similar in both instances.

Consent isn't valid under the GDPR unless it's freely given, specific, informed, and unambiguous. It requires a clear affirmative action by the individual. Pre-ticked boxes, silence, or inactivity don't count, and implied consent is not good enough.

If you're relying on consent, the standard approach is an unticked checkbox which individuals must actively tick to consent to data processing, with a separate box for each distinct purpose. Withdrawing consent must be as easy as giving it (Article 7).

Here's an example from the Krispy Kreme UK website that gets consent to enroll someone in a rewards program:

Krispy Kreme UK Create Account form with join rewards program consent checkbox highlighted

If you're unsure whether you can rely on consent, find another lawful basis to rely on.

Again, consent under PIPL must be voluntary, explicit, and informed. This is set out in Article 14.

You will need to use a checkbox or other similar method to secure PIPL-compliant consent.
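The consent rules above come down to a few checks a form handler must make: an unticked box is never treated as consent, the general privacy-policy tick grants nothing by itself, each purpose (and each sensitive purpose in particular) needs its own affirmative tick, and withdrawal must be as easy as granting. The following Python module is an added example, not code from the original page or from any product it mentions. The field names, the PURPOSES table and the ConsentLedger API are assumptions; they model an HTML form whose checkboxes are rendered unticked, so a ticked box arrives as "on" and an unticked box is simply absent from the submission.

```python
"""Affirmative-consent capture and withdrawal (added example, not from the page).

Assumed form contract: checkboxes are rendered unticked; a ticked box is submitted
as "on" and an unticked box is absent. Field names and PURPOSES are hypothetical.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Purposes offered on the form, one checkbox each. A sensitive purpose such as
# biometric login gets its own box like any other; the general privacy-policy
# tick never grants it (separate consent under PIPL Article 29).
PURPOSES = {"marketing_email", "health_profile", "biometric_login"}
POLICY_FIELD = "accept_privacy_policy"
META_FIELDS = {POLICY_FIELD, "policy_version"}


class ConsentError(ValueError):
    """The submission cannot be treated as valid consent."""


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    purpose: str
    granted: bool
    policy_version: str
    at: str  # ISO 8601 UTC timestamp: evidence of when consent was given or withdrawn


def _ticked(form, name):
    # Only the browser's checkbox value counts. A missing key means the box was
    # left unticked, so absence is "no consent", never a silent default to "yes".
    return form.get(name) == "on"


def parse_consent_form(form, subject_id, current_policy_version, now=None):
    """Turn a submitted form into ConsentEvents, one per affirmatively ticked purpose."""
    at = (now or datetime.now(timezone.utc)).isoformat()
    if form.get("policy_version") != current_policy_version:
        # The user consented to text they may no longer be looking at: ask again.
        raise ConsentError("form rendered against an outdated Privacy Policy")
    if not _ticked(form, POLICY_FIELD):
        raise ConsentError("Privacy Policy not accepted")
    unknown = set(form) - PURPOSES - META_FIELDS
    if unknown:
        # Refuse to infer consent from fields we did not render (e.g. a client-side
        # "select all"); bundled or implied consent is not valid consent.
        raise ConsentError(f"unexpected fields: {sorted(unknown)}")
    return [
        ConsentEvent(subject_id, purpose, True, current_policy_version, at)
        for purpose in sorted(PURPOSES)
        if _ticked(form, purpose)  # the policy tick alone grants no purpose
    ]


class ConsentLedger:
    """Append-only record of consent decisions; the latest event per purpose wins."""

    def __init__(self):
        self._events = []

    def record(self, events):
        self._events.extend(events)

    def withdraw(self, subject_id, purpose, now=None):
        # Withdrawal is one call, as easy as granting (GDPR Article 7(3), PIPL
        # Article 15). History is kept so the original grant remains auditable.
        at = (now or datetime.now(timezone.utc)).isoformat()
        self._events.append(ConsentEvent(subject_id, purpose, False, "", at))

    def is_permitted(self, subject_id, purpose):
        """Check before processing. Default is False: no record means no consent."""
        state = False
        for event in self._events:  # appended in time order
            if event.subject_id == subject_id and event.purpose == purpose:
                state = event.granted
        return state

    def history(self, subject_id):
        return [e for e in self._events if e.subject_id == subject_id]
```

The important design choice is the default: `is_permitted` returns False for anything not explicitly granted, and `parse_consent_form` produces an event only for a box the browser reports as ticked, so a processing pipeline that consults the ledger can never act on consent that was assumed rather than given.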

Company Obligations

Broadly speaking, both laws place similar obligations on organizations.

GDPR Obligations

Under the GDPR, companies must:

  • Comply with GDPR principles
  • Draft a GDPR-compliant Privacy Policy
  • Get affirmative consent when needed
  • Ensure there's a binding contract in place between controllers and processors
  • Implement proper security practices
  • Keep a record of processing activities (if applicable)
  • Report personal data breaches to the supervisory authority within 72 hours of becoming aware of them, unless the breach is unlikely to pose a risk to individuals, and tell the affected individuals without undue delay where the risk is high

The GDPR goes slightly further than the PIPL in terms of the obligations placed on companies.

And, like the PIPL, the GDPR imposes an obligation to perform data protection impact assessments (DPIAs), which help companies minimize the data they collect and the risks involved in processing it. However, a DPIA is only mandatory where processing is likely to result in a high risk to individuals, for example large-scale processing of sensitive data or systematic monitoring (Article 35).

PIPL Obligations

According to the PIPL, companies must:

  • Provide a Privacy Policy
  • Get separate consent to sensitive data processing
  • Help people exercise their privacy rights
  • Cooperate with the relevant regulatory authorities
  • Complete regular compliance audits
  • Protect data with appropriate security measures and train staff in data security
  • Designate a representative in China if the company is an overseas handler covered by the law (Article 53)

You must also perform an impact assessment if you plan on handling sensitive data, using data for automated decision-making, providing it to third parties, or sending data overseas. The rules are set out in Articles 55 and 56 of the PIPL.

Penalties for Breaching the GDPR and China's PIPL

The penalties for breaching either law are steep, but China's PIPL imposes especially harsh penalties.

GDPR Penalties

GDPR penalties can reach up to 20 million Euros or 4% of your worldwide annual turnover, whichever amount is higher. Affected individuals can also bring a private right of action against businesses which breach their privacy rights.

PIPL Penalties

Penalties under the PIPL can be up to 50 million RMB or 5% of your previous year's turnover, and regulators can also suspend your business or revoke your licenses. The individuals directly responsible can be fined personally and barred from holding senior roles. What's more, any infringement can be recorded in China's credit file system, which is a type of corporate social credit record. This could seriously damage your company's reputation.

Conclusion

The GDPR and China's PIPL are both designed to protect users' privacy rights when they use the internet or buy goods and services online. On the whole, they're very similar:

  • Both laws protect personal data, and set out lawful grounds for processing
  • Each law requires clear and affirmative consent at times
  • Both laws require companies to mitigate and minimize their data processing, where possible
  • In both cases, companies must perform impact assessments and protect data from risk

However, there are some key differences:

  • The GDPR gives individuals more specific privacy rights
  • The GDPR sets out a timescale for reporting and responding to data breaches
  • The PIPL defines sensitive data more broadly than the GDPR
  • PIPL has stricter consent requirements
  • PIPL penalties are more severe

To help ensure compliance:

  • Draft a Privacy Policy
  • Use unticked checkboxes to obtain express consent to process data
  • Collect only the data you need to perform a legitimate task
  • Help people exercise their privacy rights