GDPR and PIPL: similarities and divergences
The PIPL is China's first Personal Information Protection Law and came into force on 1 November 2021. It is the first comprehensive personal information protection law in China and completes the data protection framework formed by the Cybersecurity Law (in force since 1 June 2017), the Data Security Law (in force since 1 September 2021), and the regulations and measures issued by the Cyberspace Administration of China ("CAC").
An analysis of the PIPL clearly shows the influence of the EU Regulation 2016/679 ("GDPR").
Even though the PIPL and the GDPR are similar in various aspects, several provisions and obligations of the PIPL differ from those of the GDPR.
Applicable scope
In line with the GDPR, the PIPL, as provided in Article 3(2), applies to processing activities carried out outside the borders of the People's Republic of China on the personal information of natural persons located within Chinese territory, where one of the following circumstances is present:
- where the purpose is to provide products or services to natural persons inside the borders;
- where the purpose is to analyse or assess the activities of natural persons inside the borders; or
- in other circumstances provided by Chinese laws or administrative regulations.
The scope of the PIPL appears to be modeled on the GDPR, since both apply extraterritorially to companies that offer goods or services to, or monitor the behavior of, data subjects in the respective territory. However, the applicable scope of the PIPL may in practice be broader than that of the GDPR, because the third limb gives the Chinese regulatory authorities wide discretion to prescribe additional circumstances in which the law applies.
The influence of the GDPR is also visible in the requirement for companies based outside China, where the PIPL applies to them under Article 3(2), to establish a dedicated entity or appoint a representative within the borders of the People's Republic of China. That entity or representative is responsible for matters related to the personal information processed and acts as the contact point for the Chinese supervisory authority, much like the representative required by Article 27 of the GDPR.
Cross-border data transfer
The PIPL, similarly to the GDPR, imposes restrictions on cross-border data transfers. A company that intends to transfer personal data outside the territory of China must, in addition to obtaining separate and informed consent from the data subject and conducting a prior Personal Information Protection Impact Assessment ("PIPIA"), adopt one of the following mechanisms:
- pass a security assessment organized and conducted by the CAC;
- obtain a certification issued by a specialized agency;
- enter into a contract with the overseas recipient according to the standard contract template issued by the CAC; or
- meet other conditions provided for by laws, administrative regulations or the CAC.
The mechanism to be adopted depends on specific conditions, such as the type of personal data processed or transferred (important data, common personal data or sensitive personal data) and/or the type of company (for example, whether it is identified as a critical information infrastructure operator).
Specifically, the security assessment conducted by the CAC is mandatory for (i) data controllers who transfer important data; (ii) operators of critical information infrastructure, or data controllers who process the personal data of more than 1 million data subjects; (iii) data controllers who, since 1 January of the previous year, have transferred abroad the common personal data of more than 100,000 data subjects or the sensitive personal data of more than 10,000 data subjects; or (iv) other circumstances in which a security assessment is required by specific regulations.
The security assessment shall be conducted by the Chinese national internet regulator: the CAC.
The procedure is divided into the following phases:
- a self-assessment conducted by the data controller;
- submission of the application to the local Cyberspace Administration ("local CA");
- acceptance or rejection of the application by the local CA, which checks the submitted materials;
- once the application is accepted, forwarding of the documentation to the CAC;
- the security assessment conducted by the CAC;
- supplementation or correction of the submitted materials (if required);
- conclusion of the procedure and notification of the outcome to the data controller.
The approval by the CAC is valid for 2 years and can be renewed by submitting a new application within the prescribed deadline.
If none of the above thresholds is met, the data controller may instead enter into a contract with the overseas recipient according to the standard contract template issued by the CAC.
Before entering into such an agreement, the data controller must conduct a PIPIA covering the elements required by the legislation. The assessment must be documented in a report, which must be retained for at least 3 years. The standard contract may be supplemented with additional clauses, provided they do not conflict with the terms of the CAC template. After signing, the data controller must file the documentation (the PIPIA report and the signed contract) with the local CA within 10 working days after the contract takes effect.
In addition, multinational companies that intend to transfer personal data outside Chinese territory between their own subsidiaries or affiliated companies, as well as data controllers to which the PIPL applies pursuant to Article 3(2), may apply for the certification issued by a specialized agency.
At this stage, the China Cybersecurity Review Technology and Certification Center ("CCRC") is the only official agency authorized to conduct the certification process for cross-border data transfers.
In order to obtain certification, the Chinese regulation provides for the following steps:
- adoption of specific measures by the data controller (such as internal organizational measures, the appointment of a person in charge of personal data protection with technical and management experience, and a risk assessment) and submission of documentation (such as the agreement signed with the overseas recipient or other documentation specified by the agency) to the certification agency;
- assessment of the submitted materials by the agency and feedback to the data controller;
- technical verification by the agency (possibly through third parties) and drafting of a technical verification report;
- an on-site audit by the certification agency and drafting of an audit report;
- a final assessment by the certification agency on the basis of the documentation collected and all the reports drafted, with notification of the outcome to the data controller. The certification agency may issue the certification or may require the data controller to supplement or correct the submission.
The certification, unless revoked, is valid for three years and can be renewed.
In light of the above, compared to the GDPR, the PIPL gives administrative bodies wide discretion to prescribe, authorize or limit cross-border data transfers.
Conclusions
The PIPL is, on several points, similar to the GDPR. Multinationals that are already GDPR-compliant will therefore face fewer challenges in complying with it than SMEs that operate mostly domestically.
However, unlike the GDPR, the PIPL gives the government and administrative bodies wide discretion over personal data in the name of national security interests, and they may use it to hinder the transfer of data outside China.
In any case, this legislation warrants close attention: as under the GDPR, penalties (financial and non-financial) are provided for in the event of violations, and they can be imposed not only on data controllers but also on management officers.