The Personal Information Protection Law: China’s Version of the GDPR?
The Personal Information Protection Law (PIPL) is China’s first comprehensive legislation on personal information and data privacy. While similar to the European Union’s General Data Protection Regulation in many ways, China’s PIPL notably contains a number of ambiguities that have yet to be interpreted, thereby generating regulatory uncertainty. It remains to be seen how stringent the PIPL will truly be and the extent of its impact.
By: Julia Zhu, Staff Member
On November 1, 2021, China’s new Personal Information Protection Law (PIPL) came into effect. Consisting of 74 articles spanning eight chapters, the PIPL is China’s first comprehensive legislation regulating the protection of personal information and data of “natural persons” located within China. With China being home to 1.01 billion internet users—the largest online community in the world—the PIPL is poised to have an enormous impact internationally and change the ways in which parties conduct business both within and outside of China.
Similarities to the European Union’s GDPR
China’s PIPL has received attention for a number of reasons, one of which is the way it closely resembles a number of aspects of the European Union’s General Data Protection Regulation (GDPR). The GDPR is one of the strictest data privacy and security laws in the world.
Like the GDPR, the PIPL is extraterritorial in scope, covering all individuals, organizations, and corporations that handle the personal information of individuals within China’s borders (Article 3). The PIPL also allows individuals to access and copy their personal data, request rectification of data inaccuracies, and withdraw their consent (Chapter IV).
Furthermore, the PIPL contains many concepts and definitions reminiscent of those in the GDPR. For example, the PIPL requires any “personal information processor” outside of China to establish a dedicated entity or appoint a representative within China to be responsible for relevant matters of personal information protection (Article 53). This “personal information processor” is akin to a “data controller” under the GDPR. Similarly, PIPL’s “entrusted parties,” or entities that process personal information on behalf of the “personal information processors,” are comparable to the GDPR’s “data processors.”
Differences from the GDPR
But while there are many similarities between the PIPL and the GDPR, the PIPL diverges from the EU’s data privacy law in a number of ways that may make it stricter than the GDPR. For one, the PIPL does not provide a “legitimate interest” processing basis, which is the most flexible of the GDPR’s six legal bases for processing personal data. Under the GDPR, companies are allowed to process personal data as long as the data was collected legally and with a justifiable basis.
With this legal basis noticeably missing from the PIPL, companies that do business in China must obtain an individual’s consent before handling their personal information unless their reason fits into one of the six exceptions delineated in Article 13. The last exception states that parties can handle personal information without an individual’s consent when there are “other circumstances provided in laws and administrative regulations.” However, it remains unclear under what circumstances companies will be eligible for this exception. This may give the Chinese government more flexibility and authority to either broaden or narrow the scope of the PIPL as it wishes in the future.
Moreover, unlike the GDPR, the PIPL also has a strong data localization provision, requiring that personal information reaching certain quantities be stored within China and that transfer of such data overseas be subject to a security assessment by the Cyberspace Administration of China prior to transfer (Article 40). The PIPL does not specify the quantity threshold, nor does it provide more information on the nature of the security assessment and its evaluative components.
Another notable difference from the GDPR is the penalties set by the PIPL. The GDPR sets a maximum fine of 20 million Euros (22.6 million USD), or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher. The PIPL imposes a maximum fine of up to 50 million Yuan (7.8 million USD), or 5% of the annual revenue of the preceding financial year (Article 66). Importantly, the PIPL does not specify whether the “annual revenue” in its provisions refers to worldwide turnover, as in the GDPR, or to annual revenue in China only.
Regulatory Uncertainty and Global Implications of the PIPL
While the PIPL does not differ drastically from the GDPR on paper, the ambiguities that exist in some of its provisions give the PIPL the potential to be a much stricter data privacy law. There is currently a high level of regulatory uncertainty, as it remains unclear how strictly the PIPL will be enforced and what aspects the Chinese government will focus on. Simply put, whether the PIPL will be GDPR-like legislation or a much harsher one will fundamentally depend on how the Chinese government decides to implement and execute these provisions and on the interests that are driving the government’s actions.
Notably, China’s political environment and strict internet censorship regulations are both drastically different from those of many western nations, which will almost surely affect the way the PIPL is implemented. While U.S. and European data privacy laws such as the GDPR are largely grounded in fundamental rights and consumer privacy, some data privacy and cybersecurity lawyers have pointed out that China’s PIPL is closely linked to national security interests, as evidenced by the strong data localization provision.
Indeed, the PIPL comes in the midst of China’s large-scale crackdown on both domestic and foreign private businesses. Over the past year, Chinese companies like Alibaba, Tencent, and Bilibili have been slapped with fines for violating anti-monopoly legislation. The day that the PIPL took effect, Yahoo ended its presence in China due to the “increasingly challenging business and legal environment.” LinkedIn similarly shut down its China platform earlier in October, citing a “challenging operating environment.”
In light of the circumstances surrounding the PIPL’s enactment, it is clear that the legislation will force parties that operate in China to confront new challenges. For example, most recently, Grindr pulled its app from Apple’s App Store in China due to difficulties complying with the new regulations. Additionally, just two weeks after the PIPL took effect, some domestic providers in China stopped providing information on shipping data—data that companies rely on for information on cargo volumes and for determining logistics—to foreign companies. Considering China is vitally important in global supply chains and is home to many of the world’s largest container ports, these gaps in shipping information are likely detrimental to the global economy. It would not be surprising to see similar disruptions in the coming months, and multinational organizations will have to re-assess compliance costs and reputational risks—both of which will likely be higher with the PIPL in place—in order to determine the manner of future operations in China.
Conclusion
With a broad extraterritorial scope grounded in national security interests, China’s first comprehensive data privacy law is bound to have a massive impact beyond the borders within which it was enacted. How the Chinese government decides to enforce and interpret the PIPL remains to be seen, and only time will tell whether the PIPL is an equivalent of the GDPR or a much stricter piece of legislation. Until then, parties hoping to do business in China will have to be cautious about the legislation’s ambiguities as they navigate this new era of data privacy in China.
Julia Zhu is a second-year student at Columbia Law School and a Staff member of the Columbia Journal of Transnational Law. She graduated from Yale University in 2019.