On 1 November 2021, the Personal Information Protection Law (PIPL) came into force in China. It adopts many principles from the General Data Protection Regulation (GDPR) and closes a number of gaps, as personal data is now comprehensively protected in China for the first time. The main purpose of the law is to prevent the misuse of data by private companies, and it therefore poses considerable challenges for many companies operating in China.
The Chinese data protection law also has effect beyond the territorial borders of the People’s Republic, so European businesses are in some cases also required to act.
Similarities to the GDPR
The similarities of the PIPL to the GDPR become apparent relatively quickly. Among other things, the following principles of the GDPR can be found in Chinese data protection law:
Type of data
The definition of personal data is the gateway to the application of any data protection law. Under the GDPR, the term means any information relating to an identified or identifiable natural person. The same now applies in China. As a result, data with only an indirect personal reference, such as an IP address, is also protected.
Data protection principles
The PIPL further sets out the overarching principles of data processing, similar to Art. 5 GDPR. General data protection principles are regulated, such as purpose limitation and data minimisation.
The permissibility of processing in China now also follows the principle that processing is prohibited unless it is expressly permitted: without a legal basis, processing is unlawful. Accordingly, the processing of personal data in China is only lawful if one of the following conditions is met:
- the data subject has given consent, and, as under the GDPR, this consent must meet certain criteria in the People’s Republic in order to be valid;
- the processing is necessary for the conclusion or performance of a contract;
- the processing is necessary for compliance with legal obligations;
- the processing is necessary to respond to sudden public health incidents or to protect the life and health of natural persons or the security of their property;
- the personal data is processed to a reasonable extent to carry out news reporting, monitoring of public opinion and other activities in the public interest;
- the personal data has already been lawfully disclosed by the data subject himself or otherwise, to a reasonable extent and in accordance with the provisions of the PIPL;
- other circumstances provided for in laws and administrative regulations in China.
The legal bases provided for in the PIPL are very similar to those of the GDPR. The penultimate point, however, introduces a legal basis the GDPR does not have: personal data that has already been lawfully disclosed may be processed within a reasonable scope without consent.
Special categories of personal data
The handling of special categories of personal data (e.g. health data) is also regulated similarly to the GDPR.
A distinction is made between special categories of personal data (i.e. sensitive data) and general personal data. Sensitive data under the law includes biometric characteristics, religious beliefs, health status, financial accounts, individual location tracking, and the personal data of minors under 14 years of age.
Sensitive data is subject to heightened protection requirements: it may only be processed for specific purposes and only with the separate consent of the data subject.
Data subjects’ rights
Chapter IV of the Chinese Data Protection Law regulates the rights of data subjects. Among other things, data subjects have the right to decide about their data and, under certain circumstances, to restrict or refuse processing.
Companies will also have to fulfil certain information obligations towards data subjects. Similar to the GDPR, the information must be provided to the data subject in full and in easily understandable language before the processing takes place.
Data subjects are entitled to be informed of the following:
- the contact details of the person responsible,
- the purpose of the processing,
- the processing methods,
- the categories of data concerned,
- the storage period,
- the methods and procedures for exercising the rights provided for in the PIPL,
- any other items that laws or administrative regulations require to be notified.
When commissioning third parties to process personal data, an agreement must be concluded that covers the purpose, the time limit, the categories of personal data, the protection measures, the rights and obligations of both parties and the supervision of the processing. These requirements bear a strong resemblance to Art. 28 GDPR.
Video recordings in public places are only permitted if data subjects are informed in advance; a conspicuous sign is mandatory.
Standard Contractual Clauses
Standard Contractual Clauses (SCCs) are also intended to give cross-border transfers of personal data as much legal certainty as possible. At the time of writing, however, the Chinese SCCs were still being finalised.
The GDPR also served as the model for fines. Article 66 of the Chinese Data Protection Law provides for severe penalties for data protection violations: companies that breach the requirements of the PIPL face fines of up to 50 million yuan (around EUR 6.6 million) or up to 5 percent of their annual turnover.
The high penalties do not apply to legal entities alone. Fines of between 100,000 and one million yuan can be imposed on the person directly in charge and on other directly responsible employees. In addition, those persons can be banned for a period of time from holding positions as director, supervisor, senior manager or data protection officer.
Differences to the GDPR and problems
Although the new Chinese law is strongly inspired by the GDPR, it also differs from it in several respects.
The biggest difference is probably the scope of application. The GDPR applies to both public and private bodies. The PIPL, by contrast, is aimed primarily at private companies; state bodies are covered only in a subsidiary way, by a separate and narrower set of provisions.
Another important difference is that China has no constitutional tradition of data protection, and the PIPL itself does not have constitutional status. Above all, the state retains broad powers to monitor its citizens extensively. The situation in Europe is different: privacy and data protection are fundamental rights enshrined in the EU Treaties and in the EU Charter of Fundamental Rights, which contains an explicit right to the protection of personal data (Article 8).
Finally, it is also worth noting that the supervisory authorities in China are not independent. In Europe, independence is a prerequisite for the effectiveness of supervisory authorities and is laid down in Art. 52 GDPR: EU supervisory authorities must be free from external instructions and supervision in the performance of their tasks and the exercise of their powers, and must not be subject to any outside influence.
China has long had difficulty enforcing data protection effectively against businesses and individuals. Heavy fines and sanctions can be threatened for data protection violations, but ultimately a law is only as effective as its enforcement.
What European companies need to pay attention to
The PIPL does not only pose new challenges to Chinese data handlers. European companies doing business in the People’s Republic of China are affected as well.
As a first step, European companies active in China should therefore adapt their data protection policies and processes to the new legal requirements of the PIPL.
Article 53 of China’s Data Protection Law further stipulates that companies outside China that process the personal data of individuals located in China must designate a representative in China who is responsible for matters relating to the personal data they handle. Appointing a local contact person is thus mandatory by law.
Operators of large internet platforms are subject to particularly strict obligations under Art. 58 of the Chinese Data Protection Law. For example, they must set up an independent supervisory body and regularly publish reports on their social responsibility in the area of data protection.
With the entry into force of the Chinese Data Protection Law, data protection rights of data subjects in China are strengthened and at the same time strict obligations are imposed on companies. The law creates additional compliance work for companies doing business in China and violations can be very expensive, similar to the GDPR. Internationally operating companies should therefore familiarise themselves well with the legal requirements of the PIPL and take appropriate measures.