China privacy law comparison to GDPR

The Personal Information Protection Law is set to take effect on the 1st of November. It is interesting to compare four aspects of the PIPL with their equivalent rules under the GDPR.

Data localization

The PIPL requires that a controller of large-scale personal data or a critical information infrastructure operator (CIIO) (any information that may seriously harm national security, economy, people’s livelihoods, or public interest) to store personal data within China, and any cross-border transfer of such shall be subjected to a security assessment by the Cyberspace Administration of China (CAC).

Small scale data controllers may conduct a cross-border transfer under one of the legitimate approaches recognized by the PIPL, such as a one supported by a contract with overseas data recipients (template to be provided by the CAC). This is comparable to the Standard Contractual Clauses for data transfers as provided by the GDPR. In addition, a controller must obtain standalone consent of data subjects and conduct a data protection impact assessment (DPIA) prior to the cross-border transfer.

Standalone Consent

The PIPL obligates a controller to obtain standalone consent of data subjects under specific circumstances, such as the processing of sensitive personal data and cross-border transfer of personal data. The PIPL does not provide a definition for “standalone consent,” in a best practice approach this consent should be separated from the general consent given by the data subject (e.g., a separate signature or checkbox for each distinct action requiring standalone consent). This is somewhat similar to explicit consent under GDPR, but the standard seems to be higher as the consent will need to be given for each and every action.

Data Protection Impact Assessment

The PIPL requires a DPIA in specific circumstances, for example, automated decision-making and processing sensitive personal data which is comparable to the GDPR. However, the PIPL introduces additional scenarios where a DPIA will be required such as cross-border transfers of personal data, when engaging with a third-party data processor, when transferring data to another controller, and making personal data publicly available.

Data Breach Notification

The GDPR specifies that a data breach notification to the authorities should be made within 72hours of discovery, the PIPL on the other hand specifies that remedial action and notification to the authorities should take place immediately.

The clear takeaway from these brief examples is that GDPR compliance does not equate to PIPL compliance, and that a reliance upon the policies and standards drafted for the GDPR may leave companies open to liabilities in China.