In August 2021, China passed the Personal Information Protection Law (PIPL), which takes effect in November 2021, leaving companies only a short grace period to adapt. The new law is a fundamental element in the mosaic of regulations relating to privacy and cybersecurity in China. Although there are similarities between PIPL and GDPR, it is crucial to consider the differences if your company wants to do business in one of the most relevant consumer markets in the world.
To better understand the new challenges posed by the PIPL, we highlight a few key differences between the PIPL and GDPR, so companies can start to prepare and form a risk-based approach towards privacy compliance in China.
Heavy Focus on Consent
From the European Data Protection Directive in 1995 to today, privacy regulations around the world have slowly shifted from a heavily consent-based system to one that allows other legal bases for the processing of personal data. Accountability and transparency have gained strength, while the effects of consent fatigue are broadly recognized.
China’s PIPL, on the other hand, is heavily focused on consent. Separate consent is mandatory for sharing personal data with other handlers (article 21). Consent is the only legal basis for processing sensitive personal data (article 29). And as a rule, separate consent is also needed for the public disclosure of personal data (article 23). It is also worth noting that legitimate interest does not exist as a legal basis under PIPL. For that reason, it is fair to say that China has one of the strictest privacy laws in the world.
However, PIPL does allow the handling of personal information that the data subject has previously disclosed themselves, unless that handling has a major impact on the individual’s rights and interests, in which case consent is still required (article 27).
China at the forefront of the privacy debate?
Like the GDPR, PIPL treats as sensitive any personal information whose misuse could harm the dignity of data subjects. In addition, PIPL also classifies as sensitive data whose misuse could threaten the security of personal property, such as data related to financial accounts.
Other peculiarities of the PIPL are specific articles on image-collection equipment (article 26); the exercise of a deceased person’s data subject rights by their next of kin (article 49), which directly affects, for instance, the debate around the social media accounts of the deceased; and specific obligations for “important internet platform services” (China is not messing around with big tech regulation!) (article 58).
Although heavily influenced by GDPR in certain aspects, the law is much stricter and is attentive to the recent impacts and issues related to emerging technologies. It will be interesting to see how the particularities of PIPL influence other legislation around the world.
What to consider when doing business in China?
The PIPL may apply to your business not only if you do business in China directly, but also when you process the personal information of individuals residing in China. So, now more than ever, developing a preliminary regulatory strategy is essential.
First, all personal information handlers outside China must designate a dedicated entity or representative within China (article 53). From the beginning of your China expansion strategy, you should prepare a playbook for addressing foreign regulators’ requests.
If your company is GDPR compliant, it should be easier to become PIPL compliant, although without a roadmap for addressing the differences between the two you won’t go far. The first steps are conducting a new data-mapping exercise and preparing a Record of Processing Activities (RoPA), as well as revisiting the legal bases you rely on, especially legitimate interest, which PIPL does not recognize. You will also need to perform a thorough gap analysis, review your contracts, prepare new policies, and get to know the different regulators and their respective responsibilities.