China’s upcoming personal data protection law – a comparison with GDPR

A quick guide to China’s upcoming personal data protection law – a comparison with GDPR.

24 June 2021

Publication

The draft Personal Information Protection Law (PIPL) of China concluded its second public consultation in late May. Being the country's first umbrella law on the protection of personal data, PIPL is now one step closer to finalisation and is likely to be promulgated very soon.

The draft PIPL applies both to the processing of internal employee data and to the processing of external customer / user data. It borrows many key concepts from the GDPR, while retaining distinctive features that reflect local regulatory and business needs.

Different terminology

One thing to note at the outset: the draft PIPL does not adopt the GDPR concepts of "data controller" and "data processor". Instead it uses the single term "data processor" to refer to any organisation or individual that controls and determines the purpose and method of its processing of personal data, ie the "data controller" under the GDPR. Under the draft law, the data processor may further engage a third party to process data on its behalf, and that third party is defined as an "entrusted party" (the closest equivalent of the GDPR "data processor").

Extra-territorial effect

The draft PIPL proposes extra-territorial effect over overseas processing of the personal data of China-based individuals where the purpose is to offer products or services to, or to analyse and assess the behaviour of, such individuals. This means that if an international company without a presence in China offers products or services to China-based individual users, its overseas processing of those users' personal data will still be subject to this law.

This extra-territorial effect is similar to that of the GDPR but slightly narrower. There is no equivalent of the GDPR's "establishment in the EU" trigger under this draft.

Legal bases for processing

A welcome change is that the draft PIPL adds further legal bases for personal data processing in addition to consent, which is the only lawful basis under existing law.

These new lawful bases are: (1) the processing is necessary for entering into or performing a contract to which the data subject is a party; (2) compliance with legal duties and obligations to which the data processor is subject; (3) responding to public health incidents or protecting the vital interests of natural persons; (4) the processing of publicised personal data within a reasonable scope; and (5) to the extent reasonably necessary, news reporting and media supervision for the purpose of protecting the public interest.

A key divergence from the GDPR is that "legitimate interest" is not recognised as one of the legal bases, despite the lobbying efforts of many organisations. The reason for this conservative stance may be that the regulators are concerned the concept would give data processors too much latitude to collect and use data.

Cross-border data transfer

Cross-border data transfer is a key concern for international companies. Under the existing law, operators of Critical Information Infrastructure (CII) must complete a security assessment prior to any cross-border transfer of personal data. The draft PIPL adds several new provisions on this topic.

First of all, a prior, separate, informed consent must be obtained from data subjects. Unlike under the GDPR, this consent requirement is not a derogation but the preliminary legal ground required for all transfers.

In terms of appropriate safeguards, the draft PIPL has taken a very different approach from the GDPR. Under the GDPR, the destination matters. If the data transferee is located in a jurisdiction covered by an "adequacy decision", the cross-border transfer is permitted without further safeguards. If not, the transfer must rely on other safeguards, such as the approved Standard Contractual Clauses (SCCs) or Binding Corporate Rules, supplemented where necessary by additional measures, as recommended by the European Data Protection Board. It does not matter whether the data transferor is a large company or not, which sector it operates in, or how much personal data is to be transferred.

But under the draft PIPL, the data transferor matters. If the transferor is a CII operator, or if the amount of personal data it processes reaches a certain threshold, it is subject to a security assessment organised by the Cyberspace Administration of China (CAC). If the transferor is not a CII operator and does not reach the quantity threshold, it may transfer personal data out of China via one of several routes, eg a voluntary security assessment, certification by designated agencies, or entering into a standard transfer agreement formulated by the CAC (a concept similar to the SCCs). In other words, "with greater power comes greater responsibility".

We believe such differentiation between large and smaller processors will help ease the compliance burden of small enterprises and start-ups. It is less significant for entities operating in important or sensitive sectors such as finance, telecoms and life sciences, given that such entities are likely to be recognised as CII operators under Chinese law and so subject to the mandatory security assessment.

Privacy impact assessment

The draft PIPL proposes new requirements of "risk assessments", which are similar to the data protection impact assessment (DPIA) under the GDPR but with lower triggering thresholds.

For example, prior risk assessments are required for the processing of sensitive personal data (not necessarily on a large scale); automated decision-making; entrusted processing; sharing data with third parties; cross-border data transfer; and other activities that may have a material impact on data subjects.

The draft PIPL requires data processors to retain the records of risk assessments for at least three years. Such retention period is not provided under the GDPR.

Note that a cross-border data transfer is subject both to this risk assessment and to the security assessment (or one of the alternative routes), depending on the nature of the data transferor. The two assessments do not replace each other.

Data subject rights

The draft PIPL sets out obligations to respond to data subject rights requests, which are very similar to those under the GDPR. Most GDPR-provided data subject rights are also recognised by the draft PIPL, except the right of data portability.

One key divergence lies in the data subject rights of deceased persons. Such a concept is rarely seen in other privacy laws, including the GDPR, but has already attracted wide attention from businesses and academics. The draft PIPL proposes that when a natural person is deceased, his or her rights in relation to the processing of personal data shall be exercised by his or her close relatives.

Appointment of DPO and China representative

Similar to the GDPR, the draft PIPL requires certain data processors to appoint a personal data protection officer and, if they have no local presence, a China representative.

Additional obligations of large platforms

The draft PIPL establishes self-regulatory obligations for online platforms used by other product and / or service providers. Though there is no equivalent under the GDPR, these requirements echo the "gatekeeper" concept for platform companies in the EU's Digital Markets Act and Digital Services Act.

Large platforms are required to: (1) set up an independent body formed by external members to oversee the processing activities of personal data; (2) cease providing services to those in-platform product / service providers with unlawful processing activities; and (3) publish a social responsibility report on personal data protection regularly.

Penalties

Similar to the GDPR, the draft PIPL sets out a very high ceiling for administrative fines, up to 5% of annual turnover or RMB 50 million (approx. GBP 5.6 million or EUR 6.4 million), second only to competition law violations in China, which can attract fines of up to 10% of the relevant annual turnover. However, this 5% is not calculated on the international group turnover, which is a key difference from the GDPR. It is not yet clear whether it is based on the annual turnover of the group in China or of the data processing entity only.

Another thing to note is that a serious breach of data protection rules may attract criminal liability.

Public interest litigations

The draft law proposes a special form of civil proceeding: the procurator and the data regulator may file a "public interest litigation" against illegal data processors whose activities have infringed the rights and interests of many data subjects. If affected data subjects subsequently choose to sue the same data processor on the same grounds, they will not need to prove the illegal activities already established in the "public interest litigation". This means the burden of proof on such individuals is reduced significantly. Some regional procurators and consumer protection bodies have already filed several such public interest litigations on data protection grounds in the past two years.

Implications for businesses

China's legal regime for data protection is evolving at a very rapid pace. The newly promulgated Data Security Law went through the whole legislative process in less than a year. Multiple lower-level regulations, rules and national / industry standards have also been promulgated in recent years. Understanding the complexity and features of China's data protection regime and implementing local compliance policies will be a challenge.

On the other hand, Chinese regulators are increasingly active in data privacy enforcement, and the implementation of the PIPL will provide them with a much more powerful enforcement tool. Data compliance in the China market should be a key compliance focus for international companies in the coming years.

The good news is that a considerable number of provisions in the draft PIPL share similarities with the GDPR. This should help international companies, especially those that are already GDPR-compliant, to maintain a largely consistent data compliance framework globally.

This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.