On August 20th, 2021 the Standing Committee of China’s National People’s Congress passed China’s first comprehensive data privacy law, the Personal Information Protection Law (PIPL), which will go into effect on November 1st, 2021.
Similar in size and scope to the EU’s General Data Protection Regulation (GDPR), the PIPL imposes serious restrictions on how personal data can be collected, used, and managed.
Along with China’s Data Security Law, the PIPL will form a framework that will give China’s government broad enforcement capabilities and create a strict compliance environment for the nation’s Big Tech companies—and international businesses operating in China—for years to come.
In this post, we’ll break down what we know about the PIPL, its requirements for data processing and consent, and see how it stacks up to the GDPR.
What are the Goals of the PIPL?
According to the language of the law, the goals of the PIPL are to “protect the rights and interests of individuals” and facilitate the “reasonable use” of personal information through the regulation of personal information processing activities.
The four official declared goals of the law are:
- To protect the rights and interests of individuals.
- To regulate personal information processing activities.
- To safeguard the lawful and “orderly flow” of data.
- To facilitate reasonable use of personal information (Art. 1).
Who Does the PIPL Apply To?
The rules set forth by the PIPL apply to any organization that processes the personal information of Chinese citizens for the purpose of providing them with products or services, analyzing or assessing their behavior, or for “other purposes to be specified by laws and regulations.”
The law applies not only to Chinese companies but to foreign firms processing such data, even if the processing occurs outside of China. In order to process the data of Chinese citizens, foreign “personal information processing entities” must follow the guidelines and requirements outlined below.
The PIPL will not prevent China’s government from accessing or processing personal data.
A Note on Language: While the PIPL largely mirrors the roles of Data Processor and Data Controller set up by the GDPR, the nomenclature has been changed. Under the PIPL, what would normally be called a Data Controller is a Processor, and what we would typically call a Processor is called a trusted entity. For clarity, I will be using the original GDPR terms throughout this article.
What is Considered Lawful Basis for Data Processing Under the PIPL?
Like the GDPR before it, under China's PIPL, any organization that processes personal information must have a lawful basis to do so. In Article 6, the law stipulates that any personal information processing "have a clear and reasonable purpose," and shall be "limited to the smallest scope for realizing the processing purpose."
In addition to consent, which we will cover in more detail in the next section, the following are considered a lawful basis for processing under the PIPL:
- Processing necessary to enter into or perform a contract to which the individual is party.
- Processing necessary to conduct human resources management under labor rules formulated and collective contracts entered into in accordance with laws.
- Processing necessary to respond to public health emergencies, or to protect the safety of an individual's health and property in an emergency.
- Processing for purposes of carrying out news reporting and media monitoring for public interests, to a reasonable extent.
- Other circumstances required by law.
What Consent Requirements Exist Under the PIPL?
Consent requirements under the PIPL largely mirror the requirements set forth by the GDPR. User consent is only considered valid if it is knowingly and explicitly granted, with full information of the extent of personal information processing. Users also have the right to withdraw their consent at any time, and an easy option to do so must be made available.
The PIPL also stipulates that consent must be obtained when processing personal information such as medical or health information, biometrics, or financial records.
For practical purposes, that means consent banners and opt-outs set up for GDPR compliance will likely pass muster under the PIPL. Finally, consent will also be required to conduct marketing to individuals through personal information processing. The PIPL stipulates that businesses must offer consumers options that do not target personal data, or offer a way to reject the processing of said data. Any application which illegally processes personal data without consent is subject to suspension or termination.
What Requirements and Constraints Exist for Data Processing?
For organizations that have proven a legal basis for personal information processing, the PIPL sets forth a series of requirements and constraints that dictate the rules for processing, including special rules for international organizations operating within China or targeting Chinese citizens for data processing. The PIPL stipulates that:
- Organizations based in mainland China or Hong Kong must set up a specialized agency or appoint a representative for data compliance.
- Cross-border data transfers must be submitted for approval by the Cyberspace Administration of China.
- Foreign companies operating in China must appoint a local representative who will bear responsibility for PIPL compliance.
- Data processing contracts are required between controllers and processors.
- "Large data handlers" must localize data within mainland China. The CAC will determine what constitutes a large data processor.
- Organizations must conduct risk assessments before processing sensitive data, transferring data abroad, or using sensitive data for automated decision-making.
- Online platforms must appoint privacy review committees and publish social responsibility reports.
Is There a Private Right of Action Under the PIPL?
There is no private right of action under the PIPL. However, violators of the law are required to compensate individuals for any harms, including statutory damages, caused by their violations.
What are the Penalties for Noncompliance with the PIPL? How Will it be Enforced?
Violations of the law will incur fines of up to $7.7 million, or up to 5% of the previous year's business revenue. The law will be enforced by the Cyberspace Administration of China (CAC), the nation’s cyber and data protection regulator.
Is the PIPL a GDPR Copy?
At a glance, the PIPL’s framework is very similar to the European Union’s General Data Protection Regulation: both laws require a lawful purpose for data collection and processing, both require consumer consent to process data, and both laws give consumers the right to access or delete their information.
But the Chinese law’s approach to international organizations and data transfers is more restrictive than the GDPR; it would not be unfair to characterize the law as national security legislation, at least in regards to international organizations. Companies that need to transfer data internationally will need state-approved contracts, will need data processing practices certified by a state-approved body, and may need to undergo a security review by Chinese regulators.
And, as noted above, organizations that China considers “critical information infrastructure operators,” or that handle large amounts of user data, will need to store data inside China.
Bans on Algorithmic Discrimination
One interesting distinction from the GDPR is the PIPL's ban on algorithmic price discrimination. According to the law, if personal information is used in automated decision-making, that process has to be transparent, and individuals cannot be subject to different transaction terms. That means platforms cannot show users different prices based on an algorithm’s assumptions on a user’s situation, or ability or willingness to pay.
An Accelerated Timeline
Finally, the biggest distinction between the GDPR and the PIPL could simply be the accelerated timeline of the Chinese law. The PIPL passed on August 20th and will go into effect November 1st. That gives businesses a little over two months to prepare for the law. The GDPR, on the other hand, was a long, drawn-out process, which gave organizations years to prepare.
How Ensighten can help
As guidelines and regulations continue to evolve, marketers and site owners must remain vigilant in updating and maintaining compliance. Ensighten offers organizations a solution to help build a fully compliant website and simplify compliance with the PIPL, GDPR, CCPA, LGPD, and many more laws and frameworks.
With Ensighten Consent Management Plus (CMP+), you can set up customizable consent banners and give your customers a clear-cut choice on how their data is used, or whether it is collected at all.
Unlike most consent management platforms, Ensighten CMP+ offers real-time enforcement, so user preferences are applied instantaneously, and no cookies or tracking measures are fired before consent is given.
And it’s easy to use. Our bootstrap, zero-integration deployment means Ensighten CMP+ can be added to every iteration of your website with a simple line of code.
You can also use Ensighten to perform a full audit of your website—up to 5000 pages—so you can understand which cookies and tracking technologies are in use and identify potential security or compliance issues.
Request a demo today to see how Ensighten can help your organization stay compliant with evolving regulations worldwide.