On 20 August 2021, the Standing Committee of China’s National People’s Congress passed the “Personal Information Protection Law” (“PIPL”). This was a significant step towards legal safeguards for personal data and privacy. After only two-months, the PIPL came into force on 1 November 2021.
This two-month transition was an ambitious deadline for businesses operating in China to take the necessary steps to comply with the PIPL. However, the requirements set forth in the PIPL should not have been a total surprise, as China already implemented a CyberSecurity Law on 1 June 2017 and a Data Security Law on 1 September 2021.
The Cyber-Security Law of China primarily addresses IT, network security, and critical information infrastructures. It also governs the protection of personal data with an emphasis on national security. Critiques of the law point to ambiguities in the application of the relevant provisions concerning foreign companies that engage in or plan to engage in business in China. The legal sanctions for failure to comply are severe compared to those imposed for noncompliance with the EU’s legislation. These severe consequences of noncompliance include temporary suspension of operations, suspension of business for corrections, closing down websites, cancellation of relevant operation permits, or cancellation of business licenses. Similar to the Cyber-Security Law, the Data Security Law addresses data protection from a national security perspective. It stipulates a graded data protection system based on the importance of the data in Article 21.
China enacted the PIPL after the implementation of the Cyber-Security Law and Data Security Law. When the structure and content of the PIPL are reviewed, it is possible to observe influence from the General Data Protection Regulation (“GDPR”) of the European Union (“EU”). However, despite this influence, the PIPL still has its sui generis structure and content. It also differs from the data protection regime under the Turkish Data Protection Law (“TDPL”) in many respects. At this point, foreign companies need to make a careful examination to determine whether their activities are subject to the PIPL.
The Territorial Scope of the PIPL
The territorial scope of the PIPL is similar to that of the GDPR, but the main difference is the PIPL’s extraterritorial applicability in the circumstances required by laws or administrative regulations. However, there is no specific guidance as to which laws or administrative regulations may require extraterritorial application of the PIPL, while under the TDPL, there is no clause determining the territorial scope.
Fundamental Concepts under the PIPL
The definition and scope of fundamental concepts such as personal data, processing, and parties (i.e., the data processor, data controller, data subjects, etc.) under the PIPL, the GDPR and the TDPL are not the same, but they are similar.
Transfer and Localization of Personal Data under the PIPL
Cross-border data transfers are regulated in a multi-layered manner under the PIPL. However, it is significantly different from that of the GDPR. Conversely, the provisions of cross-border data transfers are similar to the TDPL, especially in terms of the localization of critical information as seen below.
Data Subject’s Rights Under the PIPL
The scope of rights is quite different under the PIPL, the GDPR, and the TDPL. However, in order to enable effective protection and extensive control for individuals on their personal data, China preferred a similar approach with the GDPR and TDPL for the regulation of rights.
With the enactment of the PIPL, China has made a significant effort to implement an effective and up-to-date data protection framework. The content and structure of the PIPL share similarities with the GDPR and the TDPL; however, it also has remarkable differences, especially in terms of processing conditions and data transfer and localization requirements. Despite the PIPL providing a wide range of data processing conditions, the scope of such conditions is not exactly the same as the GDPR and the TDPL. Furthermore, data transfer and localization requirements differ to a considerable extent between the PIPL and the GDPR. Therefore, companies that carry on or plan to carry on business in China should take the provisions of the PIPL into consideration and follow recent developments in this space.