A sneak peek at China’s Personal Information Protection Law (PIPL)
On Monday, November 1, 2021, China’s Personal Information Protection Law (PIPL) took effect, months after it was promulgated by the Standing Committee of China’s National People’s Congress. This is China’s first comprehensive law in the personal information protection area and it is based on the Constitution. The law in Article 1 aims to “protect the rights and interests of individuals, regulate personal information processing activities,” and “facilitate reasonable use of personal information”.
While the PIPL resembles the GDPR (General Data Protection Regulation), which is hailed as the global standard, it has some provisions that differ from it.
A few notable similarities between the PIPL and GDPR include:
- They are both extraterritorial.
- They both define personal data as involving identified and identifiable natural persons.
- They both use the lawful basis approach to data processing. This is distinct from other Asian privacy laws that use the consent-based approach or an approach akin to the US approach of notice-and-choice.
- They both have special protections for sensitive data, but they differ on the types of data they recognize as sensitive.
- They both have a data breach notification requirement.
- They both recognize many of the same rights.
- They both require DPOs under certain circumstances
- They both require data protection impact assessments (DPIAs) in certain situations.
A few notable differences between the PIPL and GDPR include:
- PIPL has a strong data localization requirement.
- The PIPL has a post-mortem right for personal data after death.
- The PIPL requires a representative in China for foreign data handlers.
- The PIPL has less stringent requirements for cross-border data transfer than the GDPR.
- Under the PIPL, a data breach notification must be “immediate” unlike the GDPR’s 72-hour deadline.
- Last but not least, the PIPL has fines of up to 5% of annual revenue. This is higher than GDPR’s 2% and 4% of annual revenue.
- The GDPR looks at worldwide annual revenue; the PIPL is unclear about whether the fine is based on annual revenue in China or worldwide annual revenue.
According to the 2021 Digital Economy Report, a Nikkei survey using ITU and TeleGeography statistics showed that, in 2019, cross-border data flows of China – including Hong Kong, China – far outstripped any of the other 10 countries/territories and regions examined, including the United States. China accounted for 23% of global cross-border data flows, while the United States ranked second at 12%.
This points out to the likely impact the PIPL will have since it is also extraterritorial like the GDPR. China’s approach to the digital economy and cross-border data transfers is that of promoting national and public security, championing digital development. Their policymakers control data and information, not only across borders, but also within the country, so as to maintain social stability and nurture knowledge-based sectors.
With Chinese expansion into Africa through the Belt and Road Initiative (BRI), it will be interesting to see if the PIPL will have an impact on African nations such as Kenya. China has been exceptionally successful in building its domestic digital sector and the Kenyan ICT Policy shows that Kenya has similar ambitions. In the East African region, Rwanda has also been keen on developing their technology sector and their privacy law has a strong data localisation component as China’s. However, just as it is the case in China, economic interest will eventually prevail and the strong data localisation requirements may be set aside.