A sneak peek at China’s Personal Information Protection Law (PIPL)

November 5, 2021 - Reading Time: 2 minutes - By Amrit Labhuram

On Monday, November 1, 2021, China’s Personal Information Protection Law (PIPL) took effect, months after it was promulgated by the Standing Committee of China’s National People’s Congress. This is China’s first comprehensive law in the personal information protection area and it is based on the Constitution. The law in Article 1 aims to “protect the rights and interests of individuals, regulate personal information processing activities,” and “facilitate reasonable use of personal information”.

While the PIPL resembles the GDPR (General Data Protection Regulation), which is hailed as the global standard, it has some provisions that differ from it.

A few notable similarities between the PIPL and GDPR include:

  • They are both extraterritorial.
  • They both define personal data as involving identified and identifiable natural persons.
  • They both use the lawful basis approach to data processing. This is distinct from other Asian privacy laws that use the consent-based approach or an approach akin to the US approach of notice-and-choice.
  • They both have special protections for sensitive data, but they differ on the types of data they recognize as sensitive.
  • They both have a data breach notification requirement.
  • They both recognize many of the same rights.
  • They both require DPOs under certain circumstances
  • They both require data protection impact assessments (DPIAs) in certain situations.

A few notable differences between the PIPL and GDPR include:

  • PIPL has a strong data localization requirement.
  • The PIPL has a post-mortem right for personal data after death.
  • The PIPL requires a representative in China for foreign data handlers.
  • The PIPL has less stringent requirements for cross-border data transfer than the GDPR.
  • Under the PIPL, a data breach notification must be “immediate” unlike the GDPR’s 72-hour deadline.
  • Last but not least, the PIPL has fines of up to 5% of annual revenue. This is higher than  GDPR’s  2% and 4% of annual revenue.
  • The GDPR looks at worldwide annual revenue; the PIPL is unclear about whether the fine is based on annual revenue in China or worldwide annual revenue.

According to the 2021 Digital Economy Report, a Nikkei survey using ITU and TeleGeography statistics showed that, in 2019, cross-border data flows of China – including Hong Kong, China – far outstripped any of the other 10 countries/territories and regions examined, including the United States. China accounted for 23% of global cross-border data flows, while the United States ranked second at 12%. 

This points out to the likely impact the PIPL will have since it is also extraterritorial like the GDPR. China’s approach to the digital economy and cross-border data transfers is that of promoting national and public security, championing digital development. Their policymakers control data and information, not only across borders, but also within the country, so as to maintain social stability and nurture knowledge-based sectors.

With Chinese expansion into Africa through the Belt and Road Initiative (BRI), it will be interesting to see if the PIPL will have an impact on African nations such as Kenya. China has been exceptionally successful in building its domestic digital sector and the Kenyan ICT Policy shows that Kenya has similar ambitions. In the East African region, Rwanda has also been keen on developing their technology sector and their privacy law has a strong data localisation component as China’s. However, just as it is the case in China, economic interest will eventually prevail and the strong data localisation requirements may be set aside.

Spread the love

    Who is Who

  • James Mworia’s interview: Centum Investments and designation of Two Rivers as SEZ

    The Centum Investment company is listed on the Nairobi Securities Exchange and the Uganda Securities Exchange. It is a diversified portfolio with assets of about Ksh 50 billion and debt of about Ksh 2 billion.  Since its inception in 1967, Centum Investments has been able

    Spread the love
    More ..
  • WHO IS WHO: New NIS director-general Noordin Haji

    Noordin Haji was on Wednesday, June 14, sworn in as the Director-General of the National Intelligence Service (NIS). This followed his nomination by President William Ruto on May 16 and his approval by Parliament’s Defence and Foreign Relations Committee on Tuesday, June 13.  Mr Haji

    Spread the love
    More ..
  • WHO IS WHO- New Kemsa Board Chairperson Irungu Nyakera

    In a bid to rectify the deep-rooted corruption and mismanagement of medical supplies within the Kenya Medical Supplies Agency (Kemsa), President William Ruto appointed a new board chairperson, Mr Irungu Nyakera. With a track record of academic excellence and a diverse professional background, Mr Nyakera

    Spread the love
    More ..