China issued its comprehensive data protection law, the Personal Information Protection Law (“PIPL”), on August 20, 2021. The PIPL will come into effect on November 1, 2021. This marks a new era in China’s data protection development. Before the PIPL, the main pieces of legislation regulating data processing activities in China were the Cybersecurity Law, the Data Security Law and the Civil Code, and even these contain only a small portion of data protection regulation. Against this background, data protection practice in China stagnated for a long time. With the PIPL, a comprehensive legal framework for data protection has been established. Companies that do business in China, whether or not they have an establishment there, should be aware of the compliance risks.
The application scope of the PIPL
Similar to the GDPR, the PIPL applies extraterritorially. § 3 sentence 1 PIPL first makes clear that processing the personal data of natural persons from inside China is subject to the PIPL. § 3 sentence 2 then goes on to state that processing the personal data of natural persons located in China from outside China is also subject to the PIPL, provided that a.) the data controller aims to provide products or services to natural persons located in China; or b.) the data controller analyses or evaluates the behaviour of natural persons located in China; or c.) it is otherwise stated in laws or regulations.
In practice this means, first, that if a company has facilities or personnel in China and processes personal data through those facilities or personnel, the data processing falls under the PIPL. Second, even if a foreign company has no facility, personnel or any other presence in China, as long as it carries out data processing activities that meet the conditions set out in § 3 sentence 2, it is subject to the PIPL too. In the second case, the company is obliged to appoint a data protection representative within China and report the name and contact information of that representative to the Chinese supervisory authority (§ 53 PIPL).
To what extent does the PIPL differ from the GDPR?
Being subject to the PIPL means having to comply with the obligations set out there, which can be a headache for companies and legal practitioners who are not familiar with Chinese law. For a quick overview of the PIPL, it helps to read it in light of the GDPR. In parallel to the GDPR, the PIPL also lays down the general principles for processing personal data, the rights of data subjects, the obligations of data controllers, the ground rules for international data transfers and the liabilities arising from violations.
While its framework resembles the GDPR, the PIPL has its own characteristics. In terms of the legal basis for data processing, for example, the PIPL explicitly allows the processing of personal data that is necessary for human resource administration in accordance with Chinese labour law or collective contracts (§ 13 (2)), as well as the processing of personal data that has been publicly disclosed by the data subjects themselves or otherwise publicly disclosed in a legitimate way, within reasonable bounds (§ 13 (6)). Meanwhile, in contrast to the GDPR, the legitimate interest of the data controller or processor is not recognized as a separate legal basis. Other major differences from the GDPR include the categories of sensitive data and the conditions for processing them, the thresholds for appointing a DPO, the criteria for conducting a data protection risk assessment, and so on. In this sense, compliance with the PIPL poses new challenges for companies that are active on the Chinese market.