China’s PIPL, Cybersecurity Law, and Data Security Law provide the overall framework governing data protection, cybersecurity and data security in China for generations to come. 

China’s new Personal Information Protection Law (PIPL) represents the biggest shake-up of Chinese data privacy legislation in the nation’s history.

The new law imposes fines of up to 5% of a company’s worldwide revenue or ¥50M (almost USD 12 million) – whichever is higher – for non-compliance.

At this stage, PIPL does not specify whether this annual revenue refers to the worldwide turnover or the revenue generated in China, and as it does not set a minimum penalty, regulators have discretion over the penalties imposed for violations.

While PIPL has similarities to GDPR, there are some key differences that all businesses with interests in or with China need to take into consideration. 

We share some of the basics.

Key terms to understand

“Personal information” and “processing of personal information” are similarly defined under PIPL and GDPR.

However, PIPL defines sensitive personal information as:

“personal information that, once leaked, or illegally used, may easily infringe the dignity of a natural person or cause harm to personal safety and property security, such as biometric identification information, religious beliefs, specially-designated status, medical health information, financial accounts, information on individuals’ whereabouts, as well as personal information of minors under the age of 14” (Article 28).1

Lawful basis to process Personal Information (PI)

PIPL requires organisations to have a lawful basis to process personal information. However, the PIPL does not provide “legitimate interests” as a lawful basis for processing as found in the GDPR. 

China’s PIPL also proposes additional legal bases for PI handling:

  • “necessary for the performance of human resource management under labor rules or collective labor contract made in accordance with the laws” 
  • “utilization of public PI (self-disclosed PI and PI otherwise disclosed legitimately) within reasonable scope”

| PIPL (Art.13) | GDPR (Art.6) |
| --- | --- |
| Necessary for the performance of a contract or for human resource management | Necessary for the performance of a contract |
| Legal obligations | Necessary for compliance with a legal obligation |
| Vital interests under public health incidents or emergencies | Vital interests |
| Public interests | Public interests |
| Utilization of public PI | -- |
| Otherwise prescribed by laws and administrative regulations | -- |
| -- | Legitimate interests |

 

7 principles of PIPL

The PIPL establishes 7 principles that must be complied with when processing personal information. 

These principles on the handling of PI must be implemented throughout the full lifecycle of PI, and relate to the PI protection obligations and internal PI compliance management of PI handlers:

| PIPL | GDPR (Article 5) |
| --- | --- |
| Lawfulness, legitimacy, necessity and good faith (Article 5) | Lawfulness, fairness and transparency |
| Purpose limitation (Article 6) | Purpose limitation |
| Data minimisation (Article 6) | Data minimisation |
| Transparency (Article 7) | Lawfulness, fairness and transparency |
| PI quality (Article 8) | Accuracy |
| Accountability (Article 9) | Accountability |
| Data security (Article 9) | Integrity and confidentiality |
| Storage limitation (Article 19) | Storage limitation |

Personal Information Rights compared

PIPL predominantly aligns with the GDPR with respect to personal information rights. However, it differs in the specificity of the language used, and it only requires processing entities to respond to requests on a “timely” basis rather than providing a specific timeline for response.

The following table shows individuals’ rights compared across PIPL, GDPR and the California Consumer Privacy Act (CCPA): 

| PIPL | GDPR | CCPA |
| --- | --- | --- |
| Right to know | Information to be provided | Right to be informed |
| Right to decide | --- | --- |
| Right to restrict | Right to restriction of processing | --- |
| Right to refuse | Right to object | --- |
| Right to access | Right of access | Right of access |
| Right to copy | Right of access | Right of access |
| Right to data portability | Right to data portability | Right to portability |
| Right to rectify | Right to rectification | --- |
| Right to delete | Right to erasure (‘right to be forgotten’) | Right to delete |
| Related rights in automated decision making | Related rights in automated decision making | --- |
| --- | --- | Not to sell |

Individuals also have the right to bring lawsuits against processing entities if they reject the individuals’ requests to exercise their rights (Article 50). Changes to the burden of proof in privacy-related suits, which allow individuals to be compensated based on the actual damage or the illegal profit obtained by processing entities (Article 69), may see more individuals exercise their personal information rights and file suits in Chinese courts if their requests are rejected.

Separate Consent 

The PIPL sets a separate consent requirement for various scenarios such as:

  • Sharing of PI  
  • Handling of sensitive PI   
  • PI cross-border transfer: PIPL extends its territorial scope to the processing of personal information conducted outside of China 

PI handlers must ensure that PI subjects give consent for each of these handling activities separately, rather than having to consent to a bundle of handling purposes. This separate consent requirement has legal and product compliance implications for PI handlers.

What does this mean for business and HR leaders? 

Compliance with the new regulation extends to the information you hold on employees, not just your customers. It’s important to include HR and payroll systems in your plans as well.

There’s a lot to think about, so we’ve developed an employee lifecycle map and audit tool to help you assess where your plans are currently, and what you should focus on to ensure compliance. Download our audit tool for:

  • Questions and practical prompts to help you audit and prepare your own internal data systems and processes.
  • Examples of when an employee might use their new data rights, and what the implications would be for your systems
  • Checklist to help you ensure internal compliance requirements of PIPL are built into your overall strategy 

This information is part of a series of information articles and webinars developed by ADP to help you learn more about China’s Personal Information Protection Law. For more information, register for our webinar: The Internal Impact of PIPL

This article is intended for informational purposes only and does not constitute legal advice. We recommend you seek independent legal advice for your specific business. 

1 iapp.org