China’s PIPL, together with the Cybersecurity Law and the Data Security Law, provides the overall framework governing data protection, cybersecurity and data security in China.
China’s new Personal Information Protection Law (PIPL) represents the biggest shake-up of Chinese data privacy legislation in the nation’s history.
The new law imposes fines of up to ¥50 million (roughly USD 7–8 million) or up to 5% of a company’s annual revenue for the previous year for serious violations (Article 66).
At this stage, PIPL does not specify whether this annual revenue refers to the worldwide turnover or the revenue generated in China, and as it does not set a minimum penalty, regulators have discretion as to the penalties that will be imposed on violations.
While PIPL has similarities to GDPR, there are some key differences that all businesses with interests in or with China need to take into consideration.
We share some of the basics.
Key terms to understand
“Personal information” and “processing of personal information” are similarly defined under PIPL and GDPR.
However, PIPL defines sensitive personal information as:
“personal information that, once leaked, or illegally used, may easily infringe the dignity of a natural person or cause harm to personal safety and property security, such as biometric identification information, religious beliefs, specially-designated status, medical health information, financial accounts, information on individuals’ whereabouts, as well as personal information of minors under the age of 14” (Article 28).1
Lawful basis to process Personal Information (PI)
PIPL requires organisations to have a lawful basis to process personal information. However, the PIPL does not provide “legitimate interests” as a lawful basis for processing as found in the GDPR.
China’s PIPL also provides additional legal bases for PI handling that have no direct GDPR equivalent:
- “necessary for the performance of human resource management under labor rules or collective labor contract made in accordance with the laws”
- “utilization of public PI (self-disclosed PI and PI otherwise disclosed legitimately) within reasonable scope”
| PIPL (Art. 13) | GDPR (Art. 6) |
| --- | --- |
| Consent | Consent |
| Necessary for the performance of a contract or for human resource management | Necessary for the performance of a contract |
| Legal obligations | Necessary for compliance with a legal obligation |
| Vital interests under public health incidents or emergencies | Vital interests |
| Public interests | Public interests |
| Utilization of public PI | -- |
| Otherwise prescribed by laws and administrative regulations | -- |
| -- | Legitimate interests |
7 principles of PIPL
The PIPL establishes 7 principles that must be complied with when processing personal information.
These principles apply across the full lifecycle of PI and underpin both the protection obligations imposed on PI handlers and their internal PI compliance management:
| PIPL | GDPR (Article 5) |
| --- | --- |
| Lawfulness, legitimacy, necessity and good faith (Article 5) | Lawfulness, fairness and transparency |
| Purpose limitation (Article 6) | Purpose limitation |
| Data minimisation (Article 6) | Data minimisation |
| Transparency (Article 7) | Lawfulness, fairness and transparency |
| PI quality (Article 8) | Accuracy |
| Accountability (Article 9) | Accountability |
| Data security (Article 9) | Integrity and confidentiality |
| Storage limitation (Article 19) | Storage limitation |
Personal Information Rights compared
PIPL predominantly aligns with the GDPR with respect to personal information rights. However, it differs in the specificity of its language and only requires processing entities to respond to requests in a “timely” manner, rather than setting a specific response deadline as the GDPR does.
The following table shows individuals’ rights compared across PIPL, GDPR and the California Consumer Privacy Act (CCPA):
| PIPL | GDPR | CCPA |
| --- | --- | --- |
| Right to know | Information to be provided | Right to be informed |
| Right to decide | --- | --- |
| Right to restrict | Right to restriction of processing | --- |
| Right to refuse | Right to object | --- |
| Right to access | Right of access | Right of access |
| Right to copy | Right of access | Right of access |
| Right to data portability | Right to data portability | Right to portability |
| Right to rectify | Right to rectification | --- |
| Right to delete | Right to erasure (‘right to be forgotten’) | Right to delete |
| Related rights in automated decision making | Related rights in automated decision making | --- |
| --- | --- | Not to sell |
Individuals also have the right to bring lawsuits against processing entities if they reject the individuals’ requests to exercise their rights (Article 50). Changes to burden of proof in privacy-related suits that allow individuals to be compensated based on the actual damage or the illegal profit obtained by processing entities (Article 69) may see more individuals exercise their personal information rights and file suits in Chinese courts if their requests are rejected.
Separate Consent
The PIPL sets a separate consent requirement for various scenarios, such as:
- Sharing of PI with other PI handlers
- Handling of sensitive PI
- Cross-border transfer of PI (note that PIPL also applies extraterritorially to certain processing of the PI of individuals in China that is conducted outside of China)
PI handlers must obtain the PI subject’s consent to each such handling activity separately, rather than asking the subject to consent to a bundle of handling purposes at once. This separate consent requirement has legal and product compliance implications for PI handlers.
What does this mean for business and HR leaders?
Compliance with the new law extends to the information you hold on employees, not just your customers. It’s important to include HR and payroll systems in your plans as well.
There’s a lot to think about, so we’ve developed an employee lifecycle map and audit tool to help you assess where your plans are currently, and what you should focus on to ensure compliance. Download our audit tool for:
- Questions and practical prompts to help you audit and prepare your own internal data systems and processes.
- Examples of when an employee might use their new data rights, and what the implications would be for your systems
- Checklist to help you ensure internal compliance requirements of PIPL are built into your overall strategy
This information is part of a series of information articles and webinars developed by ADP to help you learn more about China’s Personal Information Protection Law. For more information, register for our webinar: The Internal Impact of PIPL.
This article is intended for informational purposes only and does not constitute legal advice. We recommend you seek independent legal advice for your specific business.
1 iapp.org