PIPL, How It Differs From GDPR and What It Means for Businesses
China’s Personal Information Protection Law (PIPL) took effect on November 1, only a couple of months after it was passed in August by the National People’s Congress Standing Committee, leaving businesses struggling to prepare. The law sparked controversy as global tech giants LinkedIn and Yahoo announced their exit from China immediately after it became effective, both citing an “increasingly challenging business and legal environment”, which shows the challenges global organizations face in PIPL compliance.
China is the second-largest consumer market in the world, so most global businesses have a stake in the country. This new law has generated concerns in the business community and triggered a wave of suspicion and speculation. Yet very few have been able to pinpoint any specific challenges or make recommendations on how to comply. Why is this the case?
Who Does PIPL Apply To?
The PIPL applies to 1) any organization operating within China that collects and processes personal data, and 2) any organization operating outside China that collects and processes the personal data of Chinese citizens for a) providing products and services, b) learning the data subjects’ behaviours, or c) any other purposes as deemed relevant by the jurisdiction.
In this respect, the PIPL is very similar to the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), in that its scope is determined not only by the geographical location of the data collector but also by the location of the data subject. An additional requirement unique to the PIPL is that organizations that do not operate in China must appoint a local representative.
PIPL and GDPR, Key Differences
1. Objective and Approach
Both the PIPL and GDPR serve the objective of safeguarding privacy. There is, however, a subtle difference between their approaches. The PIPL focuses almost entirely on limiting and restricting personal data collection and processing without specifying any cybersecurity requirements, whereas the GDPR puts an equal emphasis on both and holds organizations accountable for lacking adequate cybersecurity measures.
2. Limitations on Personal Data Collection
Like the GDPR, the PIPL identifies a list of conditions under which personal data collection is allowed. Specifically, the PIPL only allows an organization (a “personal information handler”) to collect and process personal data if one of the following conditions is met:
a) The organization has received the data subject’s consent;
b) The collection of personal data is necessary to meet contractual and human resources management needs;
c) The collection of personal data is necessary to meet legal obligations;
d) The collection of personal data is necessary to prevent public health crises, or to safeguard personal and financial safety;
e) The collection of personal data is necessary for news reporting and public opinion supervision for the public interest;
f) The personal data has already been openly shared by the data subject or publicly disclosed through other legal channels; or
g) Other conditions as deemed appropriate by the jurisdiction.
Unlike the GDPR, which lists conditions based on “legitimate purposes”, the conditions listed by the PIPL aim at maintaining legal and social order. In particular, the PIPL appears rather lenient towards the collection and use of personal data for the “public interest”, as stated in lines (d) and (e), whereas all purposes relating to business operations are simply lumped into line (a).
3. Overseas Transfer of Personal Data
Perhaps the most controversial component of the PIPL is an entire section on rules for transferring data overseas, something the GDPR does not have. Such strict data localization requirements have never been seen before in any other major data privacy regulation. This section creates a significant barrier for international businesses and is seen as the main reason behind LinkedIn and Yahoo’s exit.
In general, any organization that wishes to transfer personal data outside of China must fulfill one of the following requirements:
a) The organization has passed a security assessment conducted by the Cyberspace Administration of China (CAC);
b) The organization has undergone a personal information protection certification by a public agency delegated by the CAC;
c) The organization and the overseas data recipient have signed a standard form contract made by the CAC, which sets out the obligations of both parties; or
d) Other conditions as deemed appropriate by the jurisdiction.
At first glance, these requirements do not seem troublesome, because not much is demanded of the organization other than opening its doors to CAC assessments. However, it is the simplicity of the language that creates a whole world of ambiguity, leaving wide discretion to the governing body. Since the assessment criteria are not disclosed, nobody knows what the CAC does or what it might demand afterward. Many worry that the CAC could demand access to a company’s internal network and sensitive proprietary information.
This section also requires that the data subject be informed of the name and address of the overseas data recipient prior to the data transfer. It concludes with a line explicitly stating that the Chinese government has the right to impose retaliatory restrictions on any foreign organization whose home government imposes unfair restrictions on Chinese organizations.
What It Means for Businesses
For most international businesses that operate in China, the cross-border transfer of personal data is inevitable as it is common for cloud servers and data centers to be located abroad. Unless a company switches to local cloud providers or on-premises systems – which is unlikely in today’s world – it is now required to go through the CAC security assessment.
Organizations that fail to comply with the PIPL will be ordered to immediately suspend unlawful operations and services (e.g. websites, applications) until corrected, and repay any “unlawful income” obtained through these operations. Organizations will face fines of up to 1 million yuan ($157,000). Individuals responsible for any unlawful decisions can also be fined up to 100,000 yuan ($15,700), and be banned from holding any high-level management positions.
If the violation is considered “serious”, the PIPL states that it can fine up to 50 million yuan ($7.85 million) or 5% of the violator’s annual revenue. Ultimately, the Chinese government holds the right to revoke business licenses and permits when it deems necessary.
A Law of Ambiguity
In the end, the PIPL is a law of ambiguity and wide discretion, and this explains why no one has been able to produce a specific recommendation or compliance checklist. Clearly, it isn’t the law itself that poses challenges to compliance, but the ambiguity in its requirements, assessment criteria, and penalties.
Setting the ambiguity aside, businesses should focus on the things they have control over, such as enhancing cybersecurity measures and keeping sensitive data safely encrypted.
To learn more about personal data protection and regulatory compliance, see A Brief Look at 4 Major Data Compliance Standards: GDPR, HIPAA, PCI DSS, CCPA.