The PIPL is often likened to the GDPR, as the Chinese government's equivalent of the EU regulation. This article highlights some key similarities and differences between the two documents.
Note that this article does not constitute formal legal advice or serve as an exhaustive guide to the application of the Personal Information Protection Law of the People’s Republic of China (PRC).
Both relate to the collection, storage, use, processing, transmission, provision, public disclosure, deletion and any operation which is performed on personal information.
Both are extraterritorial and thus apply to offshore controllers
Both require Data Protection Impact Assessments in certain situations
Both have a data breach notification requirement
Both define personal data as involving identifiable & identified natural persons
Both consider special protections for sensitive data
Both include the following rights:
Right to access
Right to correction and/or rectification
Right to information
Right to withdraw consent
Right to data portability
Right to object and restrict the processing of an individual's data
Right to erasure
Unlike the GDPR and other jurisdictions, the PIPL does not distinguish between business and personal data. Therefore, identifiable business contact information that is collected (e.g. a contact person’s name) will fall within the personal information definition under Chinese law.
Unlike the GDPR, the PIPL does not provide “legitimate interests” as a lawful basis to process personal information. See section on Legal Basis for the grounds covered.
The PIPL requires additional, separate consent for processing activities if a processing entity (i) shares personal information with other processing entities; (ii) discloses personal information publicly; (iii) processes sensitive personal information; or (iv) transfers personal information overseas.
Unlike the GDPR, the PIPL lacks precise GDPR language addressing personal information rights, including exemptions or where certain restrictions may apply.
Naming Convention: GDPR’s “Controller” & the PIPL’s “Personal Information Processor”
The GDPR’s definition of “controller” is akin to the PIPL’s “Personal Information Processor (PIP)”, defined as an individual or organisation that determines the purposes and means of the processing of personal information in relation to personal information processing activities.
Sensitive data is defined similarly in both regulations; however, the PIPL's definition of sensitive data is broader. China's PIPL defines personal information as data which can identify a person, but Article 4 specifically makes an exception for anonymised information. For examples, please visit this article.
The PIPL states that this is subject to certain conditions. For more information, please see This Overview on the PIPL.