Warsaw, 21st October 2021
Opinion of the Chief Expert of the Union of Entrepreneurs and Employers on digital economy
regarding the Personal Information Protection Law
The Personal Information Protection Law (PIPL), the Chinese equivalent of the European General Data Protection Regulation (GDPR), will enter into force at the beginning of November this year. While it resembles the GDPR in many ways, there are also a number of significant differences proving the goals of the Chinese law are broader than mere protection of personal data.
PIPL regulates how personal data is collected and processed by companies. Both GDPR and PIPL similarly define such basic notions as “personal data” or “personal data processing”. Once it enters into force, data processing will only be allowed if it has a clear and legitimate purpose and is limited to the “minimum extent necessary to achieve the purposes of data processing”, and the user will have to consent to the processing. This consent may be withdrawn at any time, and companies will not be entitled to refuse to render services solely on this basis. Contrary to the GDPR, PIPL does not mention any legitimate interests of the administrator, yet it states that data may be collected without consent in certain cases, such as compliance with an obligation imposed by law or to the extent necessary to perform the contract concluded with the user.
Both GDPR and PIPL are applied in an extraterritorial fashion, which means both acts apply to the processing of personal data that takes place outside the borders of the EU and China, respectively. However, the scope of the extraterritorial application of PIPL is wider than in the case of GDPR. When determining the territorial scope of the GDPR, it is necessary to take into account the geographic location of the administrator or the processing party, and more specifically, whether it is based in the EU or conducts business activities in the EU. Running a business in the EU can be determined by offering services in any of the member states. The availability of a website or the use of a language that is also a widely spoken language in a third-party country are not sufficient indicators. On the other hand, enabling an order in the currency of one of the member states may be enough.
Meanwhile, PIPL will apply to the processing of personal data outside of China, provided that the purpose of the processing is to provide products or services to individuals in China or to “analyse” the behaviour of individuals in China. Other objectives can be added by regulation. This shows that PIPL is “casting a much bigger net” than the GDPR.
Under PIPL, foreign entities will be required to establish a branch or representative office in China for purposes related to data protection and control together with the Chinese authorities. This requirement largely mirrors the representative of a non-EU entity known from GDPR.
The new provisions will also introduce restrictions on the cross-border transfer of personal data. Some provisions resemble those of the GDPR, but PIPL also includes a number of additional requirements, especially if the data exporter is an operator of a critical IT infrastructure or is processing a volume of personal data that requires permission from the Cyberspace Administration of China (CAC).
Firstly, a data controller planning to transfer personal data to entities outside of China is required to:
- obtain separate consent from users;
- take the necessary measures to guarantee that foreign recipients of data can ensure the level of protection required by PIPL;
- carry out an impact assessment on the protection of personal data.
Secondly, critical infrastructure operators or large data processors will need to store personal data locally. Should a transfer of data abroad become a necessity, the controller will have to undergo a security audit conducted by the CAC. These provisions will give the Chinese regulator wide opportunities to interfere in the business practices of companies and defend Chinese public interests.
Ultimately, the PIPL gives China the opportunity to take countermeasures against countries that have:
- acted in a way that discriminates against China in the protection of personal information;
- violated the interests of Chinese citizens whose data were processed;
- violated China’s national security and public interest.
To sum up, PIPL, following the example of GDPR, sets high standards of personal data protection. On the one hand, one could say that it is a testament to the normative power of the EU in international relations and achieves one of the strategic goals of the European Commission to export EU standards. However, if we consider the fact that PIPL, unlike the GDPR, will increase the control of the central state apparatus over the economy and strengthen China’s international position against foreign entities, we will see that these high standards are used against the EU itself. This is primarily due to the fact that PIPL will cover foreign companies to a much greater extent than GDPR, and will limit cross-border data transfer. Ultimately, PIPL shows how, in an increasingly data-driven economy, the regulation of cyberspace is becoming a new arena for geopolitics.
Kamila Sotomska
Chief Expert of the Union of Entrepreneurs and Employers on digital economy