“The concept of privacy is different in China. The law’s focus is on protecting individuals as well as national security,” Alexa Lee, senior manager for global policy at ITI Council, said while referring to China’s Personal Information Protection Law (PIPL).
China in August passed the Personal Information Protection Law, putting in place one of the world’s strictest data privacy laws. It is modeled after Europe’s robust General Data Protection Regulation (GDPR), but there are many important aspects in which PIPL differs from GDPR and other privacy regulations from around the world. Lee highlighted these key differences while speaking at PrivacyNama 2021, a global conference on privacy regulations held by MediaNama on October 6 and 7.
What makes China’s PIPL different from GDPR?
- PIPL is a set of broad principles, not a detailed law: Unlike the GDPR, the PIPL does not provide a lot of details on how the law works. Rather it’s a set of broad principles and more details with regards to specification will follow, Lee said.
- Law focuses on individuals as well as national security: While privacy laws around the world focus on protecting individuals, China’s PIPL also focuses on national security because of China’s unique political system, Lee said. “So that’s why we see like data localisation measures, cross border data flow restrictions, and continuous surveillance and law enforcement powers,” Lee added.
- Blacklist provision: The PIPL contains a provision that allows the Chinese government to establish a blacklist of overseas data controllers and processors from processing Chinese personal data if the government deems that the company has violated China’s national security of public interests, Lee said. This provision is unprecedented because no other privacy law has it, Lee added.
- Provisions related to cross-border transfers: “The biggest significant difference between GDPR and the Chinese law is the provisions related to national security and cross-border data transfers,” Lee remarked. For two types of entities: operators of Critical Information Infrastructure or entities that process personal information that reaches a threshold amount, they will have to pass a security assessment administered by the Cyberspace Administration of China (CAC). Furthermore, to send personal data abroad for judicial or law enforcement purposes, an application must be filed with the relevant competent department for approval. However, international treaties or agreements, signed by China, that have provisions for cross-border data flows outside China, will supersede data localisation clauses of the law.
- Extra-territorial jurisdiction: Like GDPR, but unlike some other privacy legislations, PIPL applies if personal data related to people resident in China is processed outside China; this could include providing products and services from abroad to Chinese residents or analysing their online behavior.
- Retaliatory measures against other countries: If a country or a region adopts “discriminatory prohibitions, limitations or other similar measures” related to personal data protection against China, the Chinese government can retaliate. This basically means that if a country or a region (read: USA, EU) doesn’t grant China adequacy status and thus refuses to sign a data-sharing treaty with China, the Chinese government may retaliate in kind.
- No independent data protection authority: While in the EU the GDPR is administered by independent DPAs of the respective regions, China currently does not have an independent DPA, Lee said. Currently, multiple departments like the Cyberspace Administration of China (CAC) and the Ministry of Public Security are regulators of this space.
MediaNama hosted PrivacyNama 2021 with support from Facebook, Flipkart, Internet Society, Mozilla, Mobile Premier League, Omidyar Network, Paytm, Star India, and Xiaomi. We are also thankful to our community partners, the CyberBRICS Project, the Centre for Internet and Society, and the Centre for Communication Governance (NLU Delhi).
Also Read
- Summary: China Passes GDPR-Like Data Privacy Law, Except That Many Restrictions Do Not Apply To The Government
- China Expands Control Over Data Collected By Tech Companies With New Laws: Report
- Details: US, UK, EU And Allies Accuse China Of Carrying Out Malicious Cyber Activity
- What Apple’s Compromises On Privacy In China Mean For India
- Amidst Crackdown On Tech Companies, Chinese Govt Appoints Director To Board Of ByteDance Beijing: Report
Have something to add? Subscribe to MediaNama here and post your comment.