China's new privacy law looks a lot like Europe's


There are many similarities with the GDPR, but the Pipl is more stringent on the transfer of data abroad and confirms Beijing's line against the digital giants

Internet censorship in China (Getty Images)

China continues to sharpen its regulatory arsenal, especially in the digital sphere. And it does so with a sort of triad: the Data security law, the Cybersecurity law and, finally, the Personal information protection law (Pipl). The latter, approved last August by the Standing Committee of the National People's Assembly, will come into force on 1 November and systematizes the Chinese rules on the protection of personal data, providing a reference regulatory framework under the control of the Cybersecurity Authority of China (Cac). And, among the three, it is perhaps the law that can have the greatest repercussions on the activities of companies, not only Chinese but also foreign, in that country and on that market.

Pipl has many similarities with the General Regulation on data protection of the European Union (the GDPR, in force since 2018), including its extraterritorial scope, restrictions on data transfer, compliance obligations and penalties for non-compliance. But Pipl raises some concerns for companies doing business in China, even if their data processing activities take place outside of China: the consequences of non-compliance could potentially include fines and placement of the company on a government blacklist.

Pipl aims to "protect the rights and interests of individuals", "regulate the processing of personal information" and "facilitate a reasonable use of personal information", and applies to "processing entities of personal information". But, once again, the tech giants seem to be the main focus.

“Companies that manage data on a large scale such as Alibaba, Tencent or Didi will have to manage their activities and the relationship with users in a completely different way. For those who work in China in any other area, this means deepening and adapting their standards to the new legislation”, explains Lorenzo Riccardi, managing partner of the consulting company RSA Asia. "And companies will have to adapt immediately because in China as soon as the law comes into force it must be applied immediately", explains Luca Qiu, coordinator of the digital working group of the Italy China Foundation and CEO of Value China, during a webinar on parallels and differences between GDPR and Pipl organized by the Italy-China Foundation and the Italian-Chinese Chamber of Commerce.

Pipl vs Gdpr: the keywords

The definitions of "personal information" and "processing of personal information" are similar in both regulatory instruments. Sensitive personal information is defined in the Pipl as that which “once leaked, or used illegally, can easily violate the dignity of a natural person or cause damage to personal safety and property, such as biometric identification information, religious beliefs, special status, health medical information, financial accounts, information on where people are, as well as personal information of children under 14”. In the Gdpr, the company, the public administration or the body that processes personal data is defined as the "data processing manager". In the Pipl, the term "entrusted party" is used instead, just as "the data processor" becomes a "personal information processor". But their tasks may not differ substantially.

Pipl vs Gdpr: a question of borders

As with the Gdpr, Pipl extends its territorial scope to the processing of personal data outside of China, provided that the purpose of the processing is to provide products or services to individuals in China or to "analyze" or "evaluate" the behavior of individuals in China. In addition, the Pipl requires that offshore “personal information processing entities” subject to the law establish a “dedicated office” or appoint a “designated representative” in China for the purposes of protecting personal information. “But the vast majority of processing takes place on Chinese ecommerce platforms with offices in China. Only they collect the data, and foreign companies use the data only to provide the service regularly", explains Howard Wu, partner of the law firm Baker McKenzie Shanghai: "So there is no need to be overly worried, but certainly companies must immediately adapt to the new law and understand how to comply".

Pipl vs Gdpr: consent to data processing

The definition of consent under the Pipl largely aligns with the consent requirements of the Gdpr. That is, consent must be informed, freely given, demonstrated by a clear action of the individual, and capable of being subsequently withdrawn. However, there is an addition: the Pipl requires separate consent for some processing activities, in particular if a processing entity shares personal information with other entities, discloses it publicly, transfers it abroad or processes it. As for the protection of the individual's right to privacy, the law provides that people must be able to know what personal information is collected, can refuse to allow the use of the data, and can request corrections or deletions from the databases.

But the documents circulated are not yet the definitive ones and therefore there are still controversial points regarding the final rules. It remains uncertain how different rights envisaged and protected by the Pipl can be interpreted in practice. Individuals should have the right to bring lawsuits against processing entities if they reject their requests to exercise their rights, as well as the right to compensation based on actual harm that may have been suffered. However, the rules may differ based on the size of the personal information processors. "For Alibaba or Tencent there may be additional requests compared to the standard ones that will be enough for small or medium platforms", explains Wu.

Pipl vs Gdpr: data abroad

As is known, the Chinese government does not want to allow the transmission of sensitive data overseas. For this reason, compared to the GDPR, the Pipl imposes additional requirements for transferring information to entities that are not located on Chinese territory, especially for companies or entities that process a large amount of data. If it is actually necessary to transfer such personal information abroad, the transfer must pass a security assessment by the regulatory authorities.

This is one of the crucial points of the entire regulatory system. "The law is considered to be in line with Beijing's new strategy to combat the role of the giants of the technology sector, whose role the government wants to avoid as a monopoly, regulate data processing and balance margins and economic performance", explains Riccardi. Once again, the focus is on large platforms. "However, this is not just a Chinese trend but also a European one and the countries of the Five Eyes (the intelligence group that brings together the United States, United Kingdom, Canada, Australia and New Zealand, ed)", says Francesca Gaudino, partner of Baker McKenzie Milano: "Everyone is preparing new rules on the local residence of data".

Pipl vs Gdpr: sanctions

In the event of violation, regulators can order corrective actions, confiscate illegal income, suspend services or issue a fine. In the case of the GDPR, the fine can reach up to 20 million euros or 4% of global annual revenues. In the case of the Pipl, on the other hand, it can reach up to 50 million renminbi, or about 6.7 million euros, or 5% of annual revenues. Unlike European law, however, the Chinese law does not specify whether it refers to global revenues or only to those generated in China. Moreover, the Pipl would seem not to establish even a minimum sanction, thus leaving a margin of discretion to the regulatory authorities.



This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License.




