China’s GDPR-Equivalent Comes Into Force Today

On August 20, the Committee of the National People’s Congress of the People’s Republic of China announced the upcoming adoption of a law dedicated to the protection of personal data online. This law, known as the Personal Information Protection Law (PIPL), comes into force today (November 1, 2021).

The objective is to protect the personal data of Internet users by limiting the massive collection and exploitation of it by Chinese digital giants. More specifically, the first article of the PIPL aims to encourage the “rational” use of personal information. At the end of 2020, China had 989 million online users.

A Chinese GDPR?

Composed of 74 articles, divided into 8 chapters, the Chinese law is reminiscent of the European Union’s General Data Protection Regulation (GDPR) in terms of its scope. 

According to article 4 of the PIPL, data refers to “all kinds of information, recorded electronically or by other means, relating to identified or identifiable natural persons, excluding information after anonymization processing.” This definition recalls article 4 of the GDPR, and in particular its definition of “personal data”, where some terms are identical.

Other major ideas of the GDPR can be found in the PIPL, such as:

  • The collection of the prior consent of the Internet user before any processing of his or her personal data (collection, storage, etc.).
  • The right to information, i.e. informing Internet users of the use that may be made of their data.
  • The principle of data minimization: data must be adequate, relevant and limited to what is necessary for the purposes for which it is processed.
  • Specific rules for the processing of sensitive data: biometric, medical, financial and location data are subject to specific requirements.
  • The possibility to refuse targeted advertising.

The data protection officer also has an equivalent in the Chinese regulation. The law states that companies must appoint someone who will be in charge of managing personal data protection operations.

The PIPL also has an extraterritorial scope. Here again, a parallel can be drawn with the GDPR because data transfers from China to countries that do not have a level of data protection equivalent to that decreed by Beijing are prohibited. 

Countering Chinese Tech Giants

This new law comes into force to counter the abuses of Chinese digital giants.

Like their American counterparts, Chinese Internet giants, such as Tencent, Alibaba, and Weibo, have adopted an economic model that is based on the exploitation of consumers’ personal data.

Criticism has been growing among part of the population and within the Chinese administration. The Chinese authorities have therefore targeted some tech giants for bad commercial practices (for example, charging different users different prices for the same service). Beijing has sanctioned several companies in recent months, including Chinese giant Alibaba, which was fined over 2.3 billion euros last April for anti-competitive practices.

Beijing is also targeting some companies that have deployed facial recognition systems without authorization, “secretly” capturing consumers’ faces and other biometric data. The new legislation is meant to regulate this. Signs will have to be prominently displayed in public places where such equipment is installed and images are captured. Additionally, the collection and use of such data must be limited to “safeguarding public safety”.

New Sanctions

The PIPL provides for sanctions that are just as dissuasive as those provided for in the European regulation.

According to article 66 of the PIPL, the monetary penalties are up to 50 million yuan (6.6 million euros) or 5% of annual revenue (article 83 of GDPR provides for monetary penalties of up to 20 million euros, or 4% of annual turnover).

Other punitive actions include ordering the cessation of data processing and confiscation of “illegally” earned profits. Employees directly responsible for the data breach could also be fined between $1,500 and $15,000. And for the most serious cases, the PIPL also provides for the suspension or termination of the company’s services.

Sanctions also apply to foreign companies or organizations. If they violate the rights of Chinese citizens, or endanger China’s national security or public interests, they will be blacklisted and any transfer of personal information of Chinese citizens to these entities will be restricted or even prohibited. China will also take reciprocal measures against countries that take “discriminatory, prohibitive or restrictive measures against China in the protection of personal information.”