On August 20, 2021, China’s National People’s Congress passed the Personal Information Protection Law (PIPL), which will become effective starting November 1, 2021.
As an overarching law in China with respect to data privacy, PIPL shares many similarities with the EU General Data Protection Regulation (GDPR). If a company has already been GDPR compliant, its data privacy compliance system can basically work in China, while certain localizations are necessary in response to unique requirements under PIPL. In particular, a company should pay attention to the following differences between PIPL and GDPR:
- Data localization. PIPL requires a controller1 of large-scale personal data2 or a critical information infrastructure operator (CIIO)3 to store personal data within China, and cross-border transfer thereof shall be subject to a security assessment by Cyberspace Administration of China (CAC). Other data controllers may do the cross-border transfer in reliance on one of legitimate approaches recognized under PIPL, including entering into a standard contract (following a template to be issued by CAC) with overseas data recipients. Further, a controller shall obtain standalone consent of data subjects (to the extent that the consent is the lawful basis for the data processing) and conduct the data protection impact assessment (DPIA, as defined below) prior to the cross-border transfer.
- Standalone consent of data subjects. Standalone consent is a unique concept under PIPL. The law requires a controller to obtain standalone consent of data subjects under certain circumstances, for example, processing sensitive personal data and cross-border transfer of personal data. Although PIPL does not define the “standalone consent,” it is commonly believed that such consent shall be obtained through a separate affirmative action by data subjects (e.g., a separate signature or clicking of a separate checkbox).
- Rights of data subjects. Rights of data subjects under PIPL are similar to those under GDPR except that the “right to be forgotten” under GDPR is not provided under PIPL.
- DPIA. Both GDPR and PIPL require the DPIA under certain circumstances, for example, automated decision-making and processing sensitive personal data. However, PIPL further requires a controller to conduct the DPIA in the following cases (which are not required under GDPR): cross-border transfer of personal data, contracting a third-party data processor, providing personal data to another controller, and making personal data publicly available.
- Data breach notification. Unlike GDPR, PIPL does not set forth a specific timeline (e.g., within 72 hours) for a controller to notify a data breach to a government authority.
Sidley Austin LLPはクライアントおよびその他関係者へのサービスの一環として本情報を教育上の目的に限定して提供します。本情報をリーガルアドバイスとして解釈または依拠したり、弁護士・顧客間の関係を結ぶために使用することはできません。
弁護士広告 - ニューヨーク州弁護士会規則の遵守のための当法律事務所の本店所在地は、Sidley Austin LLP ニューヨーク：787 Seventh Avenue, New York, NY 10019 (+212 839 5300)、シカゴ：One South Dearborn, Chicago, IL 60603、(+312 853 7000)、ワシントン：1501 K Street, N.W., Washington, D.C. 20005 (+202 736 8000)です。