On August 20, 2021, China’s National People’s Congress passed the Personal Information Protection Law (PIPL), which will become effective starting November 1, 2021.
As an overarching law in China with respect to data privacy, PIPL shares many similarities with the EU General Data Protection Regulation (GDPR). If a company has already been GDPR compliant, its data privacy compliance system can basically work in China, while certain localizations are necessary in response to unique requirements under PIPL. In particular, a company should pay attention to the following differences between PIPL and GDPR:
- Data localization. PIPL requires a controller1 of large-scale personal data2 or a critical information infrastructure operator (CIIO)3 to store personal data within China, and cross-border transfer thereof shall be subject to a security assessment by Cyberspace Administration of China (CAC). Other data controllers may do the cross-border transfer in reliance on one of legitimate approaches recognized under PIPL, including entering into a standard contract (following a template to be issued by CAC) with overseas data recipients. Further, a controller shall obtain standalone consent of data subjects (to the extent that the consent is the lawful basis for the data processing) and conduct the data protection impact assessment (DPIA, as defined below) prior to the cross-border transfer.
- Standalone consent of data subjects. Standalone consent is a unique concept under PIPL. The law requires a controller to obtain standalone consent of data subjects under certain circumstances, for example, processing sensitive personal data and cross-border transfer of personal data. Although PIPL does not define the “standalone consent,” it is commonly believed that such consent shall be obtained through a separate affirmative action by data subjects (e.g., a separate signature or clicking of a separate checkbox).
- Rights of data subjects. Rights of data subjects under PIPL are similar to those under GDPR except that the “right to be forgotten” under GDPR is not provided under PIPL.
- DPIA. Both GDPR and PIPL require the DPIA under certain circumstances, for example, automated decision-making and processing sensitive personal data. However, PIPL further requires a controller to conduct the DPIA in the following cases (which are not required under GDPR): cross-border transfer of personal data, contracting a third-party data processor, providing personal data to another controller, and making personal data publicly available.
- Data breach notification. Unlike GDPR, PIPL does not set forth a specific timeline (e.g., within 72 hours) for a controller to notify a data breach to a government authority.
Sidley Austin LLP provides this information as a service to clients and other friends for educational purposes only. It should not be construed or relied on as legal advice or to create a lawyer-client relationship.
Attorney Advertising - For purposes of compliance with New York State Bar rules, our headquarters are Sidley Austin LLP, 787 Seventh Avenue, New York, NY 10019, 212.839.5300; One South Dearborn, Chicago, IL 60603, 312.853.7000; and 1501 K Street, N.W., Washington, D.C. 20005, 202.736.8000.