Privacy Regulations: EU’s GDPR vs China’s PIPL
Since the European Union’s General Data Protection Regulation (GDPR) came into force in 2018, Brussels has become a trailblazer in the field of data privacy regulation. The United States, home to the biggest tech industry in the world, does not have unifying federal legislation on privacy. So, many countries have followed the example of the EU and adopted privacy legislation similar to GDPR, which some observers call another “Brussels effect.” In August 2021, the National People’s Congress of China adopted the Personal Information Protection Law (PIPL), which entered into force on November 1, 2021. Essentially, PIPL is quite similar to the GDPR and is another big step towards government regulation of data handling practices in global cyberspace. This post outlines some of the main similarities and differences between the EU’s GDPR and China’s PIPL.
I. Broad Brush Strokes
GDPR was adopted in 2016 and came into force two years later, while the PIPL in China came into force only two months after it was adopted. In this regard, PIPL gives data handling companies less time to adjust their practices and is likely to create time pressure for legal compliance. Additionally, GDPR has 11 chapters and is around 88 pages long, while China’s PIPL has 8 chapters and is only 20 pages. So, PIPL does not go into as much detail as GDPR in its provisions; it outlines general legal directives and expects the supervisory executive organizations to work out the specifics (Lee et al.). The Cyberspace Administration is likely to take the leading role in supervising the implementation of the PIPL in China. In the European Union, each member state has its own supervisory authority, which is responsible for enforcing the GDPR. For example, in Germany it is the Federal Commissioner for Data Protection and Freedom of Information, while in France it is the National Data Protection Authority (known as CNIL).
Both laws have an extraterritorial reach, which means that any company, regardless of its geographic location, is subject to them as long as it processes the data of individuals within the boundaries of the law’s jurisdiction. Neither law applies to anonymized data, meaning data that cannot be traced back to the individual it concerns. Both GDPR and PIPL impose fewer burdens or restrictions on small businesses, but PIPL does not specify what exactly constitutes a “small-scale data handler”. GDPR treats companies with fewer than 250 employees as small businesses.
Table 1 shows the different terminology used by the European and Chinese authorities, but the terms generally represent the same ideas. Overall, the two documents are quite similar in how they define private information and in the rules they impose on data collection and processing practices.
II. Legal basis
Both documents emphasize consent as the primary legal basis for data processing. The EU’s GDPR states that consent must be “freely given, specific, informed and unambiguous” (GDPR), while China’s PIPL clarifies that “consent shall be given by individuals under the precondition of full knowledge, and in a voluntary and explicit statement” (PIPL). However, in certain cases consent is not necessary under either law, for example where there is a contractual necessity. This means that if a company needs to collect and process personal information to perform a contract to which the data subject is a party, then it is not necessary to obtain individual consent.
GDPR also identifies legitimate interest as a legal basis for processing personal information. If the data-collecting organization has not obtained consent and cannot show that the data use is necessary for the performance of a service contract, then data collection is still permissible if the data is needed for “preventing fraud, transmission of personal data within a group of undertakings for internal administrative purposes, including client and employee data; ensuring network and information security, including preventing unauthorized access to electronic communications networks and stopping damage to computer and electronic communication systems; and reporting possible criminal acts or threats to public security to a competent authority” (MacCarthy, p. 61). It is worth noting that in these specific cases of legitimate interest, the data-collecting organization must notify the data subjects, who have the right to object to the processing.
Chinese law does not include legitimate interest as a legal basis for data processing, but it has several provisions that are not specifically mentioned in GDPR. Under Article 13 of the PIPL, data collectors can skip consent where data collection is necessary: 1) “to conduct human resources management”; 2) “to respond to sudden public health incidents”; 3) “to protect natural persons’ lives and health, or the security of their property, under emergency conditions”; 4) “other circumstances provided in laws and administrative regulations” (DigiChina). Regarding the last provision, as of today there is no clear information as to what the “other circumstances” imply, or what role this clause will play in practice.
III. Automated price differentiation
Big data has enabled a new marketing strategy that relies on algorithms to analyze an individual’s willingness to pay for a service or good and offers prices individually adjusted for each customer. This approach, called price discrimination or “big data swindling”, is a growing public concern in China (Shazeda). So, in Article 24 of the PIPL, the Chinese government included a provision that bans unreasonable differential pricing produced by automated decision-making: “the transparency of the decision-making and the fairness and justice of the handling result shall be guaranteed, and they may not engage in unreasonable differential treatment of individuals in trading conditions such as trade price, etc.”
GDPR also has a provision regarding profiling and automated decision-making, but not specifically about pricing. Article 22 of the GDPR states that “The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her”, and grants data subjects the right “to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.” This means that by default GDPR does not ban automated pricing, but gives data subjects the right to contest a price offered by an algorithm if they think it is worth their time and effort.
There are more similarities and differences between the GDPR and PIPL, especially if we put them in context and compare the government structures of China and the European Union. However, looking beyond their national realms at their broader international implications, these documents represent a new direction in the field of privacy regulation. In this regard they are essentially similar, as both assume the need for unified government legislation to regulate the flow of private data. China was not the first country to follow the EU’s path and adopt national privacy legislation, but it is the biggest. Put together, China and the EU account for almost a quarter of the internet users in the world.
References
DigiChina. (2021, October 14). Translation: Personal Information Protection Law of the People’s Republic of China (Effective Nov. 1, 2021). DigiChina.
Lee, A., Shi, M., & Chen, Q. (2021, October 14). Seven Major Changes in China’s Finalized Personal Information Protection Law. DigiChina.
MacCarthy, M. (2020). Enhanced Privacy Duties for Dominant Technology Companies. 47 Rutgers Computer & Technology Law Journal.
Shazeda, A. (2021, June 30). Big data swindling. AI Now Institute. Medium.
SixFifty. (2021, September 2). Privacy Laws Compared: GDPR vs PIPL. YouTube.
Wolford, B. (2019, February 13). What is GDPR, the EU’s new data protection law? GDPR.EU.