How does China’s new Personal Information Protection Law (PIPL) compare to the European Union’s GDPR? In this post, I provide a quick PIPL vs. GDPR comparison. In comparing the PIPL with the GDPR, I will note a few key similarities and differences — my comparison is not comprehensive.
Comparing PIPL and GDPR: Similarities
A few notable similarities between the PIPL and GDPR include:
- Both the PIPL and GDPR are extraterritorial.
- The PIPL and GDPR define personal data as involving identified and identifiable natural persons.
- The PIPL uses the GDPR’s lawful basis approach to data processing. Many other Asian privacy laws use the consent-based approach or an approach akin to the US approach of notice-and-choice.
- Both the PIPL and GDPR have special protections for sensitive data, but they differ on the types of data they recognize as sensitive.
- Both the PIPL and GDPR have a data breach notification requirement.
- The PIPL and GDPR recognize many of the same rights.
- Both the PIPL and GDPR require workforce training.
- Under certain circumstances, both the PIPL and GDPR require DPOs.
- Both the PIPL and GDPR require data protection impact assessments (DPIAs) in certain situations.
Comparing PIPL and GDPR: Differences
A few notable differences between the PIPL and GDPR include:
- The PIPL has no lawful basis of legitimate interests, which the GDPR recognizes.
- The PIPL uses some different terminology than the GDPR. GDPR “data subjects” are called “individuals” under the PIPL. GDPR “data controllers” are called “personal information handlers” under the PIPL. GDPR “data processors” are referred to as “entrusted parties” under the PIPL.
- The PIPL has a strong data localization requirement.
- The PIPL recognizes some types of sensitive data that the GDPR does not. For example, financial data is sensitive under the PIPL but not under the GDPR.
- The PIPL has a post-mortem right for personal data after death.
- The PIPL requires a representative in China for foreign data handlers.
- The PIPL has less stringent requirements for cross-border data transfer than the GDPR.
- Under the PIPL, data breach notification must be “immediate” without the GDPR’s specific 72-hour deadline.
- The PIPL prohibits personnel responsible for violations from holding high-level management or DPO positions.
- The PIPL has fines up to 5% of annual revenue. The GDPR has two tiers of fines, up to 2% and up to 4% of annual revenue. The GDPR looks to worldwide annual revenue; the PIPL is unclear about whether the fine is based on annual revenue in China or worldwide annual revenue.
* * * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy and data security training. He also posts at his blog at LinkedIn, which has more than 1 million followers.
Professor Solove is the organizer, along with Paul Schwartz, of the Privacy + Security Forum, an annual event designed for seasoned professionals.