From 1 November, the People's Republic of China will introduce its first comprehensive data protection law. The Personal Information Protection Law (PIPL) will then apply to all companies operating in China – being an important trading partner and market, also for UK companies. The law adopts some of the principles of the European and UK GDPR. A brief overview of what needs to be considered now.
PIPL vs. DSGVO: the similarities
The PIPL is intended to minimise data misuse by large tech and internet companies in China. It focusses primarily on one important aspect that should sound familiar for those who understand the GDPR: the explicit consent of data subjects to the processing of their data. According to PIPL, companies who process personal data in China will have to obtain consent, among other things, if they want to collect, store or process personal data. In this context, companies must inform data subjects about the purpose and methods of their data collection.
PIPL vs. GDPR: the differences
There are already clear gaps in the PIPL: for example, essential data subject rights such as the right to erasure are completely missing. Here, further alignment with the UK law would be desirable. Just like the GDPR, the scope of application of the PIPL does not cover state bodies – with the difference that the Chinese law lacks a reference to the powers of these bodies (as in Article 2, UK GDPR).
Do I need to take action?
Find out what the new law specifically means for you. For example, the PIPL refers in particular to advertising and tracking – industrial groups that merely purchase raw materials from China are therefore less affected than app and software developers or platform operators. As far as implementation is concerned, you will probably already be familiar with some things from the last 2-3 years of GDPR. Use your experience and measures already taken to guarantee a most efficient and effective implementation.
In summary, the following can be said about the PIPL: In principle, no matter what the motivation, any form of data protection is welcome and every step in this direction is a good one – however, a more far-reaching protection would be desirable for the future, which would not only hold companies but all data-collecting bodies equally accountable.