Consumer Data Privacy: EU’s GDPR vs. China’s PIPL

Adopted Aug. 20, 2021, China’s Personal Information Protection Law (PIPL) is the first comprehensive framework for the protection of personal information in China. Among other things, it requires businesses to conduct impact assessments, honor data subjects’ requests for information, and follow measures for cross-border data transfers. It entered into effect Nov. 1, 2021. PIPL borrows many concepts from the European Union’s General Data Protection Regulation (GDPR), which became effective May 25, 2018. The following table provides an at-a-glance comparison of the key elements of each consumer data privacy law; it is not meant to provide a comprehensive overview of each law’s provisions.


What are the basics of the GDPR and PIPL?

| | GDPR | PIPL |
| --- | --- | --- |
| Name | General Data Protection Regulation | Personal Information Protection Law |
| Citation | EU/2016/679 | PIPL |
| Jurisdiction | European Union | People’s Republic of China (PRC) |
| Model | Opt-in | Opt-in |
| Sector | Non-sectoral | Non-sectoral |
| Effective date | May 25, 2018 | Nov. 1, 2021 |

Whose data is protected by the GDPR and PIPL?

| | GDPR | PIPL |
| --- | --- | --- |
| Statutory term | Data subject | Individuals |
| Defined as | Natural person in the EU | Natural persons within the borders of the PRC |

What types of data are protected by the GDPR and PIPL?

| | GDPR | PIPL |
| --- | --- | --- |
| Statutory term | Personal data | Personal information |
| Defined as | Any information relating to an identified or identifiable natural person | All kinds of information, recorded by electronic or other means, related to identified or identifiable natural persons, not including information after anonymization handling |
| Definition excludes de-identified data | GDPR uses the term “pseudonymized,” rather than “de-identified.” According to Recital 26, personal data that has undergone pseudonymization – which could be attributed to a natural person by the use of additional information – should be considered personal data | PIPL’s definition doesn’t address de-identification or pseudonymization, but it specifically excludes anonymized information |
| Definition excludes publicly available info | No | No, but Art. 27 permits handlers to handle personal information that has already been disclosed by the individual or otherwise lawfully disclosed, except where the individual clearly refuses. If, however, the handling would significantly influence an individual’s rights and interests, the handler must obtain consent |
| Definition excludes aggregate info | Not specified, but Recital 162 indicates that the GDPR applies to the processing of personal data for statistical purposes | Not specified |

What types of data have heightened protections in the GDPR and PIPL?

| | GDPR | PIPL |
| --- | --- | --- |
| Statutory term | Special categories | Sensitive personal information |
| Biometric data | Yes | Yes |
| Children’s data | No | Yes, under the age of 14 |
| Citizenship status | No | Unclear; PIPL refers to “specific identity” |
| Electronic communications | No | Not specified |
| Financial account info | No | Yes |
| Genetic data | Yes | Unclear; PIPL refers to “biometric characteristics” |
| Geolocation info | No | Yes |
| Government-issued ID | No | Unclear; PIPL refers to “specific identity” |
| Marital status | No | PIPL refers to “specific identity” |
| Mental health | Yes | PIPL refers to “medical health” |
| Physical health | Yes | Yes |
| Political opinion | Yes | Not specified |
| Race/ethnicity | Yes | Not specified |
| Religious beliefs | Yes | Yes |
| Sexual orientation | Yes | Not specified |
| Union membership | Yes | Unclear; PIPL refers to “specific identity” |

What types of data are exempt from the GDPR and PIPL?

| | GDPR | PIPL |
| --- | --- | --- |
| B2B-related data | No | No |
| Common Rule-covered info | n/a | n/a |
| COPPA-related info | n/a | n/a |
| DPPA-covered info | n/a | n/a |
| Employment-related data | No | No |
| FCRA-covered info | n/a | n/a |
| FERPA-covered info | n/a | n/a |
| GLBA-covered data | n/a | n/a |
| HIPAA de-identified info | n/a | n/a |
| HIPAA-protected health info | n/a | n/a |

Who must comply with the GDPR and PIPL?

| | GDPR | PIPL |
| --- | --- | --- |
| Private sector | Controller, processor | Personal information handler, entrusted persons |
| Jurisdictional threshold | Processes personal data in the context of activities of an “establishment” in the EU, or processes personal data of individuals in the EU related to the offering of goods and services to them or the monitoring of their behavior | PIPL applies to handling the personal information of natural persons within the borders of the PRC, and also when handling personal information outside the PRC’s borders if (1) providing products or services to natural persons inside the borders, (2) analyzing or assessing activities of natural persons inside the borders, or (3) laws or administrative regulations so provide |
| Revenue threshold | None | None |
| Processing threshold | None | None |
| Broker threshold | None | None |

Who is exempt from the GDPR and PIPL?

| | GDPR | PIPL |
| --- | --- | --- |
| Public sector | EU/2018/1725 governs EU institutions; EU/2016/680 governs law enforcement | No; PIPL Arts. 33-37 address the handling of personal information by state authorities |
| Nonprofits | No | No |
| GLBA financial institutions | n/a | n/a |
| HIPAA-covered entities | n/a | n/a |
| HIPAA business associates | n/a | n/a |
| Higher education institutions | No | No |

What acts are covered by the GDPR and PIPL?

| | GDPR | PIPL |
| --- | --- | --- |
| Processing | Any operation or set of operations that is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction | “Handling” includes personal information collection, storage, use, processing, transmission, provision, disclosure, deletion, etc. |
| Selling | Not specifically defined | PIPL Art. 10 prohibits the “illegal” selling of personal information |
| Dark patterns | Not specifically defined | Not specifically addressed, but PIPL prohibits handling personal information in misleading, swindling, coercive, or other such ways |
| Targeted advertising | Not specifically defined | Yes, per Art. 24 |
| Profiling | Any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements | Yes, per Art. 24 |
| Cross-border transfers | Yes, per Arts. 44-50 | Yes, per Arts. 38-43 |

What rights are granted to individuals by the GDPR and PIPL?

| | GDPR | PIPL |
| --- | --- | --- |
| Notice | Yes | Yes, unless laws or administrative regulations stipulate otherwise |
| Access | Yes | Yes, but limited per Art. 45 |
| Correct | Yes | Yes, per Art. 46 |
| Object/opt-out | Yes, under Art. 21 | Yes, unless laws or administrative regulations stipulate otherwise |
| Withdraw consent | Yes, under Art. 7 | Yes, per Art. 15 |
| Limit use | Yes, under Art. 18 | Yes, unless laws or administrative regulations stipulate otherwise |
| Delete/erasure | Yes | Yes, per Art. 47 |
| Data portability | Yes | Yes, but limited per Art. 45 |
| Free exercise of enumerated rights (nondiscrimination) | Art. 23 permits union or member state law to restrict by way of a legislative measure the scope of data subject rights under certain circumstances | Art. 16 prohibits discrimination only regarding an individual’s refusal to grant consent or the withdrawal of consent |
| Private right of action | Yes, via Art. 79 | Yes, per Art. 50 |
| Other redress | Yes, via supervisory authority | People’s procuratorates, statutorily designated consumer organizations, and organizations designated by the state cybersecurity and informatization department, per Art. 70 |

What obligations are imposed on businesses by the GDPR and PIPL?

| | GDPR | PIPL |
| --- | --- | --- |
| Be transparent | Yes | Yes |
| Specify purpose | Yes | Yes |
| Minimize data collection | Yes | Yes |
| Secure consent | Yes, to the extent it is used as the lawful basis for processing | Yes, to the extent it is used as the basis for handling personal information – Arts. 13, 14; separate consent required for additional uses – Art. 23 |
| Conduct assessment | Yes, when processing is likely to result in a high risk to the rights and freedoms of natural persons – Art. 35 | Yes, per Art. 55; moreover, when transferring personal information outside PRC’s borders, handlers may be required to pass a security assessment organized by the state cybersecurity and informatization department – Art. 38, Art. 40 |
| Keep records | Yes, per Art. 30 | Personal information protection impact assessment reports and handling status records shall be preserved for at least three years – Art. 56 |
| Contract with data processors | Yes, per Art. 28 | Yes, per Art. 21 |
| Appoint DPO | Yes, per Art. 37 | Yes, per Arts. 52-53 |
| Implement data security | Yes, per Art. 32 | Yes, per Art. 9 |
| Provide notice of breach | Yes, per Arts. 33-34 | Yes, per Art. 57 |

Who enforces the GDPR and PIPL?

| | GDPR | PIPL |
| --- | --- | --- |
| Regulatory authority | EU supervisory authorities | State cybersecurity and informatization department, plus relevant state council departments – Art. 60 |
| Others | Data subjects, per Art. 79 | Any organization or individual, per Art. 65; and People’s procuratorates, statutorily designated consumer organizations, and organizations designated by the state cybersecurity and informatization department, per Art. 70 |

Do the GDPR and PIPL provide an opportunity to cure?

| | GDPR | PIPL |
| --- | --- | --- |
| Opportunity to cure | No | Implied in Art. 66 |
| Cure period | n/a | Not specified |

What are the consequences for noncompliance with the GDPR and PIPL?

| | GDPR | PIPL |
| --- | --- | --- |
| Noncompliance | Administrative fines up to €20 million or 4% of total worldwide annual turnover of the preceding financial year, whichever is higher | Order of correction, confiscation of unlawful income, or provisional suspension or termination. Where correction is refused, a fine of up to 1 million yuan (with directly responsible persons fined between 10,000 and 100,000 yuan). For grave offenses, a fine of not more than 50 million yuan, or 5% of annual revenue (with directly responsible persons fined between 100,000 and 1 million yuan) – Art. 66 |
