Consumer Data Privacy: EU’s GDPR vs. China’s PIPL
Adopted Aug. 20, 2021, China’s Personal Information Protection Law (PIPL) is the first comprehensive framework for the protection of personal information in China. Among other things, it requires businesses to conduct impact assessments, honor data subjects’ requests for information, and follow measures for cross-border data transfers. It entered into effect Nov. 1, 2021. PIPL borrows many concepts from the European Union’s General Data Protection Regulation (GDPR), which became effective May 25, 2018. The following table provides an at-a-glance comparison of the key elements of each consumer data privacy law; it is not meant to provide a comprehensive overview of each law’s provisions.
[Download the full comparison chart as a PDF.]
What are the basics of the GDPR and PIPL?
| GDPR | PIPL | |
| Name | General Data Protection Regulation | Personal Information Protection Law |
| Citation | EU/2016/679 | PIPL |
| Jurisdiction | European Union | People’s Republic of China (PRC) |
| Model | Opt-in | Opt-in |
| Sector | Non-sectoral | Non-sectoral |
| Effective date | May 25, 2018 | Nov. 1, 2021 |
Whose data is protected by the GDPR and PIPL?
| GDPR | PIPL | |
| Statutory term | Data subject | Individuals |
| Defined as | Natural person in the EU | Natural persons within the borders of the PRC |
What types of data are protected by the GDPR and PIPL?
| GDPR | PIPL | |
| Statutory term | Personal data | Personal information |
| Defined as | Any information relating to an identified or identifiable natural person | All kinds of information, recorded by electronic or other means, related to identified or identifiable natural persons, not including information after anonymization handling |
| Definition excludes de-identified data | GDPR uses the term “pseudonymized,” rather than “de-identified.” According to Recital 26, personal data that has undergone pseudonymization – which could be attributed to a natural person by the use of additional information – should be considered personal data | PIPL’s definition doesn’t address de-identification or pseudonymization, but it specifically excludes anonymized information |
| Definition excludes publicly available info | No | No, but Art. 27 permits handlers to handle personal information that has already been disclosed by the individual or otherwise lawfully disclosed, except where the individual clearly refuses. If, however, the handling would significantly influence an individual’s rights and interests, the handler must obtain consent |
| Definition excludes aggregate info | Not specified, but Recital 162 indicates that the GDPR applies to the processing of personal data for statistical purposes | Not specified |
What types of data have heightened protections in the GDPR and PIPL?
| GDPR | PIPL | |
| Statutory term | Special categories | Sensitive personal information |
| Biometric data | Yes | Yes |
| Children’s data | No | Yes, under the age of 14 |
| Citizenship status | No | Unclear; PIPL refers to “specific identity” |
| Electronic communications | No | Not specified |
| Financial account info | No | Yes |
| Genetic data | Yes | Unclear; PIPL refers to “biometric characteristics” |
| Geolocation info | No | Yes |
| Government-issued ID | No | Unclear; PIPL refers to “specific identity” |
| Marital status | No | PIPL refers to “specific identity” |
| Mental health | Yes | PIPL refers to “medical health” |
| Physical health | Yes | Yes |
| Political opinion | Yes | Not specified |
| Race/ethnicity | Yes | Not specified |
| Religious beliefs | Yes | Yes |
| Sexual orientation | Yes | Not specified |
| Union membership | Yes | Unclear; PIPL refers to “specific identity” |
What types of data are exempt from the GDPR and PIPL?
| GDPR | PIPL | |
| B2B-related data | No | No |
| Common Rule-covered info | n/a | n/a |
| COPPA-related info | n/a | n/a |
| DPPA-covered info | n/a | n/a |
| Employment-related data | No | No |
| FCRA-covered info | n/a | n/a |
| FERPA-covered info | n/a | n/a |
| GLBA-covered data | n/a | n/a |
| HIPAA de-identified info | n/a | n/a |
| HIPAA-protected health info | n/a | n/a |
Who must comply with the GDPR and PIPL?
| GDPR | PIPL | |
| Private sector | Controller, processor | Personal information handler, entrusted persons |
| Jurisdictional threshold | Processes personal data in the context of activities of an “establishment” in the EU, or processes personal data of individuals in the EU related to the offering of goods and services to them or the monitoring of their behavior | PIPL applies to handling the personal information of natural persons within the borders of the PRC, and also when handling personal information outside the PRC’s borders if (1) providing products or services to natural persons inside the borders, (2) analyzing or assessing activities of natural persons inside the borders, or (3) laws or administrative regulations so provide |
| Revenue threshold | None | None |
| Processing threshold | None | None |
| Broker threshold | None | None |
Who is exempt from the GDPR and PIPL?
| GDPR | PIPL | |
| Public sector | EU/2018/1725 governs EU institutions; EU/2016/680 governs law enforcement | No; PIPL Arts. 33-37 address the handling of personal information by state authorities |
| Nonprofits | No | No |
| GLBA financial institutions | n/a | n/a |
| HIPAA-covered entities | n/a | n/a |
| HIPAA business associates | n/a | n/a |
| Higher education institutions | No | No |
What acts are covered by the GDPR and PIPL?
| GDPR | PIPL | |
| Processing | Any operation or set of operations that is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction | “Handling” includes personal information collection, storage, use, processing, transmission, provision, disclosure, deletion, etc. |
| Selling | Not specifically defined | PIPL Art. 10 prohibits the “illegal” selling of personal information |
| Dark patterns | Not specifically defined | Not specifically addressed, but PIPL prohibits handling personal information in misleading, swindling, coercive, or other such ways |
| Targeted advertising | Not specifically defined | Yes, per Art. 24 |
| Profiling | Any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements | Yes, per Art. 24 |
| Cross-border transfers | Yes, per Arts. 44-50 | Yes, per Arts. 38-43 |
What rights are granted to individuals by the GDPR and PIPL?
| GDPR | PIPL | |
| Notice | Yes | Yes, unless laws or administrative regulations stipulate otherwise |
| Access | Yes | Yes, but limited per Art. 45 |
| Correct | Yes | Yes, per Art. 46 |
| Object/opt-out | Yes, under Art. 21 | Yes, unless laws or administrative regulations stipulate otherwise |
| Withdraw consent | Yes, under Art. 7 | Yes. Art. 15 |
| Limit use | Yes, under Art. 18 | Yes, unless laws or administrative regulations stipulate otherwise |
| Delete/erasure | Yes | Yes, per Art. 47 |
| Data portability | Yes | Yes, but limited per Art. 45 |
| Free exercise of enumerated rights (nondiscrimination) | Art. 23 permits union or member state law to restrict by way of a legislative measure the scope of data subject rights under certain circumstances | Art. 16 prohibits nondiscrimination only regarding an individual’s refusal to grant consent or the withdrawal of consent |
| Private right of action | Yes, via Art. 79 | Yes, per Art. 50 |
| Other redress | Yes, via supervisory authority | People’s procuratorates, statutorily designated consumer organizations, and organizations designated by the state cybersecurity and informatization department, per Art. 70 |
What obligations are imposed on businesses by the GDPR and PIPL?
| GDPR | PIPL | |
| Be transparent | Yes | Yes |
| Specify purpose | Yes | Yes |
| Minimize data collection | Yes | Yes |
| Secure consent | Yes, to the extent it is used as the lawful basis for processing | Yes, to the extent it is used as the basis for handling personal information – Arts. 13, 14; separate consent required for additional uses – Art. 23 |
| Conduct assessment | Yes, when processing is likely to result in a high risk to the rights and freedoms of natural persons – Art. 35 | Yes, per Art. 55; moreover, when transferring personal information outside PRC’s borders, handlers may be required to pass a security assessment organized by the state cybersecurity and information department – Art. 38, Art. 40 |
| Keep records | Yes, per Art. 30 | Personal information protection impact assessment reports and handling status records shall be preserved for at least three years – Art. 56 |
| Contract with data processors | Yes, per Art. 28 | Yes, per Art. 21 |
| Appoint DPO | Yes, per Art. 37 | Yes, per Arts. 52-53 |
| Implement data security | Yes, per Art. 32 | Yes, per Art. 9 |
| Provide notice of breach | Yes, per Arts. 33-34 | Yes, per Art. 57 |
Who enforces the GDPR and PIPL?
| GDPR | PIPL | |
| Regulatory authority | EU supervisory authorities | State cybersecurity and informatization department, plus relevant state council departments – Art. 60 |
| Others | Data subjects, per Art. 79 | Any organization or individual, per Art. 65; and People’s procuratorates, statutorily designated consumer organizations, and organizations designated by the state cybersecurity and informatization department, per Art. 70 |
Do the GDPR and PIPL provide an opportunity to cure?
| GDPR | PIPL | |
| Opportunity to cure | No | Implied in Art. 66 |
| Cure period | n/a | Not specified |
What are the consequences for noncompliance with the GDPR and PIPL?
| GDPR | PIPL | |
| Noncompliance | Administrative fines up to €20 million or 4% of total worldwide annual turnover of the preceding financial year, whichever is higher | Order of correction, confiscation of unlawful income, or provisional suspension or termination. Where correction is refused, a fine of up to 1 million yuan (with directly responsible persons fined between 10,000 and 100,000 yuan). For grave offenses, a fine of not more than 50 million yuan, or 5% of annual revenue (with directly responsible persons fined between 100,000 and 1 million yuan) – Art. 66 |
[Download the full comparison chart as a PDF.]
Navigate international data privacy law compliance with confidence
Stay on top of the latest GDPR developments with expert analysis, comprehensive coverage, news, and practice tools from Bloomberg Law. Watch our latest on-demand In-House Forum to learn how to successfully manage data and privacy and find the right balance between oversight and keeping up with rapidly changing requirements.
Want to learn more about GDPR requirements? Download this comparison chart to understand key differences between the GDPR and state consumer data privacy laws in the U.S., or review our 10-step GDPR program compliance checklist and avoid costly penalties.
All of the most up-to-date GDPR resources are on Bloomberg Law. Request a demo to see it for yourself.