The PIPL is often likened to the GDPR, as the China-government equivalent of EU regulation. This article highlights some key similarities and differences between the two documents. 

This guide is for informational purposes only, and does not constitute professional legal advice. Consult independent legal advice for information specific to your circumstances. Chinafy is not liable to you in any way for your use of or reliance on this information. 

Key Similarities between the PIPL & the GDPR

Both relate to the collection, storage, use, processing, transmission, provision, public disclosure, deletion and any operation which is performed on personal information. 

Both are extraterritorial and thus applies for offshore controllers

Both require Data Protection Impact Assessments in certain situations

Both have a data breach notification requirement

Both define personal data as involving identifiable & identified natural persons

Both consider special protections for sensitive data¹

Both include the following rights:

Right to access

Right to correction and or rectification

Right to information 

Right to withdraw consent

Right to data portability²

Right to object and restrict the processing of an individual's data

Right to erasure

Key Differences between the PIPL & the GDPR

Unlike the GDPR and other jurisdictions, the PIPL does not distinguish between business and personal data. Therefore identifiable business contact information that is collected (e.g. contact person’s name) will fall into the parameters of the 

personal information definition under Chinese law.

Unlike the GDPR, the PIPL does not provide “legitimate interests” as a lawful basis to process personal information. See section on Legal Basis for the grounds covered.

PIPL requires additional separate consent for processing activities if a processing entity i) shares personal information with other processing entities; (ii) discloses personal information publicly; (iii) processes sensitive personal information; or (iv) transfers personal information overseas.

Unlike the GDPR, the PIPL lacks precise GDPR language addressing personal information rights, including exemptions or where certain restrictions may apply.

Naming Convention: GDPR’s “Controller” & the PIPL’s “Personal Information Processor” The GDPR’s definition of “controller” is akin to the PIPL’s “Personal Information Processor (PIP)” defined as an individual or organisation that determines the purposes and means of the processing of personal information in relation to personal information processing activities.

References

Sensitive Data is defined similarly between both regulations. However, the PIPL's definition is broader when it comes to defining sensitive data. China's PIPL defines personal information as data which can identify a person, but Article 4 specifically makes an exception for anonymised information. For examples, please visit this article.

PIPL states that this is subject to certain conditions. For more information, please This Overview on the PIPL.