Comparative Analysis of Two Personal Data Protection Frameworks
On August 20, 2021, the Standing Committee of China's National People's Congress enacted a new law protecting personal information. The law comes into effect on November 1, 2021.
This Act aims to align China's data protection standards with those of other countries and regions, such as the United States and the European Union.
Our analysis confirms that this law was largely inspired by the European Union's data protection standards in two respects:
- A philosophy centered on the protection of individuals and their right to privacy, grounded in constitutional protection.
- Similar features, such as the accountability of data processors, information and transparency obligations towards users, rights granted to individuals, and convenient means of exercising them.
Although the two systems are not identical, we found a clear alignment with the European standards.
NB: The analysis of the Chinese Law on Protection of personal information was made possible by use of a machine translated version of the text.
On August 20, 2021, a law establishing the protection of personal information, called the Personal Information Protection Law (the “PIPL”), was passed during a session of the Standing Committee of the Chinese Parliament (the National People's Congress).
Given the size and potential of the Chinese data market, the provisions that will apply to the collection, processing, and storage of personal information cannot be ignored.
To carry out this analysis, we thought it relevant to compare this new system with the provisions of the General Data Protection Regulation (the “GDPR”), in effect in the European Union since 2018.
This analysis will help us show that the Chinese lawmakers were largely inspired by the European framework when drafting the text. We’ll see that the general framework rests on a similar philosophy, implemented through similar general processing principles as well as comparable regimes of rights and obligations for individuals and data processors.
1. A General Framework Based on a Similar Philosophy
From the outset, it is clear that the Chinese lawmakers drafted the Act on a template similar to the one used for the GDPR. The Act follows a similar structure, with headings phrased almost identically to those of the GDPR.
The PIPL first sets out general provisions on the processing of personal information (Chapters 1 and 2), then rules on the cross-border provision of personal information (Chapter 3), and finally the respective rights and obligations of individuals and data processors (Chapters 4 and 5). In this paper we focus only on these chapters, as they contain most of the guarantees granted to individuals and most of the obligations imposed on data processors.
1.1 An overarching right to privacy
The first Articles in both texts reveal that a similar philosophy underlies the protection scheme defined in the legislation.
In its first recital, the GDPR states that the protection of natural persons in relation to the processing of personal data is a fundamental right, which is the foundation of all the guarantees granted in the text.
Articles 1 and 2 of the PIPL ground the protection of personal information at the legislative and constitutional level (Article 1 states that the law is enacted in accordance with the Constitution) without referring to fundamental rights as such. In our opinion these bases are nonetheless equivalent, since in the European legal order fundamental rights are protected at the constitutional or supra-constitutional level (Article 8 of the Charter of Fundamental Rights of the European Union guarantees the protection of personal data).
1.2 The protection extended by extraterritoriality
This common principle of protecting the right to privacy led both legislators to adopt an extensive protection of their citizens' personal information, and both therefore extended the territorial scope of their rules to processing that takes place outside their territory. The PIPL (Article 3) applies to processing carried out within China, and also to processing carried out outside China of the personal information of natural persons located in China, for instance in order to offer them products or services or to analyse their behaviour. The GDPR (Article 3) likewise applies to processing carried out in the context of an establishment in the European Union, wherever the processing itself takes place, and to processing of the personal data of persons located in the Union by controllers or processors established in third countries where it relates to offering them goods or services or to monitoring their behaviour.
Nevertheless, beyond these general concepts, one major principle is missing from the PIPL: there is no explicit principle of data protection by design and by default as provided by Article 25 of the GDPR. Article 25 requires controllers (the role that the PIPL's "personal information processor" most closely corresponds to) to implement appropriate technical and organisational measures from the design stage of a processing operation, so that safeguards protecting the rights of individuals are in place before processing begins.
Although the principle is not explicitly stated in the Act, the general principles and the balance of rights and obligations between individuals and data processors imply that a similar concept exists in the Chinese PIPL.
2. Analogue General Processing Provisions
Beyond this philosophical likeness, Articles 5 to 9 of the PIPL set out general provisions on the processing of personal information.
2.1 Lawfulness and transparency of the processing
Article 5 states that personal information must be processed in accordance with the principles of lawfulness, fairness, necessity, and good faith. Article 7 provides that processing must follow the principles of openness and transparency, and lists the obligations this imposes on processors, including the obligation to inform individuals of the purpose, methods and scope of processing.
Both Articles mirror GDPR Article 5-1-a, which requires that processing be lawful, fair and transparent, together with the transparency obligations set out in Article 12.
2.2 Data minimization and restriction of processing
Article 6 of the PIPL provides that processing must have a clear and reasonable purpose, be directly related to that purpose, and affect the rights and interests of individuals as little as possible. It also states that the collection of personal information must be limited to the minimum scope necessary to achieve the purpose of processing. Article 19 adds that the retention period shall be the shortest necessary to achieve that purpose. These Articles follow GDPR Articles 5-1-b, 5-1-c and 5-1-e, the sources of the principles of purpose limitation, data minimization and storage limitation.
Article 8 of the PIPL specifies that data processors must ensure the quality of personal information and prevent the adverse effects that inaccurate or incomplete data could have on individuals, which matches the principle of data accuracy in Article 5-1-d of the GDPR.
Finally, Article 9 establishes that data processors are responsible for their processing activities and must take the necessary measures to ensure the security of the personal information they process, which goes hand in hand with the principle of accountability set out in Article 5-2 of the GDPR.
The correlation between the general provisions on data processing shows an alignment of Chinese legislation with the European standards, which are deemed the most protective of the rights of individuals.
Beyond these general principles, we will also see that their implementation follows a similar framework, especially when studying in detail the regime of rights and obligations between data processors and individuals.
3. Equivalent Processing Regimes
3.1 Concordant cases of lawfulness of processing
Chapter 2 is the core of the whole Act, as it contains most of the obligations imposed on data processors and the corresponding rights granted to individuals in relation to the processing of their personal information.
Article 13 follows the logic of Article 6 of the GDPR by listing the cases in which processing of personal information is lawful. As the list below shows, a similar list has been enacted:
- Consent given by the individual
- Necessity for the conclusion or performance of a contract to which the individual is a party, or for human resources management under lawfully adopted labour rules and collective contracts
- Necessity for the performance of statutory duties or obligations
- Response to public health emergencies, or protection of the life, health or property of natural persons in an emergency
- News reporting, public opinion supervision and other activities in the public interest, within a reasonable scope
- Processing, within a reasonable scope, of personal information disclosed by the individual or otherwise lawfully disclosed
- Other circumstances provided for by laws and administrative regulations
The only GDPR basis with no counterpart is legitimate interests (GDPR Article 6-1-f). This restricts the way private operators can process personal information: outside the specific cases listed above, they can in practice rely only on consent or on the performance of a contract to lawfully process data.
3.2 A strict regime for consent
Regarding the regime for obtaining consent from individuals, we can also observe a degree of correlation between the GDPR and the PIPL.
Under the PIPL, consent is valid only if the individual gave it voluntarily and explicitly, with full knowledge of the facts (Article 14). Consent must be obtained again if the purpose or method of processing, or the type of information processed, changes. Individuals may also withdraw their consent at any time, and processors must provide convenient means for doing so. Finally, as under the GDPR, withdrawal of consent has no effect on processing carried out before the withdrawal (Article 15).
The PIPL also prevents processors from refusing to provide products or services to individuals solely because they refuse or withdraw consent, unless the processing is necessary for the provision of those products or services (Article 16).
Before obtaining consent, data processors must inform individuals, truthfully, accurately and completely, in clear and easily understood language, of the following (Article 17):
- Identity and contact information of the data processor
- Purpose of processing, processing methods, type of information processed and data retention period
- Process to exercise rights granted by data protection legislation
3.3 A specific attention to sensitive data
The two Acts take opposite approaches to sensitive data. The GDPR prohibits the processing of special categories of data unless one of the strictly limited conditions of Article 9 applies. The PIPL, by contrast, permits the processing of sensitive personal information as a rule, provided that the processor obtains the individual's separate consent (Article 29).
Nevertheless, both texts define sensitive data in comparable terms. The lists overlap (biometric data, religious beliefs, medical and health data), although each adds items the other does not: the PIPL includes location tracking, financial accounts and the personal information of minors under 14 (Article 28), while the GDPR includes racial or ethnic origin, political opinions and trade union membership (Article 9).
As under the GDPR, the processing of sensitive data is allowed only for a specific purpose and with sufficient necessity, and only if strict protective measures are in place (Article 28).
Unlike the GDPR, which lists several alternative conditions in Article 9, the PIPL appears to rely on separate consent as the sole basis for processing sensitive data. It is uncertain whether the other lawful bases of Article 13 can apply to sensitive data, which may cast doubt on the effectiveness of its protection.
Finally, data processors must inform individuals of the necessity of processing sensitive data and of its impact on their rights and interests (Article 30).
4. Matching Rights and Obligations
4.1 Extensive rights granted to the individuals
Chapter 4 of the PIPL is dedicated to the rights granted to individuals when dealing with data processors.
These rights can be listed as follows:
- Right to know about and decide on the processing, and to restrict or refuse it (Article 44)
- Right of access to the data and to obtain a copy of it, including a right to have it transferred to another designated processor (Article 45)
- Right to request the correction of inaccurate or incomplete data (Article 46)
- Right to request the deletion of data, under specific circumstances (Article 47)
- Obligation on processors to set up convenient procedures for individuals to exercise their rights (Article 50)
This list contains many rights similarly granted to individuals in Chapter III (Sections 3 and 4) of the GDPR, such as the rights to erasure, rectification, and restriction of processing.
4.2 Important safeguards from data processors
In the PIPL, the relationships between data processors are less detailed than in the GDPR. Article 20 nonetheless establishes joint accountability when two or more data processors jointly decide on the purposes and methods of processing. In this case, they must agree on their respective rights and obligations, and individuals may exercise their rights against any of them.
Regarding entrusted processing (sub-processing), Article 21 sets a restrictive framework: the agreement with the entrusted party must specify the purpose, duration and methods of processing, the types of information processed, the protective measures implemented, and the rights and obligations of both parties. In case of merger, division, dissolution or bankruptcy (Article 22), the processor must inform individuals of the identity and contact details of the recipient who takes over the original processor's obligations; if the recipient changes the purposes or methods of processing, it must obtain the individuals' consent again.
When a data processor provides personal information to another data processor (Article 23), it must obtain the individual's separate consent and inform the individual of the recipient's identity and contact details, as well as the purpose and methods of processing and the types of information processed.
Finally, the Act also provides a framework for the use of personal information in automated decision-making (Article 24). Whereas the GDPR (Article 22) gives individuals the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects, the PIPL requires processors to ensure that automated decision-making is transparent, fair and impartial, prohibits unreasonable differential treatment of individuals in transaction terms such as price, and gives individuals the right to an explanation and to refuse decisions made solely by automated means that significantly affect their rights and interests.
Chapter 5 adds to these obligations by requiring processors to take specific measures when dealing with personal information (Article 51):
- Formulate internal management systems and operating procedures
- Apply classified management of personal information
- Adopt security measures such as de-identification and encryption
- Formulate and implement emergency plans for security incidents
It is also mandatory, for processors handling personal information above a threshold set by the national cyberspace administration, to designate a person responsible for personal information protection (Article 52), a role comparable to the Data Protection Officer under the GDPR.
Data processors must also carry out regular compliance audits (Article 54) and prior impact assessments for certain processing, such as the processing of sensitive data, automated decision-making and cross-border transfers (Article 55). In the event of a data leak, they must take remedial measures immediately and notify the competent authorities and the individuals concerned (Article 57).
4.3 Cross-border transfer regulations
In our opinion, the GDPR opens more avenues for cross-border transfers to third countries, through mechanisms such as adequacy decisions, standard contractual clauses and binding corporate rules (Chapter V). The PIPL seems stricter: a processor wishing to transfer personal information abroad may only do so where genuinely necessary and after meeting one of the following conditions (Article 38):
- Passing a security assessment organised by the national cyberspace administration
- Obtaining personal information protection certification from a specialised institution
- Concluding a contract with the overseas recipient on the standard terms established by the national cyberspace administration
In addition, before the transfer the processor must inform individuals of the recipient's identity and contact details, the purpose and methods of processing, the types of information transferred and how to exercise their rights against the recipient, and must obtain their separate consent (Article 39). As noted above, any loss or leakage of the data must be reported to the authorities and to the individuals concerned.
In conclusion, the regime implemented by the Chinese legislator is largely inspired by the European framework, with a few differences. A complete analysis would obviously reveal further differences in the details, but most of the framework looks and feels similar, which leads us to foresee a positive alignment between the two markets.