China’s first comprehensive online data and personal information regulation, the Personal Information Privacy Law (PIPL), went into effect on November 1, 2021. The PIPL is enforced and administered by the Cyberspace Administration of China (CAC) together with state and local government departments. Although on the surface PIPL adopted much of its language and many of its concepts from the GDPR, the special characteristics of its administrative agency, the CAC, and the only official investigation and fine it has announced suggest that PIPL might be enforced more strictly than GDPR; thus compliance with PIPL might not provide as much protection against CAC investigation.
PIPL vs. GDPR
Similar to the European Union’s General Data Protection Regulation (GDPR), the law has extraterritorial jurisdiction, meaning that it arguably covers any entity that processes personal information of individuals in China, not only personal information of Chinese citizens (PIPL Article 3). Personal Information Handlers under PIPL have obligations similar to those of Data Controllers under GDPR, including providing notice to individuals when collecting personal data, notifying individuals when data is transferred to another processor, and conducting and retaining personal information protection impact assessments. However, unlike GDPR, PIPL requires foreign personal information processors to retain a dedicated entity or appointed individual representative responsible for managing personal information within China. Although the individual does not have to be employed by or affiliated with the corporation, the CAC has not published any further instructions on obtaining such a representative.
Under PIPL, individuals have largely the same rights as under GDPR, including the rights to know how their data is handled, to withdraw consent, to be free from discrimination after withdrawing consent, to correct their data, to delete their data, and to request copies of their data (PIPL Articles 15-17, 24, 44-47). However, PIPL does not outline the specific process by which companies must respond to individuals’ requests. PIPL indicates seven legal bases for processing personal information: personal consent, necessity for the execution of a contract or for human resources management, necessity to perform legal duties or legal obligations, legitimate public interest, personal information that has already been legally disclosed, and other circumstances stipulated by laws or administrative regulations (PIPL Article 13). These legal bases are similar to those required by GDPR. However, PIPL also specifically grants a basis for processing personal information for news reporting, within reasonable grounds. Since the regulation is still new and there are not many cases related to PIPL, it remains to be seen how the individual rights and legal bases will be enforced in the future.
Both PIPL and GDPR place restrictions on international data transfers. In addition to the requirement to provide notice of the transfer to, and obtain consent from, the relevant individual, PIPL requires an ex-ante impact assessment of personal data protection and a record of the processing circumstances. Processors must also satisfy one of the following conditions: pass a security assessment organized by the CAC, obtain a certification issued by an organization authorized by the CAC, sign a cross-border data transfer agreement with the overseas data recipient according to the standard contract formulated by the CAC, or use another mechanism provided by other laws or regulations (PIPL Chapter III). Compared to GDPR, PIPL places a higher bar on cross-border transfers and affords the CAC and the Chinese government more control over personal information.
Cyberspace Administration of China
The CAC administers and enforces the PIPL. The CAC was established as part of the Chinese government’s effort to combine party and state institutions. It is this intertwined party-state identity of the CAC that makes enforcement of PIPL, and the CAC's accountability, more uncertain. Professor Jamie Horsley, a senior fellow at the Paul Tsai China Center and formerly executive director of the Yale China Law Center, notes that “The CAC undertakes rulemaking and administrative licensing and punishment activities, generally in compliance with legally mandated procedures governing administrative agencies. It represents China in international cyber-related activities. However, it lacks many formal attributes of an administrative agency in the Chinese system, including institutional transparency and accountability.” Even though merged party-state entities should generally be treated as administrative agencies when performing state functions, it remains unclear where the boundary between state and party functions lies. Another alarming aspect of the CAC that arises from its joint party-state character is the lack of a remedy for challenging the CAC's conduct. Thus far, the only way to challenge the CAC is by filing complaints or writing to the Director’s mailbox; both options are notoriously futile and might even lead to secret arrest if the Chinese government deems the complaints too adamant. It is also unclear whether the CAC can be sued as an administrative agency. At least at present, the CAC appears to have unchecked power under its dual party and state character.
Application of the Law
As of now, the only decision the CAC has published enforcing the PIPL is the $1.2 billion fine on DiDi, the Chinese counterpart of Uber. The decision was released on July 21, 2021, twenty days after the CAC announced that DiDi would face review. The CAC found DiDi’s behavior in violation of the Cybersecurity Law, the Data Security Law, and the PIPL. Citing the grave circumstances, conclusive evidence, and despicable character of the conduct, the CAC fined DiDi $1.2 billion, and its Chairperson and CEO Cheng Wei and President Liu Qing around $138k each. The CAC did not give a clear explanation of the basis for this fine.
Mingli Shi, the Tech Exchange Fellow with the Ford Foundation and Media Democracy Fund, notes that the case was staged as a cybersecurity case but the decision is based on privacy violations. When asked about the illegal activities DiDi had engaged in, the CAC stated that DiDi had illegally collected screenshot information from mobile phones, user clipboard contents and application lists, passenger facial recognition information, familial information, home and work addresses, and other personal information. The CAC added that DiDi had also illegally analyzed billions of pieces of passenger trip information, residence information, and other personal information without authorization. However, the CAC did not mention any cybersecurity concern as a basis for the fine. In addition, during a press conference, the CAC stated that this is no ordinary administrative punishment: “The administrative punishment of DiDi relevant to this cybersecurity review is special and different from regular administrative punishment.” Professor Horsley acknowledges that this statement seems to suggest that there might be punishments other than fines for future violations of the PIPL. The calculation of the fines was not announced either. Shi explains that penalties for violation of PIPL are calculated under the 5% annual turnover clause, whereas the penalties under the Cybersecurity Law and Data Security Law are significantly lower; therefore, the amount of the fine seems to further support that the punishment is for violation of PIPL, not of the Cybersecurity Law. Another concern revealed by this decision is that the law was applied retroactively: DiDi’s actions were all conducted before the enactment of the PIPL. Given the vagueness of the decision and the ambiguous explanation given by the CAC, it remains unclear how the law will be applied in the future, but Shi predicted that it would be easy for the CAC to make a similar decision with this precedent.
This fine appears to be a signal from the CAC that the PIPL will be enforced strictly and could bring serious consequences for technology companies that had long been operating freely in China.
In conclusion, the PIPL is in many respects similar to the GDPR, but it is unclear how the CAC will apply it in the future, given the party-state character of the CAC and the unexplained, severe punishment it administered to DiDi.