If Your Company Is GDPR Compliant, Are You Ready for China’s PIPL?

China’s first dedicated law on personal data protection comes into effect this month. Sidley counsel Jing Lu looks at how the new Personal Information Protection Law (PIPL) differs from Europe’s General Data Protection Regulation (GDPR).

The PIPL, which became law on 1 November 2021, has implications for all companies that process personal data during their operations in China. Life sciences companies should therefore review their practices to ensure they are collecting and using the personal data of HCPs, patients and employees in China in accordance with the PIPL, particularly in relation to the rules on the cross-border transfer of personal data.

As an overarching law on data privacy, the PIPL has many similarities to the EU’s GDPR. Therefore, if a company is already GDPR compliant, its data privacy compliance system will essentially be able to function in China. However, there are some significant differences between the PIPL and the GDPR, and local measures in China will need to be taken in order to comply with them.

The first difference centres around data localisation. Under the PIPL, a controller of large-scale personal data or a critical information infrastructure operator is required to store personal data within China. Any cross-border transfer of these data will be subject to a security assessment by the Cyberspace Administration of China (CAC). Other data controllers may carry out a cross-border transfer by relying on one of a number of legitimate approaches recognised under the PIPL. These include entering into a standard contract with overseas data recipients, using a CAC template.

The PIPL also contains the unique concept of the stand-alone consent of data subjects. A controller will be required to obtain stand-alone consent in circumstances that include the processing of sensitive personal data and the cross-border transfer of personal data. The PIPL does not define what ‘stand-alone consent’ entails. However, it is believed that such consent will generally be obtained through a distinct affirmative action by data subjects, for example a separate signature or clicking a separate checkbox.

Other noteworthy differences are that the GDPR’s ‘right to be forgotten’ is not provided for under the PIPL and that, unlike the GDPR, the PIPL does not set forth a specific timeline for a controller to notify a data breach to a government authority. Also, the PIPL requires a controller to conduct a data protection impact assessment in some situations where this is not required by the GDPR. These include the cross-border transfer of personal data, the contracting of a third-party data processor, the provision of personal data to another controller, and the making of personal data publicly available.

This post is as of the posting date stated above. Sidley Austin LLP assumes no duty to update this post or post about any subsequent developments having a bearing on this post.