China’s PIPL and DSL: Is China following the EU’s approach to data protection?

Abstract

On 20th August, 2021, China, a market with over one billion consumers, passed the Personal Information Protection Law (PIPL), effective as of 1st November, 2021. The PIPL aims to provide individuals with comprehensive sets of data protection rights and will unquestionably impact how businesses ensure compliance in the upcoming years. Not surprisingly, like many other jurisdictions, the PIPL resembles the General Data Protection Regulation (GDPR) to a great extent, but it also diverges from the GDPR in many regards. Therefore, many companies, having already built a GDPRcompliant program, still face the challenge of demonstrating compliance with the PIPL. Also noteworthy is the recently enacted Data Security Law (DSL), a unique law (if not the only one) around the world targeting data security individually. The DSL not only supplements the PIPL, but also has a distinctive aim regarding national security, which exposes companies to obligations beyond those imposed by the PIPL. Furthermore, there is no denying that there are still some ambiguous parts of the PIPL and the DSL. However, China is enacting other laws, industry-specific regulations, guidelines and standards to complement the application of the two laws, which are also worth attention. This paper discusses the material differences between the GDPR and the PIPL (as well as the DSL when applicable) and creates a roadmap to achieve compliance with the PIPL and the DSL.