Demystifying China's Personal Information Protection Law: PIPL vs. GDPR

Andrea Tang
Author: Andrea Tang, FIP, CIPP/E, CIPM, ISO27001LA
Date published: 3 June 2022

On 20 August 2021, the National People’s Congress (NPC) passed the final version of the Personal Information Protection Law of the People’s Republic of China (PIPL), a comprehensive privacy law that covers multiple facets of personal information protection.

The PIPL took effect on 1 November 2021. It is applicable not only within the territory of the People’s Republic of China but also beyond its borders. It has provisions for extraterritorial application under any of the following circumstances:

  • Providing products or services to people within the territory of China.
  • Analyzing or evaluating the behaviors of people within the territory of China.
  • Any other circumstance as provided by any law or administrative regulation.

Part 1: PIPL vs. GDPR

The PIPL parallels the EU General Data Protection Regulation (GDPR) in various aspects, but diverges in the details. Below are the 15 key points of comparison of China’s PIPL relative to the EU’s GDPR.

Principles of Personal Information Processing

  1. Significant differences in the legal bases for processing. Both laws require a similar legal basis for processing personal information (PI); however, the PIPL adds human resources management and disclosed information as legal bases for processing, while omitting legitimate interests. Rather than the explicit consent required by the GDPR, the PIPL requires obtaining individuals’ separate consent in five specific PI processing scenarios.
  2. Sets stricter notification rules. Internet companies are advised to notify mobile application users with dual lists that fully protect their right to know.
  3. Imposes specific rules for processing sensitive PI and disclosed PI. The PIPL is similar to the GDPR in its principles of PI processing, but the PIPL sets specific rules for processing sensitive PI and disclosed PI.
  4. Imposes obligations on important platform service providers. Under the PIPL, a PI processor that is deemed an important platform service provider (i.e., a gatekeeper) is subject to specific obligations.
  5. Highlights the prohibition on unreasonable differential treatment of individuals in trading conditions, such as trade prices. Without the automated decision-making exemptions defined in the GDPR, the PIPL highlights that PI processors may not label individuals’ trade prices, other trade conditions and user behavior data in order to establish an internal decision-making mechanism that could, by analyzing such labels, result in unreasonable differential treatment of individuals regarding service prices and service quality.

Compliance Obligations of PI Processors

  1. Extends individual rights to deceased natural persons. The PIPL expands the scope of data subjects’ rights to deceased people by providing the close relatives of the deceased with rights regarding the processing of the PI of the deceased, e.g., to consult, copy, correct and delete.
  2. Requires assessment of the impact on personal information protection under broader scenarios. Two triggers of an impact assessment under the PIPL, processing sensitive PI and automated decision making, are like those in the GDPR. However, the PIPL has additional triggers, e.g., cross-border transfer of PI and provision of PI to third parties.
  3. Lack of practical know-how; uncertainties and ambiguities still exist. At the time of writing, there is no clarification on the following issues: what is the threshold for appointing a person in charge of PI protection for organizations within and outside China respectively, and what are the requirements relating to that person’s qualifications, location, tasks and safeguards; and what is the response time restriction for PI incident notification? In addition, there are no official guidelines to solidify organizations’ understanding of cross-border data transfer, i.e., what constitutes a transfer under the laws and regulations of China, and how to calculate the size of datasets that will trigger government assessment.
  4. Lacks privacy by design. Although both laws require PI processors to adopt corresponding technical security measures, the PIPL lacks the GDPR’s provisions for data protection by design and by default. Instead, this requirement is mandated by national standards.

Cross-Border Data Transfer Requirements

  1. Significant differences in rules for critical information infrastructure operators (CIIOs) and other PI processors. The rules depend on what type of organization is transferring PI overseas, i.e., whether it is deemed a CIIO and whether it belongs to certain industries, as well as on the status of the organization, such as the volume of PI or sensitive PI it processes.
  2. Stricter data localization requirements. Once an organization is deemed a CIIO, or is another PI processor to which the rule applies, it must store PI in China and may only transfer PI abroad with the approval of the National Cyberspace Department.
  3. Fewer transfer mechanisms available. Both laws require a transfer mechanism for organizations transferring PI beyond the borders of the People’s Republic of China, but the PIPL provides fewer transfer mechanisms.

Enforcement

  1. No independent enforcement agency. Similar to the GDPR, Chinese regulators are assigned rulemaking authority and fining authority. However, China does not yet have an independent enforcement agency.
  2. Establishes criminal penalties and strengthens individual liability. For example, a violator who illegally sells or otherwise illegally provides PI to third parties may be held criminally liable, and the person directly in charge may be fined.
  3. 强化私人诉权. The burden of proof is shifted to the PI processor in proving that there is no misconduct. The PIPL also enables a public interest class-action legal action where a PI processor contravenes the PIPL and infringes upon the rights and interests of many individuals.

Part 2: Operational Guide to Cross-Border Data Transfer

It is suggested that a PI processor outside the territory of the People’s Republic of China take the following five steps.

Step 1. Identify the type of PI processor.
Step 2. Determine whether a government assessment is required.
Step 3. Determine whether a cybersecurity review is required.
Step 4. Determine whether an exception applies.
Step 5. Select a transfer mechanism.

Figure 1 shows the step-by-step procedures for the transfer of PI across the borders of China, and Figure 2 shows the step-by-step assessment procedures required for cross-border data transfer approvals.

Figure 1: Step-by-Step Procedures for Cross-Border Transfer of Personal Information

Figure 2: Security Assessment Procedures for Cross-Border Data Transfer

Editor’s note: For further insights on this topic, download ISACA®’s new publication, “An Interpretation of China’s Personal Information Protection Law.”
