Chinese GDPR: a first for the country
In the middle of August, China adopted a major law on the protection of online privacy, the Personal Information Protection Law (or PIPL, adopted on August 20, 2021), which will come into force on November 1, 2021.
Has the People's Republic of China suddenly become a great state protecting individuals? On a first reading of the major law on the protection of online privacy, the Personal Information Protection Law (or PIPL, adopted on August 20, 2021), which will come into force on November 1, 2021, one might think so.
Most of the principles of the GDPR are found in the PIPL, starting with the conditions of lawfulness, fairness and transparency in the collection and processing of personal data, and the rights of access, copy, rectification, erasure, etc. of data. Sensitive data (biometric, religious, medical, health or even concerning minors under the age of 14, etc.) benefit from enhanced protection. The objective here is to put an end to certain common practices in China, for example algorithmic discrimination, which makes it possible to adapt the price of products or services sold online to certain data concerning the consumer, such as their internet history or geographic location.
The PIPL, like the GDPR, also applies extraterritorially. It covers all processing of personal data on the territory of the People's Republic of China, but also all processing which, from abroad, makes it possible "to provide products or services to natural persons" in China or "to analyze and evaluate the behavior of Chinese citizens." The text provides for the obligation to have representation in China, either a dedicated office or a designated representative, to ensure the application of the law. This is the equivalent of the EU representative provided for by the GDPR.