China has taken another step toward data protection with the release of the second draft revision of the Personal Information Protection Law (PIPL). Although this draft is not the final law, personal data protection legislation appears to have entered its final stages, and it is believed that the PIPL will soon be formally enacted.
It is not difficult to see that the draft PIPL is becoming increasingly similar to the EU’s General Data Protection Regulation (GDPR). For example, personal data processors will be allowed to transfer personal data abroad if they obtain a personal data protection certification or enter into a standard contract with the data recipient abroad. This is similar to the standard contractual clauses under the GDPR.
Nevertheless, foreign companies need to be aware that the PIPL also differs from the GDPR. For example, Critical Information Infrastructure Operators (CIIOs) and processors that process personal data beyond a certain amount must conduct a security assessment before they are allowed to transfer such data abroad.
Since the Security Assessment Regulation has not yet been formally implemented, the specific content of the cross-border transfer security assessment provisions is not yet known. Therefore, foreign companies in particular should keep an eye on the progress of the PIPL and related regulations.
In addition, there are other aspects of the PIPL that deviate from the provisions of the GDPR. This means that in the future, a GDPR level of data security alone will not be enough in China. Foreign companies should be aware of the risks in good time and prepare for the formal entry into force of the law.