GDPR vs. China’s Data Protection Legal Framework – Part I

Abstract

Key Similarities

The EU’s General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”) and China’s Personal Information Protection Law (“PIPL”) share foundational principles. Both require that data processing be lawful, fair, and transparent, and uphold similar obligations around purpose limitation, data minimization, accuracy, and storage limits. Core concepts like “personal data” and “data subject” are aligned, and both frameworks impose stricter rules for sensitive data. Individuals are granted rights such as access, correction, and erasure, while organizations must ensure accountability through impact assessments and breach notifications.

Key Differences

Despite these parallels, the two systems differ in philosophy and implementation:

1. GDPR is rights-focused, prioritizing individual privacy. PIPL is state-centric, balancing individual rights with national security and public interest.

Xiaoqi Guo – legal trainee

Jingyong Zheng – legal trainee

NEWSLETTER
www.drp-legal.com

2. Unlike the GDPR, PIPL does not permit processing based on “legitimate interests.” It relies heavily on consent, requiring “separate consent” for sensitive data, automated decisions, and cross-border transfers.

3. PIPL introduces categories like “Important Data” and “Core Data” subject to strict controls. It also defines sensitive data more broadly and includes all data of minors under 14 as sensitive.

4. PIPL requires data localization for Critical Information Infrastructure Operators (“CIIOs”) and certain high-volume processors, conflicting with the GDPR’s support for free data flow within the EU.

5. PIPL enforcement is led by the Cyberspace Administration of China (“CAC”) and may involve multiple agencies such as the Ministry of Industry and Information Technology (MIIT) and the Public Security Ministry (MPS). Penalties can reach 5% of annual turnover and include personal liability, exceeding GDPR’s 4% cap.

EU-to-China Data Transfers: Compliance Challenges

1. GDPR compliance alone is insufficient. Companies must also meet PIPL’s requirements, which often conflict with EU standards.

2. Without an EU adequacy decision for China, data transfers must rely on GDPR’s Standard Contractual Clauses (SCCs) and require a Transfer Impact Assessment (TIA). This is complicated by China’s expansive government access laws, which conflict with GDPR standards under Schrems II.

3. In addition to EU mechanisms, companies must comply with one of China’s approved transfer routes—CAC-led security assessment, China-specific SCCs, or formal certification.

I. Overview

The GDPR is a rights-based instrument designed to empower individuals, while China’s legal framework adopts a state-centric model, deliberately balancing individual rights with the pressing demands of national security and social stability (under the overarching principle: national security > societal interests > individual rights).

II. Comparison

(1) Key Definitions

1. Personal Data vs. Personal Information[1]

  • Common: Both frameworks broadly define personal data as information relating to an identified or identifiable natural person.
  • Difference: While the GDPR uses a concise definition, China’s laws provide illustrative examples, such as names, ID numbers, and biometric data. The PIPL also explicitly excludes anonymized information from the scope of personal information.

2. Sensitive Personal Data[2]

  • Common: Both recognize that certain types of data warrant heightened protection due to their potential to cause harm.
  • Difference: The GDPR defines sensitive data through a closed list (e.g., race, religion, health), whereas the PIPL adopts a harm-based, open-ended approach, listing examples like biometrics, financial data, and location. It also uniquely classifies the data of minors under 14 as sensitive. This broader scope under Chinese law may impose stricter compliance obligations.

3. Data Controller vs. Personal Information Controller[3]

  • Common: Both frameworks designate an entity responsible for determining the purposes and means of data processing—the GDPR calls this the “Data Controller,” while the PIPL refers to the “Personal Information Controller.”
  • Difference: The GDPR distinguishes between controllers and processors (who act on behalf of controllers). In contrast, the PIPL uses a single term—“controller”—to describe entities that independently determine processing purposes and means. The PIPL does not explicitly define “processor” but does outline requirements applicable to it; for example, the relationship between the Controller and the Processor shall be governed by a data processing agreement.

4. Data Subject[4]

  • Common: Both define the data subject as the individual to whom the data pertains.
  • Difference: The GDPR limits this concept to natural persons. Chinese law, however, expands the definition in some sectors (e.g., finance, insurance) to include legal entities such as companies and government agencies, reflecting broader regulatory goals including national security and public interest.

5. Important Data and Core Data (China-Specific)[5]

  • Chinese law introduces “Important Data” and “Core Data”—concepts absent from the GDPR. Important Data refers to information whose compromise could threaten national security, economic stability, or public health. Core Data, a subset, concerns even more sensitive national interests and is subject to the strictest controls, especially regarding cross-border transfers.

(2) Legal Bases for Data Processing

The GDPR permits personal data processing based on the controller’s “legitimate interests,” subject to a balancing test, while the PIPL lacks this basis, making explicit consent the primary requirement in China. Although the PIPL provides limited non-consent grounds, their practical application remains uncertain, reinforcing consent as the dominant legal basis.

(3) Data Subject Rights

Both the GDPR and the PIPL give individuals control over their personal data, including the rights of access, rectification, erasure and data portability, the right to be informed, and the right to challenge automated decisions.

Key Differences:

  • Access: GDPR specifies required information and verification; PIPL focuses on easy access for minors/guardians.
  • Erasure: GDPR sets timelines and requires notifying third parties; PIPL encourages proactive deletion but no notification.
  • Data Portability: GDPR guarantees machine-readable transfers; PIPL allows transfers only if authorities’ conditions are met.
  • Automated Decisions: PIPL allows users to disable algorithmic recommendations and bans targeted marketing to minors.
  • Deceased Persons: PIPL uniquely grants relatives rights over deceased individuals’ data.

(4) Data Controller and Processor Obligation

1. Impact Assessments[6]

  • Common: Both require risk assessments before high-risk data processing.
  • Differences: GDPR mandates Data Protection Impact Assessments (DPIAs) for high-risk scenarios, especially those involving new technologies. PIPL requires a Personal Information Protection Impact Assessment (PIPIA) for activities such as sensitive data processing, automated decision-making, data sharing (especially cross-border), and disclosure. Additional assessments apply to critical data and children’s data.

2. Data Breach Notification[7]

  • Common: Both require prompt notification of personal data breaches.
  • Differences: GDPR sets a 72-hour deadline for notifying authorities and mandates user notification if risks are high. Chinese law requires immediate remedial action and notification to both authorities and affected individuals, with specific rules for minors and network data.

3. Appointment of DPO vs. PIPO[8]

  • Common: Both require dedicated roles for overseeing data protection.
  • Differences: GDPR mandates a DPO in specific high-risk scenarios. PIPL requires a PIPO once data volumes meet state thresholds. Companies located outside China that process Chinese personal information must appoint a designated representative or organization within the PRC and report its details to the data protection authority. For critical data, a senior management–level security officer is also required.

4. Data Localization[9]

  • Common: Little common ground; the two regimes diverge on this point.
  • Differences: GDPR permits free data flow within the EU. Chinese law requires Critical Information Infrastructure Operators (CIIOs) and large controllers to store data domestically. Cross-border transfers need official security assessments, and foreign judicial or law enforcement agencies’ access to locally stored data requires government approval.

(5) Enforcement, Penalties, and Cross-Border Transfers

1. Enforcement and Penalties[10]

  • Common: Both regimes impose substantial obligations on controllers and include penalties for violations.
  • Differences: GDPR enforcement is handled by independent Data Protection Authorities (DPAs) across EU member states, with coordinated oversight and clear procedures. Fines can reach €20 million or 4% of global annual turnover, and individuals can lodge complaints or seek judicial remedies. China adopts a multi-agency enforcement model led by the Cyberspace Administration of China (CAC), with overlapping roles for the Ministry of Industry and Information Technology (MIIT) and the Public Security Ministry (MPS). Fines under the PIPL can reach RMB 50 million or 5% of turnover. Responsible individuals may also face personal penalties and disqualification. Civil and criminal liability is possible.

2. Cross-Border Data Transfers[11]

  • Common: Both frameworks allow data transfers abroad under defined legal mechanisms and safeguards.
  • Differences: GDPR permits transfers to countries with an EU “adequacy decision”, or via safeguards like Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs). It also allows limited derogations (e.g. explicit consent, contractual necessity). China requires a CAC-led security assessment for CIIOs or controllers exceeding set thresholds—e.g. transfer of data on over 1 million individuals or 10,000 sensitive records per year. Lower-volume controllers must sign CAC-standard contracts. Certification is an alternative route, and limited exemptions apply for HR management, contracts, or smaller transfers. Unlike the GDPR, China mandates data localization, requiring certain data to be stored domestically, with outbound transfers allowed only after approval.[12]

[1] GDPR Art. 4.1; PIPL Art. 4, CSL Art. 76(5).

[2] GDPR Art. 9.1; PIPL Art. 28.

[3] GDPR Art. 4.7; PIPL Art. 73(1), CSL Art. 76(3), NDSMR Art. 62(3).

[4] GDPR Art. 4.1; Measures for the Administration of Data Security of Banking and Insurance Institutions (2024) Art. 3.

[5] DSL Art.3 & 21, CSL Art. 76(4), NDSMR Art. 62(1) & 62(4), Measures for the Administration of Data Security of Banking and Insurance Institutions (2024) Art. 3.

[6] GDPR Art. 35; PIPL Art. 55, NDSMR Art. 31, Regulations on the Protection of Children’s Personal Information Online (2019) Art. 16 & 17.

[7] GDPR Art. 33 & 34; PIPL Art. 57, NDSMR Art. 11, Regulations on the Protection of Children’s Personal Information Online (2019) Art. 21.

[8] GDPR Art. 37; PIPL Art. 53, NDSMR Art. 30.

[9] PIPL Art. 40.

[10] GDPR Art. 83 & 84; PIPL Art. 60 & 66-71, DSL Art. 6, NDSMR Art. 47, Measures for the Administration of Data Security of Banking and Insurance Institutions (2024) Art. 4, Regulations on the Security Protection of Critical Information Infrastructure (2021) Art. 3.

[11] Adequacy Decision: GDPR Art. 45; PIPL Art. 38(1) & 40. SCCs: GDPR Art. 46.2.c; PIPL Art. 38(3). BCRs: GDPR Art. 46.2.b & 47; PIPL Art. 38(2). Exemptions: GDPR Art. 49; PIPL Art. 38(4).

[12] PIPL Art. 40, CSL Art. 37, Provisions on Automobile Data Security Management (Trial) (2021) Art. 11.
