
Privacy Tracker | A look at the extraterritorial applicability of China’s newly issued PIPL: A comparison to the EU's GDPR

Related reading: A look at China's draft of Personal Information Protection Law


On Oct. 21, 2020, the Standing Committee of the National People’s Congress of China released the draft Personal Information Protection Law to solicit public opinions. Many rules of the draft PIPL appear to be similar to those of the EU General Data Protection Regulation, including its territorial applicability. 

At first glance, the territorial applicability provisions of the draft PIPL bear some resemblance to those of the GDPR. However, a closer look at the wording of both laws shows that notable differences still exist, of which non-China data controllers and processors, in particular, should be aware.

The GDPR’s territorial applicability is based upon two criteria, namely the “establishment criterion” and “targeting criterion.” If a company falls under either of these two criteria, the GDPR will apply to this company. The PIPL also has two criteria to decide its territorial applicability, the “processing activity criterion” and the “targeting criterion.”

Establishment criterion of GDPR vs. processing activity criterion of draft PIPL

According to Article 3(1) of the GDPR, the GDPR applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the EU, regardless of whether the processing takes place in the EU or not.

According to Article 3(1) of the draft PIPL, the PIPL shall apply to the activities carried out by organizations and individuals within the territory of China in processing the personal information of natural citizens.

Unlike the GDPR, the applicability of the draft PIPL does not expressly require that a data controller or processor have an "establishment" in China, but it does require that their processing activities be in China, except for those overseas processing activities under Article 3(2).

In other words, the draft PIPL appears to apply to an overseas data controller or processor’s processing activities in China, even if it has no establishment in China. It does not apply to a data controller or processor that has an establishment in China but whose processing activities are not carried out in China, except for those overseas processing activities under Article 3(2).

Comparing the targeting criteria of GDPR and draft PIPL

According to Article 3(2) of the GDPR, the GDPR applies to the processing of personal data of data subjects who are in the EU by a controller or processor not established in the EU, where the processing activities are related to (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the EU; and (b) the monitoring of their behavior as far as their behavior takes place within the EU.

Under Article 3(2) of the draft PIPL, the PIPL shall also apply to the activities carried out outside the territory of the People's Republic of China in processing the personal information of natural persons in the territory of the People's Republic of China under any of the following circumstances: (a) where the purpose is to provide products or services to natural persons in the territory of China; (b) for analyzing and evaluating the activities of the natural persons in the territory (of China); and (c) other circumstances provided by laws and administrative regulations.

In Guidelines 3/2018 on the territorial scope of the GDPR (Article 3), the European Data Protection Board clarifies the targeting criterion of the GDPR largely focuses on what the “processing activities” are “related to,” which will be considered on a case-by-case basis. While the wording “related to” may sound abstract and broad, the recitals of the GDPR, the guidelines and relevant court cases in the EU appear to have narrowed its scope.

Offering of goods or services to data subjects in EU vs. providing products or services to natural persons in China

On the point of “the processing activities are related to the offering of goods or services to data subjects in the [EU],” Recital 23 of the GDPR says, “it should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union.”

In other words, the actual outcome of offering goods or services to data subjects in the EU appears to be insufficient to conclude the GDPR should apply. Instead, for the GDPR to apply, the overseas data controller or processor should have an apparent expectation or objective that its goods or services will be provided to data subjects in the EU.

By contrast, Article 3(2)(a) of the draft PIPL only provides that it will apply to the overseas processing activities if “the purpose is to provide products or services to natural persons in the territory (of China).” However, it is unclear whether this means (a) that the purpose of the overseas data controller or processor is to provide products or services to natural persons in China or (b) that the purpose of the overseas processing activities is to provide products or services to natural persons in China.

If Article 3(2)(I) of the draft PIPL were to be interpreted to have the meaning of the above paragraph (a), it would have the same or a very similar effect as Article 3(2)(a) of the GDPR, i.e., the overseas data controller or processor apparently has envisaged that its goods or services will be provided to data subjects in the Union, and therefore the GDPR should apply.

However, the wording of Article 3(2)(I) of the PIPL appears to imply the meaning of the above paragraph (b), in that the “purpose” is linked to “the processing activities,” rather than the data controller or data processor.

Accordingly, there is a danger the PIPL will apply to an overseas data controller or processor as long as it sells goods or services to natural persons in China and processes their personal information, regardless of whether it has envisaged the offering of goods and services to them in the first place. In other words, the actual outcome of offering goods or services to data subjects in China will likely be a decisive factor in determining whether the PIPL should apply or not, and the expectation or objective of the overseas data controller or processor is irrelevant.

Monitoring behavior of data subjects in EU vs. analyzing and evaluating activities of natural persons in China

The second type of activity triggering the application of Article 3(2) of the GDPR is the “monitoring of data subject behavior” as far as their behavior takes place within the EU. The guidelines provide "the use of the word 'monitoring' implies that the controller has a specific purpose in mind for the collection and subsequent reuse of the relevant data about an individual’s behavior within the EU. The EDPB does not consider that any online collection or analysis of personal data of individuals in the EU would automatically count as 'monitoring.' It will be necessary to consider the controller’s purpose for processing the data and, in particular, any subsequent behavioral analysis or profiling techniques involving that data. The EDPB takes into account the wording of Recital 24, which indicates that to determine whether processing involves monitoring of a data subject behavior, the tracking of natural persons on the Internet, including the potential subsequent use of profiling techniques, is a key consideration."

By contrast, Article 3(2)(b) of the draft PIPL provides that it will apply to overseas processing activities for “analyzing and evaluating” the behavior of natural persons in China. The implications of the phrase “analyzing and evaluating” can be very broad, which leaves room for not only those “monitoring activities” contemplated in the GDPR but potentially any analysis, assessment and study of the behavior of natural persons in China.

‘Other circumstances’ under the draft PIPL

Article 3(2)(c) of the PIPL provides “other circumstances provided by laws and administrative regulations” can also trigger the applicability to overseas personal information processing activities. This “other circumstances” provision leaves room for future legislation by Chinese legislators but adds to the uncertainty of the territorial applicability scope of the PIPL.

It is worth noting the draft PIPL discussed in this article is the first draft version published by Chinese legislators to solicit public opinions. It is possible that the final version of the PIPL may have clearer provisions on the issues discussed above. It is also possible that after the PIPL is passed, Chinese authorities may issue relevant guidelines or implementation rules that hopefully would shed more light on these issues.

Jacqueline Che also contributed to this article.

Photo by Alejandro Luengo on Unsplash

