Comparison Between Global Data Security Laws – China PIPL, EU GDPR, And US Data Laws

The activation of the Personal Information Protection Law (PIPL) adds another layer of complexity concerning compliance with China‘s data law security. We expect that some further details will be detailed in regulations and practical guidance in the future. This law, which came into effect recently on 1 November 2021, has changed business dealings in and around China.

The General Data Protection Regulation (GDPR) was passed by the European Union and has been in effect since 25 May 2018. The GDPR is the most comprehensive privacy and security law in the world. But how does this compare to the PIPL and the privacy laws adopted by the US for privacy protection?

It is important to note and compare how these laws differ and draw parallels. A comparison will allow us to assess how we interact and do business with these countries. In this article, I will outline these laws and navigate how this will affect day-to-day dealings with these countries.

The United States lacks one law that envelops the privacy of all types of data. Instead, it has a combination of various elements that go by acronyms like HIPAA, FCRA, FERPA, GLBA, ECPA, COPPA, and VPPA. The data collected by the vast majority of products people use every day isn’t regulated. Each different state’s draft data privacy law looks different some with prior consent requirements akin to the EU’s GDPR. Some have larger scopes and others have exemptions by sectors.

The necessity for data protection laws

In the modern global economy, data is one of the most valuable resources to businesses. Companies use data to understand customers and personalise experiences to build deeper relationships which in turn increase profits. While the use of data is optimised when it freely flows across borders, many countries have been formulating privacy measures making the transfer of data across borders more complicated, expensive, and time-consuming. Some activities, at a broader level, may even become illegal.

Data protection legislation prevents data from being misused or traded/sold/leaked to third parties that may use it for purposes different to the consent given by the customers when it was collected. The most common data elements that businesses collect may include your name, address, emails, contact telephone numbers, and bank and credit card details. Protecting this information is both an ethical and more importantly a legal requirement in most countries and the businesses must take considerable measures to protect the data they collect.

Data protection laws contain a set of principles that organisations, governments, and businesses have to adhere to in order to ensure people’s data is accurate, safe, secure, and lawful.

These principles ensure data is:

• Only used in specific processes
• Not stored for longer than necessary
• Used only in relevant ways
• Kept safe and secure
• Used only within the confines of the law
• Not transferred out of the legal jurisdiction it was collected in without consent
• Stored following data protection rights

Timeline of information security laws enhancement in China

Since the enactment of the Cybersecurity Law (the CSL) in June 2017, Chinese Regulators have launched a series of enforcement actions involving a cybersecurity review against some internet companies. The enforcement actions brought data security into the spotlight.

In September 2021, the Chinese government stepped up its enforcement efforts on data security governance by introducing the Data Security Law (DSL) to provide additional data protection on top of cyberspace governance.

The Personal Information Protection Law (PIPL) has mirrored certain provisions of the GDPR and jointly built up a strict regulatory regime for privacy protection, data security, and network security in China. The GDPR acted as a benchmark for international judicial practice.

Key similarities and differences between PIPL and GDPR

While the PIPL employed the GDPR as a benchmark for the data privacy framework, there is no single principal data protection legislation in the United States. A jumble of hundreds of laws enacted on both the federal and state levels serves to protect the personal data of United States residents.

Here is a comparison of the general ways in which these data laws differ and the similarities between them:

Cross-border Data Transfer:

The PIPL has some elements in common with the GDPR regarding the cross-border transfer of personal information. However, it also has some additional requirements. The GDPR has an adequate level of protection ensured. The appropriate safeguards are implemented in the Standard Contractual Clauses (SCC), Binding Corporate Rules, etc. PIPL goes beyond this with implementing data localisation. In essence, this means that the PIPL requires a controller of large-scale personal data or a critical information operator to store personal data within China. Cross-border transfers above a certain threshold are subject to a security assessment by the Cyberspace Administration of China (CAC).

Data Protection Impact Assessment (DPIA):

Regarding GDPR, a DPIA is required when there is a high-risk nature of the processing. PIPL requires DPIA to be performed whenever there is a transfer of data overseas and when using third-party processors. In the United States, the DPIA is a compliance requirement.

Rights of Individuals:

With regards to the GDPR, people have the right to access, correct, erase, and object to processing, subject to any automated decisions concerning data provided. The PIPL provides the same rights but includes additional rights, including requesting handlers to explain their handling rules. The rights can be exercised beyond death by close relatives of the deceased.

Sensitive Personal Information:

The GDPR and PIPL both protect biometric data, religious information, and health-related data. The GDPR also protects trade union membership details, generic data, and sexual orientation. The PIPL instead protects personal financial accounts, personal information of minors under the age of 14, and so on.

Data Breach Notification:

The GDPR controller will, in the case of a personal data breach, notify the personal data breach to the supervisory authority competent in accordance with Article 55 not later than 72 hours after having become aware of it. The PIPL imposes immediate mandatory reporting of data breaches to the relevant authority on a personal information handler.

Legal Liabilities:

The GDPR punishes non-compliance with a fine of up to ” 20 million or up to 4% of the total worldwide annual turnover of the preceding financial year. The PIPL punishes non-compliance with fines of up to RMB 50 million (approximately ” 6 316 830 or up to 5% of the prior year’s revenue).

Data protection in the United States

Because there is no particular law in the United States, it is imperative to inspect their current laws separately by comparing them to data protection laws that China and the European Union have imposed on their territory.

Data privacy is not highly legislated or regulated in the U.S. The access to private data contained in, for example, third-party credit reports may be sought when seeking employment or medical care. Although some regulations exist, there is no all-encompassing law regulating the acquisition, storage, or use of personal data.

Whoever obtains the data is deemed to own the right to store and use it, even if the data was collected without permission. Exemptions on this content are regulated by laws and rules such as the Federal Communications Act’s provisions, and implementing rules from the Federal Communications Commission.

Some examples of data privacy laws in the United States are:

• Children’s Online Privacy Protection Act (Coppa) this governs the collection of information about minors (children 13 years and younger).
• Health Insurance Portability and Accounting Act this governs the collection of health information.
• Fair Credit Reporting Act this act regulates the collection and use of credit information.
• Gramm Leach Bliley Act (GLBA) governs personal information collected by banks and financial institutions.

According to Osano, a corporate privacy supplier in the U.S. The U.S. has hundreds of sectoral data privacy and data security laws among its states. The state attorney generals oversee data privacy laws governing the collection, storage, safeguarding, disposal, and use of personal data collected from their residents, especially regarding data breach notifications and the security of Social Security numbers. Some apply only to governmental entities, some apply only to private entities, and some apply to both.

Outcomes of the Comparison: DPR, PIPL, and US Data Privacy Laws

When comparing GDPR and PIPL, one can draw a few parallels to the privacy laws in place. The biggest similarity is that it is a law within itself. The US, although having some similarities with both, doesn’t have one defining law to compare to.

The GDPR and PIPL have all-encompassing laws making it easier to govern and having clearly defined bodies in place to monitor any breaches of these data rules.