Data protection principles The PIPL establishes seven principles for data processing, including legality, propriety, necessity, and sincerity (Article 5), explicit purpose (Article 6), minimum necessity (Article 6), transparency (Article 7), accuracy (Article 8), accountability and data security (Article 9), and storage limitation (Article 19). The PIPL is similar to the GDPR in this respect. Under the GDPR, personal data processing is subject to the principles of lawfulness, transparency and fairness, further processing and purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, and accountability. In any event, the principles of data protection
Insight
China: The PIPL and the GDPR - A comparative perspective: Part two
December 3, 2021
Summary
China's Personal Information Protection Law (PIPL) shares similarities with the EU's General Data Protection Regulation (GDPR) in data protection principles, data subject rights, and data processor obligations, but also has distinct features such as specific provisions for the deceased's personal information and different measures for cross-border data transfers. The PIPL introduces obligations like appointing a Data Protection Officer (DPO) for large data processors and conducting Personal Information Protection Impact Assessments (PIPIA) for certain activities. Cross-border data transfer under PIPL requires either a security assessment by the Cyberspace Administration of China (CAC) for critical information infrastructure operators (CIIOs) or compliance with CAC regulations for others. The PIPL also prescribes stricter penalties for violations compared to China's Cybersecurity Law (CSL), with fines up to RMB 50 million or 5% of the previous year's revenue. Despite these similarities and differences, both laws aim to address the challenges of data protection in the era of Big Data and advanced technology.