On Oct. 21, 2020, the Standing Committee of the National Peopleâ€™s Congress of China released the draft Personal Information Protection Law to solicit public opinions. Many rules of the draft PIPL appear to be similar to those of the EU General Data Protection Regulation, including its territorial applicability.Â
At first glance, the territorial applicability provisions of the draft PIPL bear some resemblance to those of the GDPR. However, after taking a closer look at the wording of both laws, notable differences, of which non-China data controllers and processors, in particular, should be aware still exist.
The GDPRâ€™s territorial applicability is based upon two criteria, namely the â€œestablishment criterionâ€� and â€œtargeting criterion.â€� If a company falls under either of these two criteria, the GDPR will apply to this company. The PIPL also has two criteria to decide its territorial applicability,Â the â€œprocessing activity criterionâ€� and the â€œtargeting criterion.â€�Â
Establishment criteria of GDPR vs. processing activity criteria of draft PIPL
Under Article 3(1) of the GDPR, the establishment criterion regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the EU, regardless of whether the processing takes place in the EU or not.
Under Article (3)(1) of the draft PIPL, the processing activity criterion shall apply to the activities carried out by organizations and individuals within the territory of the Peopleâ€™s Republic of China in processing the personal information of natural citizens.
Unlike the GDPR, the applicability of the draft PIPL does not require a data controller or processor have an “establishment” in China, but it does require their processing activities must be in China, except for those overseas processing activities under Article 3(2).
In other words, the draft PIPL applies to an overseas data controller or processorâ€™s processing activities in China, even it has no establishment in China. It does not apply to a data controller or processor who has an establishment in China, but its processing activities are not carried out in China, except for those overseas processing activities under Article 3(2).
Comparing the targeting criteria of GDPR and draft PIPL
Under Article (3)(2) of the GDPR, the targeting criterion regulation applies to the processing of personal data of data subjects who are in the EU by a controller or processor not established in the EU, where the processing activities are related to (1) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the EU; and (2) the monitoring of their behavior as far as their behavior takes place within the EU.
Under Article (3)(3) of the draft PIPL, the targeting criterion law shall also apply to the activities carried out outside the territory of the People’s Republic of China in processing the personal information of natural persons in the territory of the People’s Republic of China under any of the following circumstances: (1) where the purpose is to provide products or services to natural persons in the territory of China; (2) for analyzing and evaluating the activities of the natural persons in the territory (of China); and (3) other circumstances provided by laws and administrative regulations.
In Guidelines 3/2018 on the territorial scope of the GDPR (Article 3), the European Data Protection Board clarifies the targeting criterion of the GDPR largely focuses on what the â€œprocessing activitiesâ€� are â€œrelated to,â€� which will be considered on a case-by-case basis. While the wording â€œrelated toâ€� may sound abstract and broad, the recitals of the GDPR, the guidelines and relevant court cases in the EU appear to have narrowed its scope.
Offering of goods or services to data subjects in EU vs. providing products or services to natural persons in ChinaÂ
On the point of â€œthe processing activities are related to the offering of goods or services to data subjects in the [EU],â€� Recital 23 of the GDPR says, â€œit should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union.â€�
In other words, the actual outcome of offering goods or services to data subjects in the EU is insufficient to conclude the GDPR should apply. Instead, for the GDPR to apply, the overseas data controller or processor should have an apparent expectation or objective that its goods or services will be provided to data subjects in the EU.
By contrast, Article 3(2)(I) of the draft PIPL only provides that it will apply to the overseas processing activities if â€œthe purpose is to provide products or services to natural persons in the territory (of China).â€� However, it is unclear whether this means that the purpose of the overseas data controller or processor is to provide products or services to natural persons in China or if the purpose of the overseas processing activities is to provide products or services to natural persons in China.
If Article 3(2)(I) of the draft PIPL were to be interpreted to have the meaning of the above paragraph (a), it would serve the same or very similar effect of Article 3(2)(a) of the GDPR, i.e., the overseas data controller or processor apparently has envisaged that its goods or services will be provided to data subjects in the Union, and therefore the GDPR should apply.
However, the wording of Article 3(2)(I) of the PIPL appears to imply the meaning of the above paragraph (b), in that the â€œpurposeâ€� is linked to â€œthe processing activities,â€� rather than the data controller or data processor.
There is a danger the PIPL will apply to an overseas data controller or processor as long as it sells goods or services to natural persons in China and processes their personal information, regardless of whether it has envisaged the offering of goods and services to them in the first place. In other words, the actual outcome of offering goods or services to data subjects in China will likely be a decisive factor in determining whether the PIPL should apply or not, and the expectation or objective of the overseas data controller or processor is irrelevant.
Monitoring behavior of data subjects in EU vs. analyzing and evaluating activities of natural persons in China
The second type of activity triggering the application of Article 3(2) of the GDPR is the â€œmonitoring of data subject behaviorâ€� as far as their behavior takes place within the EU. The guidelines provide “â€¦ the use of the word ‘monitoring’ implies that the controller has a specific purpose in mind for the collection and subsequent reuse of the relevant data about an individualâ€™s behavior within the EU.
The EDPB does not consider that any online collection or analysis of personal data of individuals in the EU would automatically count as ‘monitoring.’ It will be necessary to consider the controllerâ€™s purpose for processing the data and, in particular, any subsequent behavioral analysis or profiling techniques involving that data. The EDPB takes into account the wording of Recital 24, which indicates that to determine whether processing involves monitoring of a data subject behavior, the tracking of natural persons on the Internet, including the potential subsequent use of profiling techniques, is a key consideration.”
By contrast, Article 3(2)(II) of the draft PIPL provides that it will apply to overseas processing activities for â€œanalyzing and evaluatingâ€� the behavior of natural persons in China. The implications of the phrase â€œanalyzing and evaluatingâ€� can be very broad, which leaves room for not only those â€œmonitoring activitiesâ€� contemplated in the GDPR but potentially any analysis, assessment and study of the behavior of natural persons in China.
â€˜Other circumstancesâ€™ under the draft PIPL
Article 3(2)(I) of the PIPL provides â€œother circumstances provided by laws and administrative regulationsâ€� can also trigger the applicability to overseas personal information processing activities. This â€œother circumstancesâ€� provision leaves room for future legislation by Chinese legislators but adds to the uncertainty of the territorial applicability scope of the PIPL.
It is worth noting the draft PIPL discussed in this article is the first draft version published by Chinese legislators to solicit public opinions. It is possible that the final version of the PIPL may have clearer provisions on the issues discussed above. It is also possible that after the PIPL is passed, Chinese authorities may issue relevant guidelines or implementation rules that hopefully would shed more light on these issues.
Jacqueline Che also contributed to this article.
Photo by Alejandro Luengo on Unsplash