


China Personal Information Protection Law and EU General Data Protection Regulation Comparative Reading: Five Basic Concepts


China has published the Personal Information Protection Law (PIPL), which takes effect on November 1, 2021. It can be expected that personal information processing activities will take some time to move from the current disorder to disciplined practice.

The European Union brought the General Data Protection Regulation (GDPR) into force on May 25, 2018; it regulates personal data processing in the EU.

Given the depth and breadth of economic exchange between China and the EU, it is very useful for organizations, especially businesses and other bodies with cross-border CN-EU operations, to read the PIPL and GDPR side by side, so that they can prepare their organizations and institutions in line with the legislation of both regions.

Objectives: balance of protection and use of personal information

CN: protect personal information rights, but also promote the use of personal information (Art. 1; 2).

EU: protect natural persons' rights to the protection of personal data, while the free movement of personal data within the Union should be neither restricted nor prohibited (Art. 1(2), (3)).

The necessity of personal information protection has become more prominent with the growth of the electronic information industry. With the advance of that industry, the scope and speed of personal information processing activities, and their impact on personal life, are tremendously different from before. Use of personal information, however, is also the foundation for many economic activities in the digital economy. Both China and the EU have therefore emphasized the balance between the two sides.

Definition of personal information

CN: personal information means any type of information relating to an identified or identifiable natural person (Art. 4).

EU: personal data means any information relating to an identified or identifiable natural person (Art. 4(1)).

PIPL uses the term "personal information" whilst GDPR uses "personal data", but there is no difference in essence between the two.

PIPL appends to the above definition a sentence stating that "pseudonymized information" is not personal information. This, however, is just an additional emphasis of the point "relating to an identified or identifiable", with no further essential development of the definition.

PIPL has also emphasized that whether information is recorded electronically is not a component of the definition. GDPR, on the other hand, stipulates that it applies as long as personal data enter a filing system, whether automated or not. As an automated filing system can only be electronic, and data in an electronic filing system can only be recorded electronically, the two pieces of legislation are therefore talking about the same thing in different ways.

Personal information controller and processor

CN: a personal information processor is an individual or organization which autonomously determines the purposes and means of personal information processing in personal information processing activities, such as collection, storage, use, processing, transfer, provision, disclosure and deletion (Art. 4 par. 2; 73 par. 1 item 1).

EU: a personal data controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data (Art. 4(7) sentence 1). A personal data processor means a natural or legal person, public authority, agency or other body which, on behalf of the controller, processes personal data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure, alignment or combination, restriction, erasure or destruction (Art. 4(2), (8)).

PIPL has only the concept of a processor, not a controller. Nonetheless, the processor in PIPL is an individual or organization which can determine the purposes and means of processing, and thus should be understood as covering the concept of controller in GDPR. After all, it is the controller that determines the purposes and means of data processing. On the other hand, a processor even in the strict sense, for instance an independent third-party data processing service provider, though without autonomy over the purpose of processing, must have some degree of autonomy over the means of processing, such as where to place servers, how to encrypt data, and by what technique to transfer data. Otherwise it is an associated organization, not a third party anymore.

Therefore a processor in PIPL also covers the concept of processor in GDPR. In short, a processor in PIPL is not essentially different from "controller + processor" in GDPR.

Application inside and outside the border

CN: PIPL applies to personal information processing activities within China (Art. 3 par. 1). PIPL also applies to an activity conducted outside China to process the personal information of natural persons within China when the purpose of the activity is to provide goods or services to natural persons within China, or to analyse or assess the behaviour of natural persons within China, or when it falls within other circumstances provided for by laws or regulations.

EU: GDPR applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not (Art. 3(1)). GDPR also applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to the offering of goods or services to such data subjects in the Union, or related to the monitoring of their behaviour as far as their behaviour takes place within the Union (Art. 3(2)).

Evidently, the two pieces of legislation by China and the EU are consistent in effect in taking the location of the information subjects as the basis for applicability.

It is interesting to compare China's criterion of "activity within the border" with the EU's criterion of "activity of an establishment of a controller or a processor within the border". Without making it too complex, here is an example to test the question: what happens if an outside establishment of an inside company processes personal information of subjects outside the border?

It is necessary to split this into two cases for analysis.

The first case is where the outside establishment behaves independently, for example, it provides processing services to an outside third party. In this case PIPL does not apply, as the activity is outside China's border. But the answer is not so definite when it comes to GDPR. Some think GDPR does not apply either, because the inside company is neither a controller nor a processor in this case. The headquarters information security commissioner of an EU company I used to serve seemingly thought differently. The China branch was requested to follow GDPR, though the China branch processed nothing in relation to EU persons.

The second case is where the behaviour of the outside establishment is controlled to a certain extent by the inside company. In this case GDPR definitely applies, as it is an "activity of an establishment of a controller in the Union". It is arguable when it comes to PIPL. For example, when the China headquarters enforces certain technical or service quality standards, is that an activity of "autonomously determining the means of processing" as defined by PIPL?

On the issues just discussed, we recommend that clients closely observe legal developments within the two regions.

One tip here: the expression "establishment" of a controller or a processor in the English version of GDPR should not be understood simply as a company, nor even simply as an office. Legal form is not the criterion. An engaged consultant may also constitute an establishment.

Enforcement outside the border

CN: a personal information processor must take necessary measures to ensure that the personal information processing activities of an outside recipient meet the standards of personal information protection provided by PIPL (Art. 38 par. 3).

EU: a controller or processor may transfer personal data to a third country or an international organization only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available, unless the EU has decided that the third country, a territory or one or more specified sectors within that third country, or the international organization in question ensures an adequate level of protection. All provisions in relation to the transfer of personal data to a third country or international organization shall be applied in order to ensure that the level of protection of natural persons guaranteed by GDPR is not undermined (Art. 44; 46(1)).

Although many requirements are imposed on the transfer of personal data to a recipient outside the border, what if the outside recipient does not comply after reception? Both China and the EU impose a duty of "assurance" on the inside controller and processor.

In practice, this requires the inside organization, on one hand, to carefully examine the personal information protection concepts, methods, capacity and the like of outside organizations, and on the other hand to control outside organizations via instruments such as agreements, so that, in case harm occurs, an information subject is able to seek remedies through a proper channel, for instance by suing the outside and/or inside organization under those agreements.

Meanwhile, an inside organization that does not properly perform its "assurance" duty may, depending on the situation, be given administrative punishment. In China, the responsible person may also face criminal penalties.


To a personal information processor, compliance with personal information protection law is, in some sense, a corporate governance issue: a company must set up proper personal information protection institutions internally in line with legal requirements, invest adequately to build personal information protection infrastructure and give staff sufficient training, and in the meantime prepare proper corporate regulations to ensure that staff behave in accordance with the requirements of the law.

