Extraterritorial Application of Chinese Personal Information Protection Law: A Comparative Study with GDPR
Written by Huiying Zhang, PhD Candidate at the Wuhan University Institute of International Law
China enacted the Personal Information Protection Law (PIPL) at the 30th Session of the Standing Committee of the 13th National People’s Congress on August 20, 2021. This is the first comprehensive national law in China concerning personal information protection and regulating the data processing activities of entities and individuals. The PIPL, the Cyber Security Law (which came into force on June 1, 2017) and the Data Security Law (promulgated on September 1, 2021) constitute the three legal pillars of the digital economy era in China.
PIPL includes eight chapters and 74 articles, covering General Provisions, Rules for Processing Personal Information, Rules for Cross-border Provisions of Personal Information, Rights of Individuals in Activities of Processing Personal Information, Obligations of Personal Information Processors, Departments Performing Duties of Personal Information Protection, Legal Liability and Supplementary Provisions. This note focuses on its extraterritorial effect.
Article 3 of the PIPL provides:
“This Law shall apply to activities conducted by organizations and individuals to control the personal information of natural persons within the territory of the People’s Republic of China.
This Law shall also apply to activities outside territory of the People’s Republic of China to handle the personal information of natural persons within the territory of the People’s Republic of China under any of the following circumstances:
- personal information handling is to serve the purpose of providing products or services for natural persons within the territory of the People’s Republic of China;
- personal information handling is to serve the purpose of analyzing and evaluating the behaviors of natural persons within the territory of the People’s Republic of China; or
- having other circumstances as stipulated by laws and administrative regulations.”
According to paragraph 1 of Art 3, the PIPL applies to all processing of personal information carried out in China. If foreign businesses process or handle personal information within the territory of China, they shall, in principle, comply with the PIPL. This clause thus focuses on the activities of processing or handling personal information in the territory of China, especially the physical link between those activities and Chinese territory.
According to paragraph 2 of Art 3, the PIPL shall be applicable to activities outside the territory of China in processing or handling the personal information within China under some circumstances. As provided in Art 53, “personal information handlers outside the borders of the People’s Republic of China shall establish a dedicated entity or appoint a representative within the borders of the People’s Republic of China to be responsible for matters related to the personal information they handle”. Notably, this clause focuses on the physical location of the data processors or handlers rather than their nationality or habitual residence.
The PIPL has extraterritorial jurisdiction over data processing or handling activities outside the territory of China under the 3 circumstances provided in paragraph 2 of Art 3 of the PIPL. This is the embodiment of the effect principle, which derives from objective territorial jurisdiction and emphasizes the influence or effect of the behavior within the territory. If the purpose is to provide products or services to individuals located in China, or to analyze the behaviors of natural persons in China, the PIPL shall be applicable. Crucially, the actual “effect” or “influence” of data processing or handling is emphasized here, i.e. when it is necessary to determine the extent of, or the requirements met by, the damage caused by the above-mentioned data processing or handling activities outside the territory of China, Chinese courts may reasonably exercise jurisdiction over the case. Obviously, this reflects consideration of the element of “brunt of harm”. However, if the “effect” or “influence” is not specifically defined and limited, there will be a lot of problems. It is important to determine exactly whether data processors or handlers outside the territory of China are aware of the implications of their actions for natural persons within China, and whether the “effect” or “influence” of the data-processing behaviors is direct, intentional and predictable.
The PIPL explicitly states its purported extraterritorial jurisdiction for the first time and insists on specific personal jurisdiction and the effect principle. This is mainly because the PIPL is formulated “in order to protect personal information rights and interests, standardize personal information handling activities, and promote the rational use of personal information”, but in the process of legally protecting the personal information of natural persons there are a lot of challenges, such as the contradiction between the application of traditional jurisdiction, the virtual nature of personal information and so on. In this sense, all of the PIPL’s bases of jurisdiction, whether territorial jurisdiction, personal jurisdiction or the effect principle, are further supplements to the personal information protection regime previously provided.
2. PIPL and GDPR: a Comparative Study
The provisions on jurisdiction of the GDPR are mainly concentrated in Art 3 and Art 23, 24, 25, 26, 27 of preambular 2. In Art 3, paragraphs 1 and 2 identify the “establishment principle” and the “targeting principle”, and paragraph 3 provides “This regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law”.
A. Establishment Principle
Under paragraph 1 of Art 3, the GDPR applies to “the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.” It sets the “establishment criterion”, which has the dual characteristics of territorial jurisdiction and extraterritorial jurisdiction.
Compared with the establishment criterion in the GDPR, the PIPL indicates that personal information handlers outside the territory of China shall establish a dedicated entity or appoint a representative within China, as previously mentioned. It highlights the significance and necessity of establishing an entity when foreign data handlers process the personal information of natural persons outside China under the circumstances in paragraph 2 of Art 3 of the PIPL.
B. Targeting Principle
Compared with the targeting criterion in the GDPR, the PIPL has many differences. Paragraph 2 of Art 3 of the GDPR clearly states that for data processors and controllers that do not have an establishment in the EU, the GDPR will apply in two circumstances. Firstly, as stated in Art 3 of the GDPR, the processing activities relate to “the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union” (Art 2 GDPR). It seems too abstract to give the definition and processing method of the data processor’s and controller’s behavior intention. Art 23 of the GDPR provides the clarification that “it should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union.” The key factor in assessing whether the processor or controller “targets” the EU is whether the behaviour of the offshore data processors or controllers indicates their apparent intention to provide goods or services to data subjects in the EU. This is an objective subjective test.
In contrast, Art 3 of the PIPL states that the law shall apply when the data processor processes personal information “to serve the purpose of providing products or services for natural persons within the territory of the People’s Republic of China”. It indicates that the purpose of the data processor or controller outside China is to provide a product or service to a domestic natural person in China. The key to its application is not only whether the processor has that purpose, but also whether it has processed the personal information of a natural person in China.
Secondly, the processing activities are related to “the monitoring of their behaviour as far as their behaviour takes place within the Union”. This requires that both the data subject and the monitored activity be located within the EU. “Monitoring” shall be defined in accordance with Article 24 of the GDPR preamble. This provision does not require the data processors or controllers to have a corresponding subjective intent in the monitoring activity, but the European Data Protection Board (hereinafter referred to as EDPB) pointed out that the use of the term “monitoring” implied that the data controllers or processors had a specific purpose, namely to collect and process the data. Similarly, Art 3 of the PIPL also applies to activities outside China dealing with personal information of natural persons within China, if the activities are to analyse and evaluate the acts of natural persons within China. The meaning of “analysis and evaluation” here is very broad and seems to cover “monitoring” activities under the GDPR.
Furthermore, paragraph 3 of Art 3 of the GDPR provides: “This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.” It suggests that the data processor or controller does not have an establishment in the territory of the EU and that none of the circumstances under paragraph 2 of Art 3 of the GDPR is present. Because international law applies EU Member State law in the place where the data controller is located, this law shall apply. This condition is primarily aimed at resolving the issue of extraterritorial jurisdiction over data processing or controlling that takes place in the EU without an establishment. This condition is similar to Directive 95/46 of the European Parliament and the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. A similar condition is not included in the PIPL, which instead shall apply to other circumstances “as stipulated by laws and administrative regulations”.
C. Passive personality principle
Under the passive personality principle, a state has prescriptive jurisdiction over anyone anywhere who injures its nationals or residents. As previously mentioned, paragraph 2 of Art 3 of the GDPR states that although the personal data processors or controllers are not established in the EU, the EU still applies the laws of Member States in accordance with public international law. Art 25 of the preamble of the GDPR provides examples of such situations, which may include a Member State’s diplomatic mission or consular post.
To some extent, the GDPR brings all personal data processing activities involving natural persons situated in the EU area within its jurisdiction, which is a variation of the passive nationality principle. This is because the EU treats the individual data right as a fundamental human right and aims to establish a digital market with a unified level of protection. The PIPL adopts a similar practice by adopting the passive nationality principle to protect Chinese citizens and residents.
The promulgation of the PIPL shows that China recognizes the extraterritorial effect of data protection law. This legislative exploration not only has the meaning of localization, but also contributes to the formulation of data rules for the international community. It marks an important step towards China’s long-term goal of balancing the preservation of national sovereignty, the protection of individual rights and the free flow of data across borders.