
A Comparison of Five Basic Concepts in China's Personal Information Protection Law and the EU's General Data Protection Regulation (CN-EN)

2021-09-15

Introduction

China's Personal Information Protection Law (hereinafter "PIPL") has been promulgated and will take effect on 1 November 2021. It is safe to say that personal information processing activities in Chinese society (in this article the term refers to personal information processing activities governed by the PIPL; the same below) will go through a period of transition from disorder to order.

The EU's General Data Protection Regulation (GDPR) became applicable on 25 May 2018 and regulates personal data processing activities within the EU.

Given the depth and breadth of economic exchange between China and the EU, a comparative reading of the two laws is very useful for organizations, especially enterprises and other private bodies with cross-border business, in building organizational structures and internal rules that satisfy the requirements of both laws at the same time.

Legislative purpose: balancing protection and use of personal information

China: protect personal information rights and interests, but also promote the reasonable use of personal information (Articles 1 and 2).

EU: protect the fundamental rights and freedoms of natural persons in relation to personal data, but the free movement of personal data within the Union shall be neither restricted nor prohibited for that reason (Article 1(2), (3)).

The necessity of personal information protection law has become increasingly apparent with the rapid growth of the electronic information industry. Because of that growth, the scale and speed of personal information processing, and its impact on individuals' lives, differ fundamentally from earlier times. At the same time, the use of personal information is the basis of many economic activities in a digital economy. Both the Chinese and the EU laws therefore emphasize the balance between the two.

Definition of personal information

China: personal information is any kind of information relating to an identified or identifiable natural person (Article 4).

EU: personal data is any information relating to an identified or identifiable natural person (Article 4(1)).

The PIPL uses the term "personal information" and the GDPR the term "personal data", but there is no substantive difference in meaning between them.

The PIPL stresses that anonymized information is not personal information (Article 4). This is only a further elaboration of "relating to an identified or identifiable natural person" and does not narrow the scope of the concept. Note that the exclusion covers only anonymization, which is irreversible: de-identified information under the PIPL (Article 73) and pseudonymized data under the GDPR (Article 4(5), Recital 26) remain personal information and personal data respectively.

The PIPL also stresses that whether information is recorded electronically is not an element of the definition (Article 4). The GDPR, for its part, applies to the processing of personal data wholly or partly by automated means, and to non-automated processing of personal data that forms or is intended to form part of a filing system (Article 2(1)). In both laws the recording medium is not what makes information personal; the two laws express the point differently but with the same effect.

Personal information processor and controller

China: a personal information processor is an organization or individual that independently determines the purposes and means of processing in personal information processing activities, processing including collection, storage, use, processing, transmission, provision, disclosure and deletion (Article 4 paragraph 2; Article 73 paragraph 1 item 1).

EU: a data controller is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data (Article 4(7), first sentence); a data processor is the natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller, processing including collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure, alignment or combination, restriction, erasure or destruction (Article 4(2), (8)).

The PIPL has only a "processor" and no "controller". But the PIPL processor is a person or organization that can determine the purposes and means of processing, so it should be understood to include the controller in the EU sense, since only a controller can determine the purposes and means of processing.

On the other hand, even a processor in the narrow sense, such as an independent third party providing data processing services, though it has no autonomy over the purposes of processing, necessarily has some degree of autonomy over the means of processing, such as where the storage servers are located, how the servers are encrypted, or whether data is transmitted over fibre or copper; otherwise it would not be an independent third party but an affiliate of the controller.

Therefore the PIPL personal information processor also includes the processor in the EU sense. In short, the scope of the PIPL personal information processor does not differ substantively from the GDPR's "controller + processor". One caveat for practitioners mapping roles: the PIPL separately regulates, in Article 21, the entrusted party (受托人) that processes personal information on a processor's behalf under an agreement, and that provision is the one to read alongside the processor obligations in Article 28 of the GDPR when drafting contracts.

Domestic and extraterritorial jurisdiction

China: personal information processing activities carried out within China are covered (Article 3 paragraph 1). Activities outside China that process the personal information of natural persons within China are also covered if the purpose is to provide products or services to natural persons within China, or the activity analyses or assesses the behaviour of natural persons within China, or other circumstances provided by laws or administrative regulations apply (Article 3 paragraph 2).

EU: processing of personal data in the context of the activities of an establishment of a controller or processor in the Union is covered, regardless of whether the processing takes place in the Union (Article 3(1)). Processing by a controller or processor not established in the Union is also covered where it relates to offering goods or services to data subjects in the Union, or to monitoring their behaviour as far as that behaviour takes place within the Union (Article 3(2)).

Clearly, on the criterion of the location of the data subject (the potential victim), the two laws are consistent in practical effect.

What deserves closer analysis is the difference between China's "processing activities carried out within the territory" and the EU's "activities of an establishment of a controller or processor within the territory". Because the question is rather complex, we test it with an example: suppose an overseas establishment of a domestic company processes information about persons located overseas. What happens?

This has to be analysed in two cases.

First, the overseas establishment acts independently, for example by providing information processing services to an overseas third party. Under the PIPL the law does not apply, because the activity is not within China. Under the GDPR the answer is less clear. Some hold that the GDPR does not apply either, because the domestic company is in that case neither a processor nor a controller. However, the information security officer at the headquarters of an EU company I once served took the view that the GDPR did apply, and required its Chinese subsidiary to comply with the GDPR even though the Chinese company held no personal information of EU persons.

Second, the overseas establishment's conduct is controlled to some extent by the domestic company. Under the GDPR jurisdiction is clear, because the processing is in the context of the activities of a controller established in the Union. Under the PIPL it seems arguable: if, say, the Chinese headquarters requires the overseas establishment to implement certain technical or service standards, does that amount to "independently determining the means of processing" as defined by the PIPL? The answer is not yet certain.

On these questions we advise clients to watch legislative developments in both China and the EU closely.

A reminder: the "establishment" of a controller or processor in the GDPR's English text cannot be read as meaning a company, or even an office. Legal form is not the criterion (Recital 22). An engaged consultant may also constitute an establishment.

Enforcing jurisdiction beyond the border

China: a personal information processor shall take necessary measures to ensure that the overseas recipient's processing of personal information meets the personal information protection standards provided in this Law (Article 38 paragraph 3).

EU: unless the EU has found by an adequacy decision that the third country ensures an adequate level of protection, a controller or processor may transfer personal data to a third country only if it has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available. All provisions on transfers of personal data abroad shall be applied so as to ensure that the level of protection guaranteed by the GDPR is not undermined (Articles 44, 46(1)).

Although the law sets many requirements for transferring personal information abroad, what if the overseas recipient does not comply after receiving the data? Both the Chinese and the EU laws impose a duty of "assurance" on the domestic controller or processor.

In practice this means, on the one hand, that the domestic organization must carefully examine the overseas recipient's protection philosophy, methods and capability, and on the other hand that the domestic organization must control the overseas recipient through instruments such as agreements, so that when personal information rights are infringed the data subject and the domestic organization can seek remedies through appropriate channels, for example by suing the overseas organization under the agreement.

A domestic organization that fails to perform its "assurance" duty may of course, depending on the circumstances, face administrative penalties. The responsible persons in China may also be held criminally liable.

For information processors, and enterprises in particular, personal information protection compliance is an issue that needs attention at the governance level: an enterprise should establish an appropriate internal personal information protection function as the law requires, invest sufficient funds in information protection infrastructure and adequate staff training, and adopt appropriate internal rules to ensure that employees' conduct at work complies with the law.

English version

China Personal Information Protection Law and EU General Data Protection Regulation Comparative Reading: Five Basic Concepts

Introduction

China has promulgated the Personal Information Protection Law (PIPL), which takes effect on 1 November 2021. It can be expected that personal information processing activities will take some time to move from the current disorder to a disciplined state.

The European Union's General Data Protection Regulation (GDPR) has applied since 25 May 2018 and regulates personal data processing in the EU.

Given the depth and breadth of economic exchange between China and the EU, it is very useful for organizations, especially businesses and other bodies with cross-border CN-EU business, to read the PIPL and the GDPR comparatively, so that they can prepare their organizational structure and internal rules in line with the legislation of both regions.

Objectives: balance of protection and use of personal information

CN: protect personal information rights and interests, but also promote the reasonable use of personal information (Art. 1; 2).

EU: protect the fundamental rights and freedoms of natural persons in relation to personal data, while the free movement of personal data within the Union shall be neither restricted nor prohibited (Art. 1(2), (3)).

The necessity of personal information protection has become more prominent with the growth of the electronic information industry. With the advance of that industry, the scope and speed of personal information processing, and its impact on personal life, are vastly different from earlier days. The use of personal information, however, is also the foundation of many economic activities in a digital economy. Both China and the EU have therefore emphasized the balance between the two sides.

Definition of personal information

CN: personal information means any type of information relating to an identified or identifiable natural person (Art. 4).

EU: personal data means any information relating to an identified or identifiable natural person (Art. 4(1)).

The PIPL uses the term "personal information" whilst the GDPR uses "personal data", but there is no difference in essence between them.

The PIPL has affixed to the above definition the sentence that anonymized information is not personal information (the Chinese text says 匿名化, anonymized, not pseudonymized; de-identified information under PIPL Art. 73 and pseudonymized data under GDPR Art. 4(5) and Recital 26 remain personal information). This is just an additional emphasis of the point "relating to an identified or identifiable" natural person, with no further essential development of the definition.

The PIPL has also emphasized that whether information is recorded electronically is not an element of the definition. The GDPR, on the other hand, applies to the processing of personal data wholly or partly by automated means and to non-automated processing of personal data that forms or is intended to form part of a filing system (Art. 2(1)). In both laws the recording medium is not what makes information personal; the two pieces of legislation say the same thing in different ways.

Personal information controller and processor

CN: a personal information processor is an organization or individual which independently determines the purposes and means of processing in personal information processing activities, processing including collection, storage, use, processing, transmission, provision, disclosure and deletion (Art. 4 par. 2; Art. 73 par. 1 item 1).

EU: a controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data (Art. 4(7), first sentence). A processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller, processing including collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure, alignment or combination, restriction, erasure or destruction (Art. 4(2), (8)).

In the PIPL there is only the concept of processor, not controller. Nonetheless, the processor in the PIPL is an individual or organization which determines the purposes and means of processing, and should therefore be understood as covering the concept of controller in the GDPR; after all, it is the controller that determines the purposes and means of processing. On the other hand, a processor even in the strict sense, for instance an independent third-party data processing service provider, though without autonomy over the purpose of processing, must have some autonomy over the means of processing, such as where to place servers, how to encrypt data, and by what technique to transfer it. Otherwise it is an affiliated organization of the controller, not a third party.

Therefore the processor in the PIPL also covers the concept of processor in the GDPR. In short, the processor in the PIPL is not essentially different from "controller + processor" in the GDPR. Note that the PIPL also separately regulates, in Art. 21, the entrusted party (受托人) that processes personal information on a processor's behalf under an agreement; when mapping contractual roles, that provision is the one to read alongside the processor obligations in Art. 28 of the GDPR.

Application inside and outside the border

CN: the PIPL applies to personal information processing activities within China (Art. 3 par. 1). It also applies to activities conducted outside China that process the personal information of natural persons within China, where the purpose is to provide products or services to natural persons within China, where the activity analyses or assesses the behaviour of natural persons within China, or in other circumstances provided for by laws or administrative regulations (Art. 3 par. 2).

EU: GDPR applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not (Art. 3 (1)). GDPR also applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to the offering of goods or services to such data subjects in the Union, or related to the monitoring of their behaviour as far as their behaviour takes place within the Union (Art. 3(2)).

Apparently, the two pieces of legislation are consistent in effect in taking the location of the data subject as a basis for applying the law.

It is interesting to compare China's criterion of "activity within the border" with the EU's criterion of "activity of an establishment of a controller or processor within the border". To keep it simple, here is an example to test the question: what happens if an outside establishment of an inside company processes the personal information of subjects outside the border?

It is necessary to split this into two cases.

The first case is where the outside establishment acts independently, for example by providing processing services to an outside third party. In this case the PIPL does not apply, as the activity is outside China's border. The answer is less definite under the GDPR. Some think the GDPR does not apply either, because the inside company is neither a controller nor a processor in this case. The headquarters information security officer of an EU company I used to serve seemingly thought differently: the China branch was required to follow the GDPR, though it processed nothing relating to EU persons.

The second case is where the behaviour of the outside establishment is controlled to some extent by the inside company. In this case the GDPR definitely applies, as the processing is in the context of the "activities of an establishment of a controller in the Union". Under the PIPL it is arguable. For example, when the China headquarters enforces certain technical or service-quality standards, is that "independently determining the means of processing" as defined by the PIPL?

On these questions, we recommend that clients closely observe legal developments in the two regions.

One tip: the expression "establishment" of a controller or processor in the GDPR's English text should not be understood simply as a company, or even as an office. Legal form is not the criterion (Recital 22). An engaged consultant may also constitute an establishment.

Enforcement outside the border

CN: a personal information processor must take necessary measures to ensure that the personal information processing activities of an overseas recipient meet the standards of personal information protection provided by the PIPL (Art. 38 par. 3).

EU: unless the EU has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection, a controller or processor may transfer personal data to a third country or an international organisation only if it has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available. All provisions relating to transfers of personal data to third countries or international organisations shall be applied in order to ensure that the level of protection of natural persons guaranteed by the GDPR is not undermined (Art. 44, 46(1)).

Although many requirements are set for transferring personal data to a recipient outside the border, what if the outside recipient does not comply after receiving the data? Both China and the EU impose a duty of "assurance" on the inside controller and processor.

In practice this requires the inside organization, on the one hand, to carefully examine the personal information protection philosophy, methods, capacity and the like of the outside organization, and on the other hand to control the outside organization via instruments such as agreements, so that if an infringement takes place a data subject is able to seek remedies through proper channels, for instance by suing the outside and/or inside organization on the basis of the agreements.

Meanwhile, an inside organization that does not properly perform its "assurance" duty may, depending on the circumstances, face administrative penalties. Responsible persons in China may also face criminal penalties.

Conclusion

To a personal information processor, compliance with personal information protection law is in some sense a corporate governance issue: a company must set up a proper internal personal information protection function in line with legal requirements, invest adequately in personal information protection infrastructure and give staff sufficient training, and in the meantime adopt proper internal rules to ensure that staff behave in accordance with the law.
