POPIA vs China’s PIPL: What is the Future of Data Privacy?

January 13, 2022 by Sam Strand

Since its enactment in 2016, the EU’s General Data Protection Regulation (GDPR) has shaped global norms and values – nearly all ensuing national data protection laws have been modelled off it. South Africa’s Protection of Personal Information Act (POPIA) was no exception and its enactment brought South Africa on par with global standards.

However, China’s new Personal Information Protection Law (PIPL) is noteworthy. Its approach is not only at odds with the norms established by the GDPR; it also explicitly states China’s desire to shape global standards for data protection. Contrasting POPIA and the PIPL highlights how political contexts shape legislation and reveals how data protection legislation may look in the future.

How Data Privacy Fosters Trust – The Tangible Economic Benefits

Both laws should be applauded for requiring the explicit consent of the individual before their personal data can be processed. These requirements for the acquisition of data subject consent – a staple in other leading privacy laws like the GDPR – are a mechanism designed to empower individuals to make informed decisions about how and when their personal information is collected and processed. This fosters digital trust.

Digital trust has become a major concern for businesses and consumers alike. For stakeholders and customers, it relates to whether they can trust that their data is secure, and that their personal information is correct, safe, and private. In an interview with Deloitte, the director of MIT’s Connection Science laboratory, Sandy Pentland, explained the value of transparency when dealing with personal information.

“I’m going to deliver this service to you, and then without really making it clear, we’re going to sell your data on the side. That’s a violation of trust. A consequence is that if I don’t understand your business model and what you are offering me and what the value is to you, I can’t trust you. It’s that transparency in value, the relationship, and the motivations that are often left on the floor.” – Sandy Pentland, MIT.

The formal recognition of data subject rights, combined with the prosecution of non-compliant businesses, creates an environment in which consumers can trust that businesses will not abuse their personal information once it is collected. This is invaluable, because countries in which businesses, governments and other institutions engender more trust experience stronger per capita real GDP growth. Macroeconomics has shown that as trust improves, economic prosperity grows.

POPIA vs PIPL – The Political State and Regulatory Compliance Obligations

The two laws diverge on the issue of state and governmental accountability. Enforcement of the PIPL is the responsibility of the Cyberspace Administration of China – a state-backed regulator that also controls the list of approved news sources. Although the PIPL empowers individuals in their transactions with the private sector, the law does not restrict the state’s ability to collect and process its citizens’ personal information.

In contrast, South Africa’s POPIA is enforced by the Information Regulator, an independent body that is accountable to the National Assembly and subject only to the law and constitution. POPIA therefore applies equally to businesses and the state (with a few exceptions for judicial and national security purposes). By establishing an independent regulator, POPIA is similar to the European Union’s GDPR and California’s CCPA. When contrasted with China’s PIPL, South Africa’s POPIA highlights the democratic values enshrined in our constitution.

Regardless, both national regulators have the power to impose harsh punishments, and both require the identification of a party responsible for data protection and compliance (the PIPL goes further, requiring the appointment of a dedicated “personal information protection officer” if certain thresholds for data processing are exceeded). For businesses and organizations, POPIA can impose fines of up to R10 million (±660,000 USD) and ten-year prison sentences, while the PIPL’s fines are heftier: up to 50 million Yuan (±7,800,000 USD) or 5% of the last year’s annual revenue.

Risk Management – Data Breaches and Information Abuse

Data breaches have become so pervasive that they have negatively affected the public image of technology and media companies. According to a survey by Deloitte, only 17% of respondents cited trust in the technology and media sector – unsurprising, considering the heightened levels of public scrutiny after the sector’s history of leaks and apathetic data security measures. The importance of this cannot be overstated, as in the same survey, 85% of respondents were “very or fairly likely” to sever an existing relationship with an organization if it does something that negatively impacts trust.

In the wake of repeated data breaches, regulatory oversight is now necessary to help ensure that businesses properly manage personal information. POPIA directly covers the issue of protecting against data breaches and adopts a Risk-Based Approach (RBA) that requires businesses to take reasonable precautions to protect against reasonably foreseeable risks. This means that if a business has instituted protective measures against reasonably foreseeable threats, such as common types of data breaches, then that business should be able to make a defensible legal case to the regulator and avoid penalties in the event of such a data breach.

The PIPL does not directly cover data breaches; that job is left mostly to the Cybersecurity Law, which takes a far more complex and controlling approach. Data is categorized as ‘general data’, ‘important data’, or ‘core data’, and each of these categories comes with its own security and processing requirements. The Law also stipulates multiple scenarios in which companies must undergo security reviews, for both national and international data handling.

Cross-Border Compliance – The Complex Road to Universal Standards?

POPIA and the PIPL both regulate cross-border data transfers, but China’s PIPL is far more constrictive – in some cases it even requires businesses to undergo a security assessment by the Cyberspace Administration of China before being allowed to transfer personal information out of China. The PIPL has also made it even more costly and inefficient for companies to store Chinese data overseas, thereby promoting the storage of all Chinese personal information on mainland China. Such constraints have serious implications: following other firms, LinkedIn withdrew from China in 2021, citing “a significantly more challenging operating environment and greater compliance requirements”.

However, national standards for cross-border data transfers are not new. The GDPR requires the EU Commission to determine whether non-EU countries “offer guarantees ensuring an adequate level of protection essentially equivalent to that ensured within the Union”. Compliance with these requirements is desirable because countries that meet them face lower trade barriers to doing business with EU citizens.

Lower barriers to trade have tangible effects: a report issued before the UK complied with GDPR requirements estimated that not meeting them would cost UK firms between 1 billion and 1.6 billion Pounds due to the additional compliance obligations. The extraterritorial scope of modern data privacy legislation can seriously constrain or promote business – developing global standards that protect personal information but minimize compliance obligations is therefore an objective worth pursuing.

In Article 12 of the PIPL, China clearly outlines its ambition to be at the forefront of such global standards for personal information protection:

“The [Chinese] State vigorously participates in the formulation of international rules [or norms] for personal information protection, stimulates international exchange and cooperation in the area of personal information protection, and promotes mutual recognition of personal information protection rules [or norms], standards, etc., with other countries, regions, and international organizations.”

Although Article 12 speaks of “cooperation in the area of personal information protection”, the highly restrictive nature of China’s current legislation sets it at odds with existing norms established by the GDPR. Successfully negotiating global standards for data protection, reconciling China’s more restrictive approach with current norms, and generating the necessary multilateral support would be an immense challenge. China’s powerful economy would grant it significant bargaining power within such negotiations, but different political contexts would likely see nations disagree on issues of state accountability, national security, and the degree to which individuals are wholly protected by such legislation.

The value of data protection laws for the protection of individual rights is proven and recognized. How nations will negotiate a solution to the increasingly complex intersection of such legislation remains to be seen.

Regulatory Compliance, Today

The rapidly expanding web of regional and international laws can make regulatory compliance a daunting task. The regulatory requirements that compel businesses to consider KYC, AML/CFT, privacy and cybersecurity – all while operating in a risky digital world packed with the sensitive personal information of clients – can seem overwhelming.

As South Africa’s leading provider of world-class due diligence and remote-onboarding solutions, ThisIsMe is proud to be at the forefront of a trust-based and privacy-compliant digital world. To book a demonstration and ensure future regulatory compliance, contact our team.