
Personal-Data

PIPL

China’s Personal Information Protection Law of 2021 is often compared to the GDPR but operates in a fundamentally different legal context. PIPL provides individual rights: informed consent for processing, access to personal information, correction of errors, deletion rights, and data portability. Processing requires a lawful basis (consent, contract, legal obligation, public interest, etc.). Cross-border transfers need individual consent plus one of three mechanisms: a government security assessment, standard contractual clauses, or certification. However, PIPL explicitly exempts state security and emergency response activities. The coexistence of PIPL’s individual protections with the National Intelligence Law’s access requirements creates an unusual framework: organizations must protect personal data while simultaneously being prepared to disclose it to state security when requested. For international data transfers involving China, this dual nature complicates compliance.

GDPR

The GDPR is the world’s most influential data protection regulation. It applies to any organization processing personal data of EU residents, regardless of where the organization is located. Key requirements include obtaining a lawful basis before processing (consent, contract, legal obligation, vital interests, public task, or legitimate interests), implementing data protection by design, appointing Data Protection Officers for large-scale processing, conducting impact assessments for high-risk activities, and reporting breaches within 72 hours. The regulation creates direct tension with US surveillance laws such as the CLOUD Act, FISA 702, and EO 12333, which can compel disclosure of data that the GDPR protects.