China’s new Personal Information Protection Law: How to prepare

12 October 2021
spotlight_insights_23.jpg
China passed a comprehensive new data privacy law that takes effect 1 November. Companies operating in China and those serving China-based customers must comply with the tough new requirements or risk significant fines and penalties.

China’s National People’s Congress passed the legislation — known as the Personal Information Protection Law, or the PIPL — in August. The law’s passage follows two rounds of draft publication and solicitation of public opinions.

The PIPL is similar to the European Union’s General Data Protection Regulation (GDPR) in that it establishes rules for collecting, storing, handling and transferring personal data. There are also rules related to obtaining individuals’ consent. In addition, Reuters reports, the PIPL “states that handling of personal information must have clear and reasonable purpose and shall be limited to the ‘minimum scope necessary to achieve the goals of handling’ data.”

As with the GDPR, non-compliance with the PIPL comes with consequences, including but not limited to fines of up to RMB50 million (USD7.7 million) or 5 percent of the prior year’s annual revenue.

Beijing’s announcement of the new data protection law comes on the heels of the country’s new data security law, which took effect 1 September. The data security law dictates how companies must classify, store and transfer data to third parties. Together, the two laws reflect Beijing’s ongoing efforts to protect personal data and privacy. These efforts include increased enforcement. For example, China's Ministry of Industry and Information Technology recently fined over 43 apps for illegally transferring data under local rules.

This article highlights some important aspects of the PIPL that companies inside and outside China should consider.

Vistra Trends '22
Businesses that must comply with the PIPL

The PIPL applies to data-processing activities that occur within mainland China.

The law also applies to organisations based outside China that provide products or services to domestic natural persons, or that analyse and evaluate domestic natural persons’ behaviour. Again, multinational companies outside the EU that must collect data from EU citizens — and therefore must comply with the GDPR — will be familiar with this concept.

PIPL and GDPR terminology

Given that multinational organisations across the world have had to comply with the GDPR for many years now, it’s important to note at least one major difference between the GDPR’s terminology and the PIPL’s. The GDPR uses the term “data controller” to describe the entity that “determines the purposes for which and the means by which personal data is processed.” The “data processor” under the GDPR “processes personal data only on behalf of the controller” and is generally a third party.

The equivalent of the data controller under the PIPL is the “personal information processor” — that is, the personal information processor is the entity (i.e. individual or organisation) that determines the purpose and method of processing personal information. The “delegated party” under the PIPL refers to the party processing data on behalf of and at the instruction of the personal information processor; it is the equivalent of the data processor under the GDPR.

Consent and exemptions

To process personal data lawfully under China’s PIPL, one must obtain separate consent from the data subject, for example by obtaining a signature or checked box from the data subject.

There are other situations in which a separate consent from the data subject must be obtained. For example, if an employer provides sensitive information to a third party, or transfers personal information outside China, it must first obtain separate consent from the data subject.

Consent is not required in certain limited scenarios, such as when carrying out a contract in which the data subject is a party or when fulfilling legal obligations.

Cross-border data transfers

The PIPL clarifies rules for the cross-border flow of personal information. Multinational organisations must understand and follow these rules to avoid non-compliance in certain situations, such as when transferring employee information to a headquarters outside China.

China classifies certain organisations — such as those in energy, transportation and finance — as critical information infrastructure operators (CIIOs). In order to transfer personal data outside China under the PIPL, CIIOs and organisations that process personal data exceeding volume thresholds set by the Cyberspace Administration of China (CAC) must pass a security assessment performed by the CAC.

Organisations that aren’t classified as CIIOs and do not meet the volume thresholds must also either pass the CAC security assessment or meet certain other criteria — such as obtaining a personal information protection certification — to make cross-border data transfers.

Before making cross-border data transfers, the data information processor must inform the data subject of the data recipient’s name and contact information, along with the processing purpose and method, among other information.

Additional requirements for internet companies

The PIPL places additional requirements on large internet services providers that use personal data to attempt to influence user behaviour on their platforms. Among other steps, these providers must: establish independent organisations to oversee the protection of personal information; develop and implement rules for processing and protecting personal information; stop providing services to organisations that violate China’s data privacy laws; and regularly publish reports on data privacy and protection.

Recommendations for businesses affected by the PIPL

As mentioned, a multinational organisation that fails to comply with the PIPL faces significant penalties — up to RMB50 million or 5 percent of the prior year’s revenue. In addition, the company’s business license may be revoked.

There are also considerations for individuals within organisations who are directly responsible for ensuring compliance. Under the PIPL, government authorities can impose personal fines of up to RMB1 million (USD150,000) and may prohibit responsible persons from serving as directors, supervisors or senior managers.

Organisations inside and outside China that feel they may have to comply with the PIPL should take steps to fully understand their obligations under the new law; this process may require outside advisors. Those that are affected should document their data collection, storage, transfer and other processes in light of the new rules, then conduct a gap analysis. If the analysis uncovers risks, the organisation should address them by updating policies and practices. It may need to conduct trainings and provide additional internal support, especially for employees who handle personal data in China.

Depending on the volume of personal data collected and processed, and the nature of the business (for example, internet companies), China-based organisations should also consider appointing a data protection officer to ensure compliance. Organisations based outside China that must comply with the PIPL should either establish an organisation in China or delegate a representative in China to be responsible for personal information protection matters.