China’s National People’s Congress passed the legislation — known as the Personal Information Protection Law, or the PIPL — in August. The law’s passage follows two rounds of draft publication and solicitation of public opinions.
The PIPL is similar to the European Union’s General Data Protection Regulation (GDPR) in that it establishes rules for collecting, storing, handling and transferring personal data. There are also rules related to obtaining individuals’ consent. In addition, Reuters reports, the PIPL “states that handling of personal information must have clear and reasonable purpose and shall be limited to the ‘minimum scope necessary to achieve the goals of handling’ data.”
As with the GDPR, non-compliance with the PIPL comes with consequences, including but not limited to fines of up to RMB50 million (USD7.7 million) or 5 percent of the prior year’s annual revenue.
Beijing’s announcement of the new data protection law comes on the heels of the country’s new data security law, which took effect 1 September. The data security law dictates how companies must classify, store and transfer data to third parties. Together, the two laws reflect Beijing’s ongoing efforts to protect personal data and privacy. These efforts include increased enforcement. For example, China's Ministry of Industry and Information Technology recently fined over 43 apps for illegally transferring data under local rules.
This article highlights some important aspects of the PIPL that companies inside and outside China should consider.
Businesses that must comply with the PIPL
The PIPL applies to data-processing activities that occur within mainland China.
The law also applies to organisations based outside China that provide products or services to domestic natural persons, or that analyse and evaluate domestic natural persons’ behaviour. Again, multinational companies outside the EU that must collect data from EU citizens — and therefore must comply with the GDPR — will be familiar with this concept.
PIPL and GDPR terminology
Given that multinational organisations across the world have had to comply with the GDPR for many years now, it’s important to note at least one major difference between the GDPR’s terminology and the PIPL’s. The GDPR uses the term “data controller” to describe the entity that “determines the purposes for which and the means by which personal data is processed.” The “data processor” under the GDPR “processes personal data only on behalf of the controller” and is generally a third party.
The equivalent of the data controller under the PIPL is the “personal information processor” — that is, the personal information processor is the entity (i.e. individual or organisation) that determines the purpose and method of processing personal information. The “delegated party” under the PIPL refers to the party processing data on behalf of and at the instruction of the personal information processor; it is the equivalent of the data processor under the GDPR.
Consent and exemptions
To process personal data lawfully under China’s PIPL, one must obtain separate consent from the data subject, for example by obtaining a signature or checked box from the data subject.
There are other situations in which separate consent from the data subject must be obtained. For example, if an employer provides sensitive personal information to a third party, or transfers personal information outside China, it must first obtain separate consent from the data subject.
Consent is not required in certain limited scenarios, such as when carrying out a contract in which the data subject is a party or when fulfilling legal obligations.
Cross-border data transfers
The PIPL clarifies rules for the cross-border flow of personal information. Multinational organisations must understand and follow these rules to avoid non-compliance in certain situations, such as when transferring employee information to a headquarters outside China.
China classifies certain organisations — such as those in energy, transportation and finance — as critical information infrastructure operators (CIIOs). In order to transfer personal data outside China under the PIPL, CIIOs and organisations that process personal data exceeding volume thresholds set by the Cyberspace Administration of China (CAC) must pass a security assessment performed by the CAC.
Organisations that aren’t classified as CIIOs and do not meet the volume thresholds must also either pass the CAC security assessment or meet certain other criteria — such as obtaining a personal information protection certification — to make cross-border data transfers.
Before making cross-border data transfers, the personal information processor must inform the data subject of the data recipient’s name and contact information, along with the processing purpose and method, among other information.
Additional requirements for internet companies
The PIPL places additional requirements on large internet services providers that use personal data to attempt to influence user behaviour on their platforms. Among other steps, these providers must: establish independent organisations to oversee the protection of personal information; develop and implement rules for processing and protecting personal information; stop providing services to organisations that violate China’s data privacy laws; and regularly publish reports on data privacy and protection.
Recommendations for businesses affected by the PIPL
As mentioned, a multinational organisation that fails to comply with the PIPL faces significant penalties — up to RMB50 million or 5 percent of the prior year’s revenue. In addition, the company’s business license may be revoked.
There are also considerations for individuals within organisations who are directly responsible for ensuring compliance. Under the PIPL, government authorities can impose personal fines of up to RMB1 million (USD150,000) and may prohibit responsible persons from serving as directors, supervisors or senior managers.
Organisations inside and outside China that feel they may have to comply with the PIPL should take steps to fully understand their obligations under the new law; this process may require outside advisors. Those that are affected should document their data collection, storage, transfer and other processes in light of the new rules, then conduct a gap analysis. If the analysis uncovers risks, the organisation should address them by updating policies and practices. It may need to conduct trainings and provide additional internal support, especially for employees who handle personal data in China.
Depending on the volume of personal data collected and processed, and the nature of the business (for example, internet companies), China-based organisations should also consider appointing a data protection officer to ensure compliance. Organisations based outside China that must comply with the PIPL should either establish an organisation in China or delegate a representative in China to be responsible for personal information protection matters.
China’s new Personal Information Protection Law: How to prepare
12 Oct 2021