The global legal market continues preparations to implement China’s Personal Information Protection Law (PIPL), which was passed on 20 August 2021 and takes effect on 1 November 2021. Stanford University has published an English version of China’s PIPL.
PIPL requires any organisation or individual handling Chinese citizens’ personal data to minimise data collection and obtain prior consent, closely mirroring the EU’s General Data Protection Regulation (GDPR). Companies that already comply with GDPR and the California Consumer Privacy Act should have a smooth ride.
The PIPL applies to:
- The processing of personal information in China; and
- The processing of personal information outside China, if it involves:
  - Providing products or services to natural persons in China,
  - Analysing and evaluating the behaviour of natural persons in China, or
  - Other circumstances stipulated by laws and administrative regulations.
Similar to GDPR, the PIPL establishes seven principles for data processing: legality, explicit purpose, minimum necessity, transparency, accuracy, accountability and data security, and storage limitation.
GDPR v. PIPL: what they share
- Require designated representation: Mandates that companies establish a special institution or designate a representative and report the name and contact details of that institution or representative to the authorities.
- Extraterritorial in nature: Applicable to any company that processes Chinese citizens’ personal data, regardless of where the processing occurs.
- Rights for individuals: Grants individuals the right to access, correct, delete, and transfer their personal data, and to restrict its collection and use.
Distinctions that make PIPL more rigorous:
- Mandatory individual consent prior to the disclosure of personal information.
- Requires companies, regardless of their location (China or outside), to establish a special institution or designate a representative.
- Penalties for PIPL violation are much stricter and may involve revocation of the right to do business with China.
Through the PIPL, it is evident that the Chinese government wants significant control over and access to companies doing business with China.
Preparations the Legal Industry Needs to Make
Like any other industry that processes individuals’ personal information, legal services providers and enterprises fall within the scope of the PIPL. Below are a few basics about the regulation and practical guidance on how these companies can become PIPL-ready:
Lawful handling of personal information:
- Consent secured from the individuals whose data are being handled
- Contracts, including collective labour contracts
- Statutory duty or legal obligation
- Public health emergencies or vital interests, such that handling the data protects the life, health, and property of natural persons in emergencies
- Public interest, such as news reporting or “public opinion supervision,” within a reasonable scope
- Public information, such that the information being handled has been lawfully disclosed to the public, within a reasonable scope
- Any other circumstances stipulated by laws and administrative regulations
Data Localisation Threshold
The PIPL clarifies that only critical information infrastructure operators (CIIOs) and personal information processors that process personal information in volumes reaching the amount specified by the Cyberspace Administration of China (CAC) must fulfil the data localisation obligations. In addition, the data localisation threshold only applies to data collected or generated in China.
Obligations for Cross-Border Personal Information (PI) Transfers
Data processors must fulfil one of the following conditions when transferring data outside of China:
- Pass a CAC security assessment, if the export involves a CIIO or the handling of PI in volumes exceeding a to-be-stipulated threshold
- Undergo a specialised agency’s PI protection certification
- Enter a contract with the overseas recipient using the CAC’s standard form
- Other conditions prescribed by laws, regulations, or the CAC
Privacy Impact Assessment (PIA) Requirements
A PI handler must conduct a PIA before handling data that could have a significant impact on individuals’ rights and interests, including in the following situations:
- Handling sensitive PI
- Using PI for automated decision-making
- Entrusting handling to other parties, providing PI to other handlers, or disclosing PI publicly
- Transferring PI out of China
Entities subject to the PIPL must retain the PIA reports and related handling records for at least three years.
Appointing a Data Protection Officer (DPO)
A PI handler that processes PI in volumes exceeding the CAC threshold must designate a person in charge of PI protection, similar to the DPO requirement under GDPR, to supervise PI handling activities and the implementation of protective measures. The PI handler must publicly disclose the DPO’s contact information and report it to the relevant authorities.
Practical steps for becoming PIPL-ready:
- Train managers and employees.
- Conduct a self-assessment of the enterprise’s business and the personal information the entity may manage through its operations.
- Create or amend the organisation’s personal information policy.
- Establish a compliance system for protecting personal information.
- Issue regular reports on the social responsibility to protect personal information.
- Improve the collection process for app users’ and employees’ personal information.
- Manage personal information according to its nature.
- Implement relevant protection measures, such as encryption and de-identification.
- Set reasonable operational controls and provide ongoing training to staff.
- Formulate a security incident response plan and engage in simulation exercises.
Because the PIPL takes many cues from GDPR, compliance should not be burdensome for companies that already follow GDPR. However, global companies may face challenges with the PIPL rules governing cross-border transfers of personal information, which are more stringent than those in GDPR or in pre-PIPL privacy rules in China. Focusing on the cross-border transfer requirements should be a priority, especially since implementing the technical and operational measures needed to address them may require extensive lead time.
Authored by: 3NServe
Disclaimer: The views and opinions expressed in this article are those of the authors and do not necessarily reflect the official policy or position of Novum Learning or Legal Practice Intelligence (LPI). While every attempt has been made to ensure that the information in this article has been obtained from reliable sources, neither Novum Learning or LPI nor the author is responsible for any errors or omissions, or for the results obtained from the use of this information, as the content published here is for information purposes only. The article does not constitute a comprehensive or complete statement of the matters discussed or the law relating thereto, and does not constitute professional and/or financial advice.