China’s Landmark Personal Information Protection Law—Are You Prepared?
Following the launch of the Cybersecurity Law (“CSL”, effective June 1, 2017) and Data Security Law (“DSL”, effective September 1, 2021), China enacted the Personal Information Protection Law (“PIPL”) on November 1, 2021. The PIPL is by far the most significant law in China’s data protection regime with extraterritoriality and stringent sanctions (fines could go as high as RMB 50 million (approx. USD 7.74 million) or 5% of the violator’s turnover in the previous year). While in many aspects similar to the EU’s General Data Protection Regulation (“GDPR”), the PIPL has some significant differences for companies with an interest in China. Below we highlight some key aspects of the PIPL with relevance to both Chinese and foreign companies that process personal information (“PI”) in China.
PI Processing Basis
The PIPL provides for six bases for collecting and processing PI. The most prominent one is informed consent, but it is important to remember it is not the only basis. It is also worth noting that “Legitimate Interest”, which is recognized under the GDPR as an independent basis, is not among the PIPL’s bases, which may require GDPR-compliant companies to make certain adjustments to their policies. Under the PIPL, companies are allowed to process PI if the processing is necessary to conclude contracts or perform contractual obligations. The necessity to fulfill statutory functions or statutory obligations or tackle public health emergencies also justifies PI processing.
Additionally, companies should always bear in mind they are only allowed to process PI “within a reasonable scope”. Though there is ambiguity about the definition of “reasonable scope”, a risk-minimizing approach would be to minimize the use of PI and the time for which it is stored. It is also critical to have proper processes in place (as well as the relevant legal documentation) in relation to both collection and use to ensure that the basis is solid.
Data Subject Rights
The PIPL requires businesses to obtain an individual’s consent for certain actions involving processing his or her information and provides individuals with rights over their personal information, such as the right to know, access, modify, copy and delete it, withdraw their consent and refuse automated decision-making. Deceased persons also enjoy rights under the PIPL, exercised by their close relatives. Notably, failure to implement mechanisms that will facilitate data subjects in exercising their rights may create legal liability.
The PIPL is applicable to both Chinese and foreign companies (the law has an extraterritorial reach) when it comes to PI processing of Chinese individuals. Extraterritoriality will apply if the information concerned is that of natural persons inside China, and it is processed in order to provide products and services to natural persons in China, analyze or assess their conduct or under any other statutory circumstance. In particular, data processors outside of China are required to designate a personal information protection representative or institution within China to protect PI under certain circumstances.
Cross-border Data Transfer
A major issue for international businesses is the cross-border transfer of information. Under the PIPL, if businesses are to undertake cross-border PI transfer, they have to meet one of several conditions, such as passing a security assessment by the Cyberspace Administration of China (“CAC”, China’s privacy regulator), signing a contract based on CAC’s model contract with the overseas information recipient or getting a prior personal information protection certification by a specialized institution in accordance with CAC rules. Specific and separate consent from the data subject may also be required for cross-border data transfers under certain circumstances.
The PIPL imposes additional liabilities on PI processors providing important internet platform services, having a massive number of users and complex business types. This may be of special relevance to some tech companies.
In view of the PIPL’s relevance and penalties, companies should carefully study the requirements, review and amend their data protection agreements as well as their standard terms and conditions, introduce well-developed consent forms and cross-border data transfer policies, designate a personal information protection representative or institution within China (if applicable) and implement data subject right protection mechanisms. While GDPR and PIPL are similar, companies should not assume their GDPR compliance makes them PIPL compliant automatically.
By: Zach Lichtblau and Yasmin Yao
If you have any questions about privacy or data protection in China, you may contact BNLS Law Firm at firstname.lastname@example.org and email@example.com.