The recently effective data protection law in China affects even non-Chinese businesses. In this article, we cover the law’s basic principles and compliance challenges.
China’s Personal Information Protection Law (PIPL) came into force on November 1st, 2021. The law establishes strict rules on handling the personal data of Chinese citizens and sets immediate compliance requirements.
Large international tech companies will likely be affected the most, as they have to establish their presence in China and use local servers to onboard Chinese users. We’ve summarized the law’s key principles and how to comply with them.
The PIPL affects public and private organizations that handle the personal data of Chinese citizens for activities including, but not limited to:
The law equally applies to foreign businesses, including those without a legal entity in China. This could be a non-Chinese business that advertises to Chinese users or onboards them to its app or e-store.
Third-party vendors providing businesses with data handling services must also comply with the PIPL. However, it’s on businesses to make agreements with vendors and supervise them to ensure compliance.
Definitions under the PIPL
Personal information is any data by which an individual can be identified, such as their name, appearance, email address, IP address, cookie ID, and so on. Personal data doesn’t include anonymised data.
Sensitive personal information includes biometrics, religion, medical and financial information, individual location tracking, as well as information relating to minors under the age of 14.
Businesses that are subject to the PIPL must guarantee users’ personal information rights and protect personal data from breaches and unlawful usage. The PIPL lays out the legal bases for data handling and explains when to ask for a user’s consent to it.
The PIPL also introduces data localization and data transfer rules, which restrict storing and transferring personal information outside of China.
The PIPL defines the grounds for handling personal information. This includes the following cases:
In case none of the legal bases above are appropriate, businesses must request the individual’s consent.
The law requires businesses to map their data flows by covering what personal information is processed and why, as well as where it is held and transferred. The mapping should include:
The resulting record is used as a basis for implementing protection measures under the PIPL.
If a business doesn’t have an appropriate legal basis for data handling, it must obtain user consent in a non-coercive way. Accordingly, user consent must be:
Additionally, the PIPL introduces a separate consent requirement, which is uncommon for other data privacy laws such as the European General Data Protection Regulation (GDPR). Under the PIPL, separate consent is needed when:
In cases involving the handling of information of minors under the age 14, a parent or trustee should provide consent.
Before handling a user’s data, businesses must provide them with a consent form which clarifies the following:
The consent form can be provided via a pop-up notification.
For cross-border data transfers, businesses must additionally provide the user with the foreign receiving side’s name and contacts before requiring separate consent.
The PIPL provides individuals with a set of rights relating to their personal information. These include the rights to:
Under the PIPL, it is the company’s obligation to ensure and protect these rights.
Businesses must ensure that users can make decisions relating to their personal information and have the tools to opt out. Therefore, it’s required to review privacy policies and notices to ensure that they contain the following:
All in all, businesses are recommended to develop internal processes and policies for responding to user requests and providing them access to their personal information.
The PIPL sets restrictions on the use of personal data for automated profiling in online advertising:
Personal data used for automated profiling can relate to the user’s behavior, habits, interests, hobbies, as well as their financial, health, credit, or other status.
The PIPL introduces a data localization rule, which prohibits the following types of companies from storing data on servers outside of China:
This requirement has the potential to force large multinational tech companies to open an office in China to ensure data localization.
Compliance measures for companies outside China vary according to the following parameters:
Local companies must be prepared for an on-demand assessment by the Cyberspace Administration of China (CAC), which may want to make sure the data localization rule is fulfilled.
*As of 25.01.2022, the CAC hasn’t provided any clarification on whether “1 million users” refers to Chinese users specifically.
The PIPL sets restrictions on transferring personal data outside of China. The following entities and data types fall under the restrictions:
1. Entities affected:
2. Data types affected:
If the above-mentioned criteria apply, businesses must undergo a security assessment by the Cybersecurity Administration of China (CAC) before transferring data abroad.
In all other cases, firms are allowed to transfer personal information under one of three conditions:
Any firm willing to transfer personal data outside China must conduct a self-assessment, examining whether personal information handling is lawful and necessary, and whether protective measures are suitable to the degree of risk.
To apply for the CAC security assessment, businesses must provide a package of documents, including:
The contract must limit the recipient’s data usage scope and indicate penalties for contract violations. It’s also required to indicate security measures and where the data will be physically located.
According to the same guidance, businesses must indicate administrative and technical measures in their self-assessment report for the cross-border transfer. These include:
Although the CAC hasn’t yet provided clear mechanisms for security assessments, it issued draft Measures for the Security Assessment of Outbound Data on October 29th, where general requirements are provided.
When a firm handles a certain amount of data (to be further specified by the CAC), it’s obliged to appoint a Personal Information Protection Officer, analogous to the DPO under the GDPR.
The names and contacts of Personal Information Protection Officers should be reported to the CAC and indicated in the privacy policies of the firm. It’s also recommended to watch for additional guidance on required qualifications of officers, which may be issued by the CAC.
If a firm is established outside China and is handling the personal data of Chinese citizens, it must designate a representative within China. A representative can be either a natural person or a legal entity.
The representative’s names and contacts should be reported to the Cybersecurity Administration of China (CAC). It is also recommended to watch for additional guidance on requirements for the representative, which may be issued by the CAC.
The PIPL was passed on August 20th, 2021 and came into effect on November 1st, 2021, giving businesses only two months to implement compliance measures. As of November 2021, the law requires immediate compliance from obliged businesses.
Sanctions for non-compliance with the PIPL depends on whether a company is local or foreign. For local firms, sanctions include:
Overseas companies that don’t fall into line with the PIPL or harm the national security of China may be:
The CAC is responsible for creating and updating the blocklist.