Countries around the world are implementing new regulations concerning data privacy and protection. One of the latest is in China. The Personal Information Protection Law (PIPL) went into effect on November 1, 2021, and it’s causing significant concerns for many multinational companies.
Yahoo, for example, recently announced it would stop servicing the market in China due to compliance concerns.
What is the Personal Information Protection Law (PIPL)?
The PIPL is similar to the EU’s General Data Protection Regulation (GDPR) in that it imposes restrictions on how personal data is collected, stored, used, and managed. It has four stated objectives:
- To protect the rights and interests of individuals
- To regulate personal information processing
- To safeguard the lawful and orderly flow of data
- To facilitate the reasonable use of personal information
While much of the language in the PIPL draws inspiration from the GDPR, other key tenets distinguish it from its predecessor. There is a significant focus on cross-border data transfers and broad governmental rights. For example, the PIPL affirms China’s intent to defend what it calls digital sovereignty. Essentially, that means anything the government feels infringes on the rights of its citizens, jeopardizes national security, or goes against the public interest will face restrictions. These restrictions may bar some companies from doing business there.
Penalties for noncompliance include administrative fines of up to 5% of annual turnover (gross revenue) or RMB 50 million (approximately $7.8 million). Additionally, individuals within an organization can be named separately and face fines up to RMB 1 million (more than $150,000). Serious violations can lead to criminal liability.
How Should Organizations Assess PIPL Compliance?
One of the challenges with PIPL compliance is the lack of specificity in much of the law, along with its rapid implementation. While the GDPR gave organizations two years to prepare for implementation, PIPL went into effect less than three months after being passed into law.
However, if you are collecting or processing personal information from individuals in China, you will need to comply. Here are seven key areas that businesses need to address as part of the effort to comply with the PIPL:
- Identify a clear lawful basis for data processing
- Review and implement consent requirements
- Manage cross-border data flows
- Conduct a formal data protection impact assessment
- Create a system to manage data subject requests
- Appoint a Data Protection Officer and China representative
- Review gatekeeper provisions
Identify a Clear Lawful Basis for Data Processing
One of the first things organizations need to do to make sure they comply with PIPL is review their data processing standards. Under the PIPL, businesses must have a lawful basis for any data that is collected, stored, or processed related to a Chinese citizen. The PIPL requires personal information is to be limited to the smallest scope to fulfill that purpose.
You must have a clear and reasonable purpose for data collection or use. Currently, these purposes include data processing that is necessary to:
- Enter into or perform a contract
- Conduct human resources/personnel management practices per labor policies or collective agreements
- Comply with legal duties
- Respond to public health incidents or protect the rights and interests of Chinese citizens
- Report on news or supervision of media to protect the public interest
While the GDPR uses “legitimate interest” as a lawful use, such as commercial interests or marketing, the PIPL has no such stipulation. Businesses that use data for purposes outside those listed here need to take a careful look at their data processing policies with their legal counsel.
Review and Implement Consent Requirements
In most cases, the PIPL requires that organizations obtain consent for data collection and processing. Companies should review their collection and use policies to make sure consent is collected where required.
- This includes consent for data use such as:
- Sharing with other data processors
- Providing personal data to recipients beyond Chinese borders
- Publicizing personal data
- Processing sensitive data
- Data for minors under the age of 14
Articles 14 and 15 of the PIPL clarify that consent is only valid if individuals voluntarily and explicitly provide such consent with the full knowledge of how the data will be processed for each use. Consent banners must be obvious.
Consumers must also have an easy and convenient way to withdraw consent.
Manage Cross-Border Data Flows
There are significant restrictions within the PIPL regarding data that crosses borders. For example, organizations that are designated as Critical Information Infrastructure (CII) operators must submit to a mandatory security assessment conducted by the Cyberspace Administration of China (CAC).
For companies that are not designated as part of the CII, data transfers beyond Chinese borders require organizations to submit to a voluntary security assessment, be certified by agencies appointed by the CAC, or enter into an agreement with the CAC.
Once data leaves Chinese borders, the same protections will continue to apply, including data used by third-party processors.
Conduct a Formal Data Protection Impact Assessment
Organizations that process the data of Chinese citizens are required to conduct a data protection impact assessment (DPIA) and maintain a record of data processing activities. This works as a positive affirmation by organizations that they have complied with the PIPL and have implemented adequate protection measures to secure data in their possession.
Create a System to Manage Data Subject Requests
Under the PIPL, consumers have the right to request access and copies of data collections along with corrections or deletions of data, withdrawal of consent at any time, or portability of data.
Similar to the provisions in the GDPR, organizations must implement internal processes and policies for responding to requests promptly.
Appoint a Data Protection Officer and China Representative
To comply with the PIPL, you may also need to appoint a data protection officer (DPO) if you exceed a certain threshold amount as determined by the CAC. However, the PIPL does not specify what this threshold is.
You must also establish a local representative in China to handle matters relating to personal information processing.
Review Gatekeeper Provisions
Additional obligations are placed on large platform operations that include establishing an independent supervising body with external members to:
- Help create and manage rules on personal data protection
- Reject product or service providers that violate the PIPL
- Publish period reports on personal data protection policies
Organizations will want to review the “gatekeeper” provisions in the PIPL with their legal counsel.
If an Organization Is Already GDPR Compliant, Are They Also PIPL Compliant?
In many ways, complying with the GDPR will help meet many of the requirements under the PIPL. However, there are key differences that go beyond GDPR provisions, including:
Defining lawful basis differently. Some uses under the GDPR may not be acceptable under the PIPL.
- Classifying financial data as sensitive date while the GDPR does not.
- Additional requirements for data localization and different cross-border data transfer regulations.
- Granting rights for personal data upon death
- Requiring representatives in China
- Requiring notification of any data breaches immediately, rather than within 72 hours as specified under GDPR
In short, ensuring GDPR compliance will accomplish many of the objectives of the PIPL, but not all of them.
PIPL Is Now in Effect
PIPL is now the law in China. As with the GDPR, there are likely to be more refinements as provisions are better defined.
While the latest data protection legislation to go into effect, PIPL won’t be the last. 66% of the world’s countries now have some form of data protection laws. Another 10% of countries have draft legislation pending.
Organizations should review their policies and practices to make sure they comply now and stay up-to-date on evolving data protection practices to maintain legal compliance into the future.