China’s Privacy Law: Impacts & How to Prepare
On October 21, 2020, the People’s Republic of China (PRC) unveiled a new draft of the Personal Information Protection Law (PIPL), the first potential comprehensive data protection law for the nation. PIPL contains many provisions inspired by the EU General Data Protection Regulation (GDPR) within its 8 chapters and 74 articles, in addition to its hefty fines.
After going through its third and final review during the National People’s Congress of China’s meeting this August, the law is now set to go into effect this November 1, 2021, becoming one of the strictest privacy laws now on the books.
While the final version of the law has yet to be publicly released as of this post, organizations that expect PIPL to apply to them may want to begin thinking through some of the potential operational changes of this law now. Some of these considerations are highlighted below:
Like GDPR, the PIPL has clear extraterritorial applications to overseas entities and individuals that process the personal information of individuals in mainland China. Even if an organization does not have a physical presence or legal entity in China, the law could still apply if the purpose of processing personal information outside of China is to:
- provide products or services to individuals in China,
- “analyze” or “assess” the behavior of individuals in China, or
- for other purposes to be specified by laws and regulations.
Personal Information Processors
Unlike most current privacy regulations, PIPL does not differentiate between a data controller and data processor. Organizations responsible for PIPL compliance are “Personal Information Processors,” which under PIPL refers to “organizations or individuals that independently determine the purpose, scope and means of processing of personal information.”
In other words, a Personal Information Processor under PIPL is akin to a Data Controller under the GDPR. Entities that are “entrusted” with the processing of personal information on behalf of a Personal Information Processor must contractually agree on the purpose, retention, processing method and protection measures for that information. In addition, those trustees must agree to no downstream sharing or usage of the personal information without the consent of the Personal Information Processor.
Also of note is that the final version of PIPL distinguishes between large-scale Internet platforms and “small scale” personal information processors. These large-scale organizations should follow “the principles of openness, fairness, and justice to formulate platform rules for personal information protection” – which include publishing “personal information responsibility reports” – while enabling China’s regulators to form relevant rules for small-scale processors that would “appropriately reduce their compliance costs.”
“Personal Information” has a similar definition compared to the GDPR’s “Personal Data” definition. Essentially, it’s “information recorded by electronic or other means related to identified or identifiable natural persons, however, excluding such information after anonymization processing.”
PIPL also has a provision for “Sensitive Personal Information,” similar to “Special Categories of Personal Data” under the GDPR. Sensitive Personal Information means Personal Information that, once leaked or illegally used, may cause discrimination against individuals or grave harm to personal or property security – which includes (but is not limited to) information on:
- Ethnic group,
- Religious beliefs,
- Personal biometric data,
- Personal Information of minors under the age of 14,
- Health information,
- Financial account information, and
- Location information
Opt-in consent is required for the processing of Sensitive Personal Information.
Data Protection Program
PIPL requires Personal Information Processors to create a data protection program. The law also includes a non-exhaustive list of specific program measures, such as:
- Implementing a classified management system for Personal Information
- Regular compliance audits
- Impact Assessments
- Employee Awareness & Training
- Designating a data protection officer
- Records of processing activities
- Individual rights request protocols
- Security Breach response and reporting requirements
Like the GDPR, organizations outside China that are subject to the law will need to appoint a data protection representative in China and also report relevant information of their domestic organization or representative to Chinese regulators.
PIPL includes various data subject rights, similar to GDPR. These individual rights include:
- Right to an explanation on the data processing activities
- Right to access personal information
- Right to correction
- Right to portability
- Right to opt-out of personalized marketing
- Right to deletion
If the retention period stipulated by laws and regulations has not expired, or the deletion of Personal Information is technically difficult to achieve, then the Personal Information Processor must stop processing information – other than storing and taking necessary security protection measures.
Organizations must provide a convenient mechanism that allows individuals to exercise their rights. If the organization denies individuals the ability to exercise their rights – in which case it must provide its rationale for the denial – then individuals may file a lawsuit in a people’s court in accordance with the law.
Legal Bases for Information Processing
PIPL provides multiple legal bases for processing Personal Information – these include:
- The individual’s consent – even if their information is publicly available
- Performing or fulfilling a contract with the individual
- Fulfilling regulatory requirements and obligations
- Public health incidents or emergency situations
- Necessary for accurate news reporting or monitoring public opinion in the public interest
- Compliance with other Chinese laws and regulations
PIPL requires that consent must be clear, voluntary and well-informed. In addition, there are specific consent requirements for certain situations:
- Specific opt-in consent required for processing Sensitive Personal Information
- Parental consent for processing Personal Information of minors below the age of 14 – if the Personal Information Processor knows or should have known that it processes the Personal Information of a child.
- Consent for automated decision making processes. Consent – along with specific disclosure in the organization’s privacy notice – for the transfer or sharing of Personal Information and automated decision-making mechanisms. And similar to California’s privacy law, the use of Personal Information for automated decision-making “shall not impose unreasonable differential treatment on individuals in terms of transaction prices and other transaction conditions”
PIPL does not provide any specific time when it comes to obtaining consent. The law does imply that it must be provided in a “timely manner,” although it doesn’t specify what “timely” means.
As opposed to current data localization requirements under the China Security Law (CSL), the PIPL provides more specific requirements for organizations that must store information processed specifically within the borders of the PRC. The Personal Information Processor that processes a certain threshold of Personal Information will have to pass a security assessment organized by the regulator of the PIPL: the Cyberspace Administration of China (CAC).
PIPL requires a security assessment administered by the CAC – as well as notice and consent – for any cross-border data transfers. Organizations must carry out an internal risk assessment prior to transferring personal information out of the PRC and keep records of such transfers. Personal Information Processors can also utilize PIPL approved transfer mechanisms such as a certified third-party security assessor or entering into a standardized cross-border data transfer agreement.
In the event of a security breach, PIPL requires entities to take “immediate” remediation actions and notify the relevant agency and affected individuals. Unlike the GDPR and most US state breach notification laws, there is no specific timeline for notification.
Enforcement & Fines
PIPL provides a relatively broad private right of action – the ability for individuals to sue – as well as general enforcement by the CAC.
Under PIPL, an organization that unlawfully processes personal information or fails to take necessary security measures to protect personal information may be subject to baseline fines up to 1 million RMB. If the violation is considered serious, the fine may be increased up to 50 million RMB or 5% of the organization’s annual revenue for the prior financial year.
The law also has a provision for personal liability in the context of a violation: personnel who are directly responsible for the personal information processing may be fined up to RMB 1 million.
How to Achieve Compliance with PIPL
The PIPL – together with China’s brand new Data Security Law applicable to critical information that has national security concerns – is part of the PRC’s effort to strengthen its regulatory framework for privacy and data protection. Legislative reform in the PRC is also quite swift – PIPL will be effective November 1st of this year while its recently passed Data Security Law will be effective on September 1st. Indeed, the CAC announced this summer it would launch an investigation into Didi Global, China’s ride-hailing app, for allegedly violating user privacy.
These regulations will have a major impact on companies operating or doing business with China. But as the Chinese proverb “Nàixīn, jiānchí hé hànshuǐ shì chénggōng de bìshèng fǎbǎo” goes – “patience, persistence and perspiration make an unbeatable combination for success.” Although many implementation details remain unclear, organizations should start reviewing and assessing their information processing activities now against the requirements of the comprehensive regulations. BigID can help organizations operationalize their privacy programs – from PI inventories to automating data rights fulfillment to monitoring cross-border transfers. Get a 1:1 with our data privacy experts to find out how to achieve compliance with PIPL – and where to start.