Data privacy in China will receive an important boost once the Personal Information Protection Law comes into effect. While a timeline on the law’s implementation is not confirmed, we discuss how businesses (based in China and those engaged in commercial interactions with people living in China) should prepare ahead to ensure data privacy compliance.
With measures to ensure privacy getting prioritized worldwide, many countries have framed relevant laws and regulations on personal information protection. China too released its draft Personal Information Protection Law (PIPL), which just closed its seeking-opinion period on November 19, 2020.
When the draft PIPL is passed, China will finally have a central, universal law governing the protection of personal information. Although there is no established schedule yet for passing the law, companies doing business in China are advised to study the draft and make the necessary preparations wherever possible, given the PIPL’s potentially wide-ranging impact.
Those familiar with the European Union’s General Data Protection Regulation (GDPR) will find some similarities in the draft PIPL when reading it the first time as some concepts are “borrowed”.
The PIPL will apply to any organization or individual that processes personal information in China. For companies outside China, the PIPL also applies if they provide services or products to people in China or analyze and evaluate the activities of people in China.
The draft PIPL proposes significant penalties for serious violations, including rectification orders, confiscation of illegal gains, business suspension, revocation of business licenses, and fines of up to RMB 50 million (approx. US$7.6 million) or five percent of turnover in the previous year. Individuals in charge of personal information protection will also be subject to penalties of up to RMB 1 million (approx. US$153,200).
Below, we share some analysis from the IT perspective on guiding internal operations and address frequently asked questions.
One common misunderstanding on the PIPL is that it is only applicable to internet firms, such as Tencent, Baidu, Bytedance, etc. Actually, as long as you have a business running in China, you will be regulated by the new PIPL as there is always personal information, such as email address and phone number, that gets collected and processed during business operations and interactions with customers.
Moreover, even if your company has no physical presence in China, it may still be regulated by the PIPL if it processes the personal information of people in China for the purpose of providing products or services to them or analyzing and evaluating their activities. Examples include selling products to Chinese consumers via a Tmall international shop, providing online language training courses, or using AI-based technology to surveil people in China (facial recognition, location tracking, profiling, etc.).
Under the new PIPL, there are a couple of things you have to consider about the IT infrastructure or system design of your company.
Many small and medium-sized enterprises (SMEs) use a headquarters (HQ)-based system to support their businesses in China in order to save costs. This means all data, including personal information, is transferred outside of China and stored in the system hosted at HQ.
According to the draft PIPL, companies must satisfy at least one of the following conditions to transfer personal information out of China:
Among these conditions, the third is the easiest for a company to handle on its own. Therefore, if your company is in this situation and wants to keep using HQ-based IT systems, you should work with your legal team to develop a contract that meets all the related requirements set out in the PIPL.
Note that this strategy does not always work. If your company is classified as a ‘critical information infrastructure operator’, which refers to operators in important industries and sectors such as public communications, information services, energy, transport, water conservancy, finance, public services, and e-government, all personal information is in principle required to be stored within the territory of China, unless you pass the security assessment organized by the State cyberspace administration. This means your company needs to consider building a stand-alone IT infrastructure in China, either cloud-based or on-premises.
Moreover, even if the company sets up IT infrastructure in China and stores all collected personal information within Chinese territory, a de facto cross-border data transfer may still occur if the company gives staff at HQ remote access tools for the data stored in China. In this case, your company is advised to restructure its work processes to avoid remote access, or to provide only generalized information, such as summary reports, rather than detailed personal information.
‘Sensitive personal information’, according to the draft PIPL, refers to the personal information that may lead to discrimination or serious harm to personal or property safety once disclosed or illegally used, including such information as race, ethnicity, religious belief, personal biological characteristics, medical health, financial accounts, and personal whereabouts. This scope is much wider than that in the GDPR or other laws of the same kind. Under this definition, location information, mobile number, bank account, financial transaction data, etc. are all considered as sensitive personal information.
Sensitive personal information requires extra protection under the law. If your company is going to process sensitive personal information, you will need to design a differentiated privacy notice interface, because the PIPL requires “explicit and individual consent” for each purpose of processing sensitive information. This means you cannot let the user tick a single checkbox to consent to every purpose of data processing you intend to carry out. Instead, you need to list each purpose for which sensitive personal information is processed separately and obtain explicit consent from the user for each one.
The draft PIPL requires the company to manage personal information by hierarchical classification and to retain personal information only for the minimum period necessary. This means the company needs to deploy techniques to detect, identify, and classify the personal information being collected and processed, and to implement a proper data retention policy that deletes personal information no longer needed for the original purpose of collection.
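The two requirements above, per-purpose explicit consent for sensitive personal information and classification with purpose-bound retention, can be encoded as simple checks in the system that stores the data. The following is an added example written for this article, not code from the draft PIPL or from any vendor; the category names, the purposes and the retention periods are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Categories the draft PIPL names as sensitive personal information (assumed
# labels); anything not listed here is treated as general personal information.
SENSITIVE_CATEGORIES = {
    "race", "ethnicity", "religious_belief", "biometric", "medical_health",
    "financial_account", "location", "mobile_number",
}

# Retention period per collection purpose, in days (assumed values).
RETENTION_DAYS = {"order_fulfilment": 180, "marketing": 365}


@dataclass
class Consent:
    purpose: str    # exactly one purpose per consent record ("all" = blanket checkbox)
    explicit: bool  # True only if given through its own separate prompt


@dataclass
class PersonalInfoRecord:
    subject_id: str
    category: str       # e.g. "email", "location", "financial_account"
    purpose: str        # the purpose for which the data was collected
    collected_on: date
    consents: list = field(default_factory=list)


def classify(record):
    """Hierarchical classification: 'sensitive' or 'general'."""
    return "sensitive" if record.category in SENSITIVE_CATEGORIES else "general"


def may_process(record, purpose):
    """General data may rely on a blanket consent; sensitive data needs an
    explicit consent for this exact purpose, so 'all' is rejected for it."""
    if classify(record) == "general":
        return any(c.purpose in (purpose, "all") for c in record.consents)
    return any(c.purpose == purpose and c.explicit for c in record.consents)


def expired(record, today):
    """True once the record has outlived the retention period of its purpose."""
    limit = RETENTION_DAYS.get(record.purpose)
    return limit is not None and record.collected_on + timedelta(days=limit) < today


def purge_expired(records, today):
    """Retention enforcement: return only the records that may still be kept."""
    return [r for r in records if not expired(r, today)]
```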
Therefore, if your company uses mobile apps to communicate with people or deliver services to clients, you should pay close attention during the app development stage and make sure the access permission requests are appropriate. This is especially important where third-party software development kits (SDKs) are used to build the company’s own app, since a third-party SDK may be able to intercept the collected personal information and use it for other purposes.
According to the draft PIPL, the “data processor”, a concept that combines the GDPR notions of “data controller” and “data processor”, bears the responsibility for taking appropriate measures to protect the personal information it processes.
Below are some common measures that companies can take to protect personal information and meet the compliance requirements imposed by the PIPL. For ease of understanding, we divide the measures into two categories: technical measures and organizational measures.
Given the potentially wide application of the PIPL and the measures necessary for compliance under Chinese law (such as those discussed in this article), companies expecting to be governed by the PIPL should factor the costs of personal information protection into their budget for next year. This avoids the situation where the PIPL comes into effect in 2021 and the company lacks the budget to implement compliance measures.
China Briefing is written and produced by Dezan Shira & Associates. The practice assists foreign investors into China and has done so since 1992 through offices in Beijing, Tianjin, Dalian, Qingdao, Shanghai, Hangzhou, Ningbo, Suzhou, Guangzhou, Dongguan, Zhongshan, Shenzhen, and Hong Kong. Please contact the firm for assistance in China at firstname.lastname@example.org.