China’s Personal Information Protection Law: Compliance Considerations from an IT Perspective
Data privacy in China will receive an important boost once the Personal Information Protection Law comes into effect. While a timeline on the law’s implementation is not confirmed, we discuss how businesses (based in China and those engaged in commercial interactions with people living in China) should prepare ahead to ensure data privacy compliance.
With measures to ensure privacy getting prioritized worldwide, many countries have framed relevant laws and regulations on personal information protection. China too released its draft Personal Information Protection Law (PIPL), which just closed its seeking-opinion period on November 19, 2020.
When the draft PIPL gets passed, China will finally have a central and universal governing law on protecting personal information. Though there is no established schedule yet on passing this law, companies doing business in China are suggested to study the draft law and make necessary preparations wherever possible, considering the PIPL’s potentially wide-ranging impact.
Those familiar with the European Union’s General Data Protection Regulation (GDPR) will find some similarities in the draft PIPL when reading it the first time as some concepts are “borrowed”.
The PIPL will be applicable to any organization and individual who process personal information in China. For companies outside China, the PIPL is also applicable if they provide services or products to people in China or analyze and evaluate the activities of people in China.
The draft PIPL proposes significant penalties for serious violations, including rectification orders, confiscation of illegal gains, business suspension, revocation of business licenses, and fines of up to RMB 50 million (approx. US$7.6 million) or five percent of turnover in the previous year. Individuals in charge of personal information protection will also be subject to penalties that can be up to RMB 1 million (approx.US$153,200).
Below, we share some analysis from the IT perspective on guiding internal operations and address frequently asked questions.
1. Will my company be regulated by China’s Personal Information Protection Law?
One common misunderstanding on the PIPL is that it is only applicable to internet firms, such as Tencent, Baidu, Bytedance, etc. Actually, as long as you have a business running in China, you will be regulated by the new PIPL as there is always personal information, such as email address and phone number, that gets collected and processed during business operations and interactions with customers.
Besides, even if your company does not have a physical existence in China, it may still be regulated by the PIPL – if your company processes the personal information of the people in China for the purpose of providing products or services to people in China or analyzing and evaluating the activities of the people in China. Examples include selling products via the Tmall international shop to Chinese consumers, or providing online language training courses, or using AI-based technology to surveille people in China (such as facial recognition, location tracking, profiling, etc.).
2. How to assess the potential impact of the new PIPL on my company’s IT infrastructure and applications?
Under the new PIPL, there are a couple of things you have to consider about the IT infrastructure or system design of your company.
Whether the personal information processed by your company can be transferred out of China
Many small- and medium- sized enterprises (SMEs) use the headquarter (HQ)-based system to support their businesses in China for the purpose of saving costs. This means all data, including personal information, will be transferred outside of China and saved to the system hosted in HQ.
According to the draft PIPL, companies needs to satisfy at least one of the below conditions to transfer the personal information out of China:
- Where it has passed the security assessment organized by the State cyberspace administration;
- Where is has been certified by a specialized in accordance with the provisions of the State cyberspace administration in respect of the protection of personal information;
- Where it has concluded a contract with an overseas recipient specifying the rights and obligations of both parties and has supervised the recipient’s processing of personal information to ensure that the recipient’s processing meets the standards for protection of personal information; and
- Where it has satisfied other conditions prescribed by laws, administrative regulations or the State cyberspace administration.
Among the conditions, the third one is the easiest to handle by the company itself. Therefore, if your company is in this situation, to keep using HQ-based IT systems, you should work with your legal team to develop a contract that meets all related requirements provided in the PIPL.
To be noted, this strategy does not always work. If your company is classified as ‘critical information infrastructure operator’, which refers to operators engaging in important industries and sectors, such as public communications, information service, energy, transport, water conservancy, finance, and public service and e-government, all personal information is in principle required to be saved within the territory of China, unless you can pass the security assessment organized by the State cyberspace administration. This means your company needs to consider building one stand-alone IT infrastructure in China, either cloud-based or on-premises.
Moreover, even if the company sets up the IT infrastructure and saves all collected personal information within the territory of China, de facto data cross-board transfer may still happen if the company provides remote access tools to staff in HQ for accessing the data saved in China. In this case, your company is advised to consider restructuring the work processes to avoid remote access, or only provide generalized information, such as the summary report, rather than detailed personal information.
Whether any sensitive personal information is being processed
‘Sensitive personal information’, according to the draft PIPL, refers to the personal information that may lead to discrimination or serious harm to personal or property safety once disclosed or illegally used, including such information as race, ethnicity, religious belief, personal biological characteristics, medical health, financial accounts, and personal whereabouts. This scope is much wider than that in the GDPR or other laws of the same kind. Under this definition, location information, mobile number, bank account, financial transaction data, etc. are all considered as sensitive personal information.
Sensitive personal information requires extra protection by the law. If your company is going to process sensitive personal information, you would need to consider designing a differentiated privacy notice interface as the PIPL requires “explicit and individual consent” for each purpose of processing sensitive information. It means you cannot let the user tick on one checkbox to consent to all the purposes of data processing that you will do. Instead, you need to list the purposes of processing personal sensitive information, separately, to obtain explicit consent from the user.
Whether any data classification and retention techniques are deployed in your organization
The draft PIPL requests the company to manage personal information by hierarchical classification and retain the personal information with minimal and necessary period. It means the company needs to deploy relevant techniques to detect, identify, and classify the personal information being collected and processed, and also implement a proper data retention policy to delete the personal information that is no longer needed for the original purpose of collection.
Examine whether the company is using any mobile app to communicate with people or deliver service to clients
Therefore, if your company uses mobile apps to communicate with people or deliver service to clients, you should pay more attention in the app development stage, and make sure the access permission requests are proper. This is especially the case where third-party software development kit (SDK) are used to develop the company’s own app as the third-party SDK may have the chance to intercept the collected personal information and use it for other purposes.
3. What measures should I take to ensure compliance?
According to the daft PIPL, the “data processor”, which actually combines the concept of “data controller” and “data processor” in GDPR, bears the responsibility of taking appropriate measures to protect the personal information processed.
Below are some common measures that companies could take to protect personal information and meet the compliance requirements imposed by the PIPL. For easier understanding, we divide the measure into two categories – technical measures and organizational measures.
- General security control measures: Protection of personal information is combined with general information security and the CIA triangle (confidentiality, integrity, availability) to enhance the ultimate information security objective for personal information protection. So to prepare for the PIPL, enhancing the general security control of your company should be the cornerstone and the first step.
- Encryption: Deploying encryption measures for DAR (data at rest) and DIM (data in move) are effective ways to improve cybersecurity, which can also mitigate the consequences of possible security breaches. The common practices include encrypting the database through certain measures (such as transparent database encryption), encrypting the saved files in server and computers by applying BitLocker or similar techniques, and encrypting the network traffic by using https protocol with up-to-date TLS.
- De-identification measures: Applying de-identification techniques to reduce the sensitivity of the personal information, or even get the personal information anonymized, will reduce the risk of violating the PIPL.
- Data classification / date retention / data loss prevention (DLP) measures: Deploying proper data classification and retention techniques with DLP measures can detect, classify, and prevent the sensitive data being leaked out and delete unnecessary data according to the retention policy in an automatic way to achieve “minimal and necessary” retention.
- ‘Privacy by design’ and ‘privacy by default’: When designing the product, companies should not just consider the product functionality, but also consider the personal information protection from the very beginning. Besides, companies should make the default setting of their apps and systems to be privacy-friendly. For example, many companies adopt an opt-out strategy in the personal information protection area, which means the personal information will be collected by default, but users have option to stop the collection, such as “unsubscribe the email”. Nevertheless, under the privacy-friendly settings, an opt-in strategy prevails, which means no personal information would be collected or processed without individual’s explicit consent.
- Running a data protection impact assessment (or called data privacy impact assessment, DPIA): Through DPIA, the company can identify specific risks to personal information protection, analyze how programs/systems collect, use, share, and maintain personal information and determine the measures to address the identified risks.
- Staffing: The company should appoint suitable human resources for the work of personal information protection, which should include a general information security team, a privacy representative, or even a data protection officer (DPO). Besides, according to Article 51 of the PIPL, companies that are outside China but provide service/product to people in China or analyze and evaluate the activities of people in China need to “establish a special agency or designate a representative within the territory of China”.
- Training: According to the draft PIPL, companies are expected to perform regular security and privacy related trainings to all staff for ensuring updated awareness on personal information protection.
Given the potentially wide application of the PIPL and the measures necessary for compliance under Chinese law (such as those discussed in this article), companies expected to be governed by the PIPL must factor in relevant costs incurred for ensuring personal information protection when planning their budget for next year. This is to prevent the circumstance where the PIPL comes in effect in 2021 and the company lacks the necessary budget resources to implement compliance measures.
China Briefing is written and produced by Dezan Shira & Associates. The practice assists foreign investors into China and has done so since 1992 through offices in Beijing, Tianjin, Dalian, Qingdao, Shanghai, Hangzhou, Ningbo, Suzhou, Guangzhou, Dongguan, Zhongshan, Shenzhen, and Hong Kong. Please contact the firm for assistance in China at email@example.com.
We also maintain offices assisting foreign investors in Vietnam, Indonesia, Singapore, The Philippines, Malaysia, Thailand, United States, and Italy, in addition to our practices in India and Russia and our trade research facilities along the Belt & Road Initiative.