In effect from November 1, 2021, China’s Personal Information Protection Law (PIPL) is a significant first for the country and is expected to have a profound impact on both local and foreign invested companies doing business in and with China.
Likely to be strictly implemented, many companies are voicing concerns about being compliant with the new regulations.
In a recently held webinar organized by Dezan Shira & Associates on November 2, 2021, Thomas Zhang, Dezan Shira & Associates’ Group IT Director, introduced the PIPL and explained several key considerations for companies to build a roadmap for compliance.
Here we have selected some typical questions asked by companies with brief answers. To listen to and download the China’s Personal Information Protection Law: What to Know and How to Prepare webinar, please click here.
A: No, it’s not mandatory; however, for companies who don’t have an office in China and still want to provide services in China, a DPO or representative is necessary. In general cases where the company has an office in China and they can find a local person to play the role of representative, there is no need to have a DPO. But we have seen many companies don’t have enough internal resources to support this, so from that angle – an external DPO can be very helpful for companies.
A: Yes, because we are talking about aggregated data – which doesn’t have any specific personal information of individuals. This means that it will be “abstract” data that cannot be tracked to one single individual. In this case, the data will not be treated as personal information or as sensitive personal information, and you are allowed to transfer it outside of China.
A: Yes. If your IT system is located in Germany, but your business operations in China are processing personal information, you will need a DPIA. Whether you are allowed to transfer personal information out of the country or not is based on the scale of the personal information. The Cyberspace Administration of China (CAC) will specify the criteria about which kind of personal information will not be allowed to be transferred out, but for now we will need to wait for more details from the government.
A: Yes, for now it would be as Hong Kong, Taiwan, and Macao are implementing different laws from Mainland China.
A: Our opinion is that you can use one single consent form. In this case, we understand that the purpose of processing this information for payroll and HR is quite close/tied to each other. It is a common practice for companies to process payroll and HR together, so in this case we think you can use one single consent form.
A: Yes. Information from those under 14 will be regarded as sensitive information. If you are going to process sensitive personal information, you must collect separate consent and conduct a DPIA.
A: Yes. The definition of personal information is very wide under the PIPL. For any information that can be tied to one single individual, it is considered personal information. For example, mobile phone numbers in China are tied to real names and can be connected to an individual. Names are also a kind of personal information. Although a name can be common and used for multiple people, under the PIPL it is still considered personal information.
A: Yes. Under the GDPR, IP addresses are defined as personal information, and this is the same for the PIPL. We know that IP addresses are dynamic, but from an IT perspective we can still trace an individual to their IP address most of the time with certain efforts, making IP addresses one kind of personal information under the PIPL.
A: Similar to GDPR, under PIPL, it’s the information controller – the one who makes decisions on how to collect and store the data – that assumes the responsibility of personal information protection. So, if you are the information controller, and you make the decision to collect personal information and make the decision to transfer it out to save in Google Drive, you are responsible for everything. Of course, you can make a service agreement with your vendor to specify what kind of measures should be taken to protect the personal information.
A: From the technical perspective, yes, it is. For example, in China, the cyber police require companies to set up a firewall or security device, which can allow the company to track the website access logs for users. This means that even if you are using a private IP of your company, your firewall or security can still track these records, and IT can use these records to trace back to the individual using this IP address. In practice, however, at the current stage, IP address information is really a minor consideration for the authorities. There are other more significant issues for the authorities to pay attention to.
China Briefing is written and produced by Dezan Shira & Associates. The practice assists foreign investors into China and has done so since 1992 through offices in Beijing, Tianjin, Dalian, Qingdao, Shanghai, Hangzhou, Ningbo, Suzhou, Guangzhou, Dongguan, Zhongshan, Shenzhen, and Hong Kong. Please contact the firm for assistance in China at email@example.com.
Dezan Shira & Associates has offices in Vietnam, Indonesia, Singapore, United States, Germany, Italy, India, and Russia, in addition to our trade research facilities along the Belt & Road Initiative. We also have partner firms assisting foreign investors in The Philippines, Malaysia, Thailand, Bangladesh.
Previous Article « Companies with Equity-Based Compensation Plans are Subject to More Reporting Obligations in China
Next Article RCEP FTA Signed: What Can Foreign Investors in China Expect? »
Dezan Shira & Associates´ brochure offers a comprehensive overview of the services provided by the firm. With...
A firm understanding of China’s laws and regulations related to human resources and payroll management is ab...
Doing Business in China 2022 is designed to introduce the fundamentals of investing in China. Compiled by the ...
With the scope and penalties of China’s social credit system being further clarified in 2021, legal and regu...
As a legitimate tool for reasonable tax planning and cost saving, tax incentives play an important role. Compa...
Over the last few months, China has been quickly expanding the pilot program on electronic special value-added...
Dezan Shira & Associates helps
businesses establish, maintain,
and grow their operations.
Stay Ahead of the curve in Emerging Asia. Our subscription service offers regular regulatory updates,
including the most recent legal, tax and accounting changes that affect your business.