Q&A: How to Understand the Implementation of the PIPL in China?

Posted by Written by In conversation with Thomas Zhang Reading Time: 4 minutes

In effect from November 1, 2021, China’s Personal Information Protection Law (PIPL) is a significant first for the country and is expected to have a profound impact on both local and foreign invested companies doing business in and with China.

Likely to be strictly implemented, many companies are voicing concerns about being compliant with the new regulations.

In a recently held webinar organized by Dezan Shira & Associates on November 2, 2021, Thomas Zhang, Dezan Shira & Associates’ Group IT Director, introduced the PIPL and explained several key considerations for companies to build a roadmap for compliance.

Here we have selected some typical questions asked by companies with brief answers. To listen to and download the China’s Personal Information Protection Law: What to Know and How to Prepare webinar, please click here.

Q1: PIPL states the company should appoint “a person in charge of personal information protection” (个人信息保护负责 人)when processing personal information on a large scale based on the criteria specified by the CAC. Consequently, is the appointment of a Data Protection Officer (DPO) mandatory under the PIPL?

A: No, it’s not mandatory; however, for companies who don’t have an office in China and still want to provide services in China, a DPO or representative is necessary. In general cases where the company has an office in China and they can find a local person to play the role of representative, there is no need to have a DPO. But we have seen many companies don’t have enough internal resources to support this, so from that angle – an external DPO can be very helpful for companies.

Q2: Can a company send aggregated information derived from personal information across borders? If it doesn’t contain any specific personal information on Chinese citizens, can we aggregate this data and send it across borders?

A: Yes, because we are talking about aggregated data – which doesn’t have any specific personal information of individuals. This means that it will be “abstract” data that cannot be tracked to one single individual. In this case, the data will not be treated as personal information or as sensitive personal information, and you are allowed to transfer it outside of China.

Q:3 We are exchanging data with our headquarters in Germany via SAP. Will it be deemed as cross-border transfer and require a Data Protection Impact Assessment (DPIA)?

A: Yes. If your IT system is located in Germany, but your business operations in China are processing personal information, you will need a DPIA. Whether you are allowed to transfer personal information out of the country or not is based on the scale of the personal information. The Cyberspace Administration of China (CAC) will specify the criteria about which kind of personal information will not be allowed to be transferred out, but for now we will need to wait for more details from the government.

Q4: If personal data is transferred to Hong Kong, Macao, or Taiwan, would it be considered an international data transfer?

A: Yes, for now it would be as Hong Kong, Taiwan, and Macao are implementing different laws from Mainland China.

Q5: Do we need separate consent from our employees, one for payroll processed in China and the other for HR management purposes, assuming all data will be transferred outside of China to HQ in Singapore? Is it necessary for two consents from employees in China in this situation?

A: Our opinion is that you can use one single consent form. In this case, we understand that the purpose of processing this information for payroll and HR is quite close/tied to each other. It is a common practice for companies to process payroll and HR together, so in this case we think you can use one single consent form.

Q6: There are many international schools storing student data. What about the protection of data for children under 14 years old? Are there special protections under the PIPL?

A: Yes. Information from those under 14 will be regarded as sensitive information. If you are going to process sensitive personal information, you must collect separate consent and conduct a DPIA.

Q7: Is employee name and mobile phone number in MS Azure active directory considered personal information?

A: Yes. The definition of personal information is very wide under the PIPL. For any information that can be tied to one single individual, it is considered personal information. For example, mobile phone numbers in China are tied to real names and can be connected to an individual. Names are also a kind of personal information. Although a name can be common and used for multiple people, under the PIPL it is still considered personal information.

Q8: How about security logs (e.g., firewall and active directory)? Are they considered personal information as they are usually linked to an IP address or account name and not directly linkable to the user easily?

A: Yes. Under the GDPR, IP addresses are defined as personal information, and this is the same for the PIPL. We know that IP addresses are dynamic, but from an IT perspective we can still trace an individual to their IP address most of the time with certain efforts, making IP addresses one kind of personal information under the PIPL.

Q9: If we store processed personal information through a third-party vendor, such as Google Drive, does it fall into the vendor’s responsibility to formulate a proper information protection that complies with the PIPL?

A: Similar to GDPR, under PIPL, it’s the information controller – the one who makes decisions on how to collect and store the data – that assumes the responsibility of personal information protection. So, if you are the information controller, and you make the decision to collect personal information and make the decision to transfer it out to save in Google Drive, you are responsible for everything. Of course, you can make a service agreement with your vendor to specify what kind of measures should be taken to protect the personal information.

Q10: If an IP address is a company private IP address, for example, 10.0.0.1, is it considered as personal information?

A: From the technical perspective, yes, it is. For example, in China, the cyber police require companies to set up a firewall or security device, which can allow the company to track the website access logs for users. This means that even if you are using a private IP of your company, your firewall or security can still track these records, and IT can use these records to trace back to the individual using this IP address. In practice, however, at the current stage, IP address information is really a minor consideration for the authorities. There are other more significant issues for the authorities to pay attention to.

China Briefing is written and produced by Dezan Shira & Associates. The practice assists foreign investors into China and has done so since 1992 through offices in Beijing, Tianjin, Dalian, Qingdao, Shanghai, Hangzhou, Ningbo, Suzhou, Guangzhou, Dongguan, Zhongshan, Shenzhen, and Hong Kong. Please contact the firm for assistance in China at china@dezshira.com.

Dezan Shira & Associates has offices in VietnamIndonesiaSingaporeUnited StatesGermanyItalyIndia, and Russia, in addition to our trade research facilities along the Belt & Road Initiative. We also have partner firms assisting foreign investors in The PhilippinesMalaysiaThailandBangladesh.