China has prioritized data protection, data privacy, and cybersecurity through a series of laws and regulations in the last five years. Implementing rules, clarifications, and other relevant industry norms are periodically updated and released. Companies are advised to assess the relevance of these laws and regulatory updates on their business scope as well as exposure to compliance risks in case the laws are not comprehensive enough. Making necessary changes ahead of time will enable enterprises to be able to continue to operate in China without disruption.
In recent years, China has been making great effort to protect the data of its citizens and companies. This has required several laws to be amended and new ones to get promulgated, so that the legal voids for protection of these matters are filled.
This is nothing new, regulating on data privacy has been an hot topic for the better part of four years now. In Europe, for example, the European Union, enacted the GDPR – General Data Protection Regulation, which came into effect on March 25, 2018 and ever since then has caused major shifts in the way companies process, store, and protect the data of their employees, clients, and associates.
China’s major laws regarding IT compliance
In China, similar steps have been taken and the main laws that every firm doing business in the country are discussed below.
The Personal Information Protection Law (‘PIPL’) entered into force November 1, 2021, and is China’s first comprehensive law on protection of personal information.
Other related laws include the Cybersecurity Law (“CSL”), which became effective June 1, 2017 and contains personal information protection requirements imposed on all companies that operate a computerized information network system. It is the fundamental law regulating cyberspace, focusing on multi-level protection of cybersecurity, the protection of critical information infrastructure, cybersecurity reviews, and inspection as well as the certification of key network devices and special cybersecurity products. The law imposes certain obligations upon companies, such as performing periodical security reviews of the data they handle, and obligation that certain data be stored on servers located on mainland China. In addition to the above, companies are required to have structures and protocols in place to better protect their data and user data. Specifically, they must have a tiered network security protection system. You can know more about the specificities of the CSL in an article we published here.
Another relevant law is the Data Security Law (“DSL”), which is the fundamental law for data security, and it designs a series of policies, to ensure data development and use. The supporting laws, regulations, and guidelines for implementing these policies are expected in the future. The DSL came into force on September 1, 2021.
In the future, more industries will have the duty to categorize and classify their data, especially for those industries that bear the responsibility of supervising data security as per Article 6 of the DSL (e.g., telecommunications, transportation, natural resources, hygiene and health, education, and technology). You can take a look at the DSL specificities in an article we published here.
Finally, the Civil Code of the People’s Republic of China (‘the Civil Code’), effective from January 1, 2021, expressly provides the right of privacy and personal information protection.
The PIPL in depth
Considering the more imposing nature of the PIPL to companies and individuals, in this article we will focus more on this law. While many believe it was modelled on the GDPR, China has had the GB/T35273 since 2017, where legal concepts like personal information, sensitive personal information, and processing of personal information was defined. The PIPL mentions its exterritorial jurisdiction and creates a frame for data protection, such as principles of personal information processing, consent and non-consent grounds for processing, cross-border transfer mechanisms and rights of data subjects; foreign businesses can note that these concepts are mentioned in the GDPR as well.
To ensure your company is fully compliant with the PIPL – irrespective of meeting EU compliance standards, you can check the differences between the GDPR and PIPL dedicated article we published recently here.
The PIPL, together with two other major laws on cybersecurity and data protection, has created the present legal regime on data protection for the People’s republic of China.
The processing of personal information and the concept of “Consent”
One thing that PIPL does, is that it goes beyond the GDPR’s “legitimate interests” requirement to process personal information.
This means that a given subject’s personal information may be processed with the express “consent” of the individual, or in certain other limited circumstances. This “consent” shall be, as per Article 14 of the law:
- should be given by the data subject and the data subject must have full knowledge of what she/he is consenting to
- should be freely given in a voluntary and explicit manner
should be demonstrated by a clear action of the individual (through email, signed letter, or e-form, etc.)
In more detail, an individual’s separate consent to process their personal information is required when:
- sensitive personal information is processed
- the personal information is provided by the processor to another processor
- the personal information is transferred outside of China
Exceptions to the “consent” rule
There are, however, some exception to the “consent” rule and in fact, Article 13 of PIPL permits the following exceptions whereby personal information may be processed without the individual’s consent. These are:
- The processing is necessary for the conclusion or performance of a contract in which the individual is a party, or necessary for human resources management in accordance with the labor rules and regulations established in accordance with the law and the collective contracts signed in accordance with the law.
- The processing is necessary for the performance of statutory duties or obligations.
- The processing is necessary for the response to public health emergencies, or for the protection of life, health, and property safety of natural persons in emergencies.
- The personal information is reasonably processed for news reporting, media supervision, and other activities conducted in the public interest.
- The personal information disclosed by the individual himself or other legally disclosed personal information of the individual is reasonably processed in accordance with this Law.
- Other circumstances as provided by laws or administrative regulations.
Individuals’ rights and prerogatives
Again, similar to the GDPR, the PIPL offers the same options with respect to an individual’s rights concerning their personal information, namely:
- the right to access, correct, erase, object to and restrict the processing of the individual’s data
- the right to data portability
- the right not to be subject to automated decision making
- the right to withdraw consent
- the right to lodge a complaint with the regulator
As per Article 18 of the PIPL, it is required that the processing entities “timely” answer an individual’s requests concerning their data. Under PIPL, individuals also will have the right to bring lawsuits against processing entities if they reject the individuals’ requests to exercise their rights. (as per Article 50)
Processors’ obligations to safeguard personal information and consequences of non-compliance
Like the GDPR, PIPL sets forth a regulatory framework that imposes tight security safeguards and controls on all entities that process personal information, including:
- Formulating internal management systems and operation procedures
- Implementing classified management of personal information
- Adopting corresponding technical security measures, such as encryption and de-identification
- Reasonably determining the operational authorizations for personal information and providing regular security education and training for operational staff
- Formulating and implementing response plans for security incidents relating to personal information
- Conducting regular compliance audits
- Adopting other security measures as stipulated by laws and regulations.
A processor that provides an important internet platform service, has a large user base and/or operates complex types of businesses is further required to build a robust data compliance program (including preparing a personal information protection compliance policy) and establish/appoint an independent body to supervise its implementation. They are also required to monitor the behaviors of the service or product providers on their platform that may violate any laws and regulations.
Should an entity violate the above explained rules, regulators may order it to take actions, issue warnings, confiscate illegal income, suspend services, revoke operating permits or business licenses, or issue a fine. This fine can be up to RMB 50 million or 5 percent of an organization’s annual revenue/turnover for the prior financial year. Naturally, any violations may be recorded into the credit files of the processing entity under China’s national social credit system.
As for individual punishments, the person in charge or other directly liable individuals also may be held liable and subject to a fine up to RMB 1 million. These individuals may also be restricted from serving as director, supervisor, senior management, or personal information protection officer during a specific period, if not indefinitely.
Moreover, the processing entities will be liable for tort damages if they infringe the rights and interests of personal information.
Extra territorial reach
Like the GDPR, the PIPL also imposes some duties on the processing entity that plans to transfer personal information to entities outside of China. These entities are required to:
- Provide individuals with certain specific information about the transfers and obtain separate consent.
- Adopt necessary measures to ensure that the overseas recipients can provide the same level of protection as required under PIPL.
- Carry out a personal information protection impact assessment.
This means that the effort made by companies to implement high-level security systems for processing of data, also extends to performing due diligence of the entities they cooperate with on an international level and make sure that said entities have the same level of systems. (Although the Chinese government won’t supervise these foreign entities directly, the local data processing entity in China is obligated to do so).
In summary, China’s PIPL, along with the other laws that we mentioned, impose a culture of greater protection and rights to the country’s residents over their personal data. Domestic or foreign organizations that process personal information of China’s residents are now subject to heightened requirements, including but not limited to:
- Obtaining individuals’ consent to process personal information
- Addressing individuals’ requests to exercise their rights over personal information
- Implementing adequate safeguards and security measures to protect personal information
- Adhering to limitations on cross-border transfers of personal information outside of China
- Conducting Personal Information Protection Impact Assessments
- Supervising third-party processors to ensure compliance with PIPL
This means that if you own or manage a company and you employ people, than further precautions and systems must be implemented to safely store, process and transfer all the data that belongs to the company, its employees, clients, or any other type of associates.
Companies are recommended to perform a certain investment in creating or improving their IT and general procedures that they use for the treatment of data.
As the Chinese government appears to be more and more concerned and invested in the protection of data, privacy, and cybersecurity, not following these regulations may have a disastrous impact on the companies’ ability to operate in this market.
China Briefing is written and produced by Dezan Shira & Associates. The practice assists foreign investors into China and has done so since 1992 through offices in Beijing, Tianjin, Dalian, Qingdao, Shanghai, Hangzhou, Ningbo, Suzhou, Guangzhou, Dongguan, Zhongshan, Shenzhen, and Hong Kong. Please contact the firm for assistance in China at firstname.lastname@example.org.
Dezan Shira & Associates has offices in Vietnam, Indonesia, Singapore, United States, Germany, Italy, India, and Russia, in addition to our trade research facilities along the Belt & Road Initiative. We also have partner firms assisting foreign investors in The Philippines, Malaysia, Thailand, Bangladesh.