China’s Personal Information Protection Law comes into effect next week. With its sweeping set of rules and regulations on protecting the personal information of users, companies will have to adapt quickly in order to ensure they remain on the right side of the law. To help companies prepare for the upcoming changes, we discuss some of the core requirements of the law and offer suggestions on how to build a robust IT system, which tools and technologies to use for assessing risks, and how to structure the organization to ensure compliance.
In our previous article, we discussed several technical considerations to comply with the Personal Information Protection Law (PIPL), which will take effect on November 1, 2021. In this article, we take a deeper dive to explore concrete actions companies can take to comply with the PIPL in practice, mainly from a technical perspective.
As a rule of thumb, information security, a long-discussed topic in the IT industry, is the basis of personal information protection. All security measures in that field, whether technical or organizational, therefore also benefit personal information protection. It is not only an implied requirement of the PIPL but an express one: Article 51 requires personal information handlers to adopt security measures such as encryption, de-identification, and access control. In other words, you cannot have good personal information protection without information security.
However, personal information protection has its own characteristics, and the converse does not hold. Good information security does not guarantee that personal information is protected: data can be perfectly secured against outsiders and still be processed in ways the individual never agreed to.
Take an example: You provide your address, ID card, phone number, and other personal information to a commercial bank to apply for a debit card account. As we know, commercial banks usually have strong information security, which means your personal information itself is secure inside the bank’s IT system. However, as is common practice, the commercial bank may occasionally want to send you an SMS promoting other investment tools, such as a fund or wealth investment product, especially during the few days when you have a large deposit in your debit card account.
This behavior is a clear violation of your privacy: you provided your personal information only to open an account and may have no interest in the bank’s wealth management products at all. The bank has changed the purpose for which it processes your personal information, which under Article 14 of the PIPL requires obtaining your consent again, and instead uses the information to send you unsolicited messages. Yet from an information security perspective nothing is wrong: your personal information is still well protected by the bank, and no unauthorized access has occurred.
In short, information security and personal information protection overlap: information security is the foundation of personal information protection (privacy), but on its own it is not sufficient for privacy.
When we talk about personal information protection, we first need to identify the target for protection, which means we need to answer the following questions:
- What data are you collecting?
- How was this data collected?
- Why do you need to collect this data?
- How will the data be stored, how will it be processed, and who has access to it?
- When will the data be disposed of?
These questions are critical for understanding the organization’s current situation and practices regarding personal information protection, and the answers form the basis for the control measures implemented later. The best way to answer them is to carry out data mapping (data flow mapping), which is also the first step we recommend when a company starts privacy management.
Several toolkits are available for data mapping today, but a simple Excel sheet with one column per question above is also sufficient to record the results.
The key is a joint effort between the IT department and the operations teams, ideally led by the personal data protection team if there is one, to identify how personal information flows inside the organization and to and from external parties.
Article 55 of the PIPL requires a company to carry out what the law calls a personal information protection impact assessment, the PIPL’s counterpart to the Data Protection Impact Assessment (DPIA), before “processing sensitive personal information, making automatic decision-making for the use of personal information, entrusting other parties to process the personal information, and providing personal information to overseas parties”. Article 56 specifies what the assessment must cover: whether the purpose and method of processing are lawful, legitimate, and necessary; the impact on and risks to individuals’ rights and interests; and whether the protection measures in place are lawful, effective, and commensurate with the level of risk.
A DPIA is also mandatory in many cases under the EU’s General Data Protection Regulation (GDPR), so the terminology is likely already familiar to most foreign companies. As a process for identifying the risks related to personal information, a DPIA usually includes the below objectives:
Once the DPIA process is completed, the below information should have been gained, and the assessment report and processing records must be retained for at least three years, as required by Article 56 of the PIPL:
Many risk models have been developed over the years, and several remain useful and instructive for personal information protection in China, such as the NIST Privacy Risk Model, Solove’s Taxonomy of Privacy Problems, and compliance models built around the GDPR and the PIPL. Whichever model a company chooses, some common steps include:
As in the GDPR, the PIPL does not treat anonymized information as personal information (Article 4). A reliable way to eliminate the risks to personal information is therefore to anonymize the data a company holds. Note the distinction the law draws in Article 73: de-identification means the data can no longer identify a specific person without additional information, whereas anonymization means the person cannot be identified and the process cannot be reversed. De-identified data, such as pseudonymized records where a key or lookup table could restore the original, remains personal information and stays within the PIPL’s scope; only anonymized data falls outside it. Anonymization also comes at a cost to the business, since many insights can no longer be extracted once the data is irreversibly altered. Striking a balance between the usability of personal information and its protection is therefore a typical challenge companies face.
GB/T 37964-2019, Information Security Technology – Guide for De-Identifying Personal Information, gives a more detailed introduction to de-identification. It describes commonly used techniques, such as statistical techniques, suppression, cryptographic techniques, generalization, and pseudonymization, and how to apply them to identifiers such as names, ID numbers, bank account numbers, addresses, and phone numbers. Which technique is most suitable depends on the company’s budget, needs, and other circumstances, and above all on how the output will be used: a keyed pseudonym keeps records joinable, while suppression or generalization removes detail for good.
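The following added example (not from the original article, and not code from GB/T 37964 itself) applies several of the techniques the guide names to one constructed customer record, in Go: suppression of the bank account number, masking of the phone number, generalization of the ID number to province and birth year and of the address to the city, and keyed pseudonymization of the name. The key, the record values and the simplified address parsing are assumptions for illustration; the ID-number check digit rule is the ISO 7064 MOD 11-2 scheme used by the 18-digit resident identity card number.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Record holds the raw personal information a company might keep about a
// customer. The values used below are constructed for this example.
type Record struct {
	Name        string
	IDNumber    string // 18-digit resident identity card number
	Phone       string // 11-digit mainland mobile number
	Address     string
	BankAccount string
}

// DeIdentified is the output. There is deliberately no bank account field:
// the account number is suppressed because the downstream use does not need it.
type DeIdentified struct {
	NamePseudonym string // pseudonymization: keyed hash of the name
	Province      string // generalization: province part of the ID region code
	BirthYear     string // generalization: birth date reduced to the year
	PhoneMasked   string // suppression: middle digits masked
	City          string // generalization: address cut back to the city
}

// Pseudonymize maps a value to an HMAC-SHA256 tag under a secret key, so the
// same input always yields the same pseudonym and records stay joinable.
// Whoever holds the key can recompute the mapping, so the result is
// de-identified, not anonymized, and remains personal information under the PIPL.
func Pseudonymize(key []byte, value string) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(value))
	return hex.EncodeToString(mac.Sum(nil))
}

// validID verifies the ISO 7064 MOD 11-2 check digit of an 18-digit ID number
// so that malformed input is rejected rather than silently generalized.
func validID(id string) bool {
	if len(id) != 18 {
		return false
	}
	weights := [17]int{7, 9, 10, 5, 8, 4, 2, 1, 6, 3, 7, 9, 10, 5, 8, 4, 2}
	const checkChars = "10X98765432"
	sum := 0
	for i := 0; i < 17; i++ {
		if id[i] < '0' || id[i] > '9' {
			return false
		}
		sum += int(id[i]-'0') * weights[i]
	}
	return checkChars[sum%11] == id[17]
}

// GeneralizeID keeps only the province code (digits 1-2) and birth year
// (digits 7-10); district, full birth date and sequence number are dropped.
func GeneralizeID(id string) (province, birthYear string, err error) {
	id = strings.ToUpper(id)
	if !validID(id) {
		return "", "", errors.New("invalid 18-digit ID number")
	}
	return id[0:2], id[6:10], nil
}

// MaskPhone keeps the 3-digit prefix and last 4 digits of an 11-digit mobile number.
func MaskPhone(phone string) (string, error) {
	if len(phone) != 11 || strings.Trim(phone, "0123456789") != "" {
		return "", errors.New("expected an 11-digit mobile number")
	}
	return phone[:3] + "****" + phone[7:], nil
}

// GeneralizeAddress truncates a Chinese address after the first "市" (city)
// marker. Assumption for this example: the usual province/city/district order.
func GeneralizeAddress(addr string) string {
	if i := strings.Index(addr, "市"); i >= 0 {
		return addr[:i+len("市")]
	}
	return addr
}

// DeIdentify applies one technique per field and drops what is not needed.
func DeIdentify(key []byte, r Record) (DeIdentified, error) {
	province, year, err := GeneralizeID(r.IDNumber)
	if err != nil {
		return DeIdentified{}, err
	}
	phone, err := MaskPhone(r.Phone)
	if err != nil {
		return DeIdentified{}, err
	}
	return DeIdentified{
		NamePseudonym: Pseudonymize(key, r.Name),
		Province:      province,
		BirthYear:     year,
		PhoneMasked:   phone,
		City:          GeneralizeAddress(r.Address),
	}, nil
}

func main() {
	// Assumption: a real pseudonymization key lives in a KMS/HSM, not in source code.
	key := []byte("example-only-key-do-not-use")
	rec := Record{ // constructed sample, not a real person
		Name:        "张三",
		IDNumber:    "110101199003072316",
		Phone:       "13812345678",
		Address:     "北京市东城区某街道1号",
		BankAccount: "6222020000000000001",
	}
	out, err := DeIdentify(key, rec)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", out)
}
```

The output record still lets an analyst count customers per province and birth year and join datasets on the name pseudonym, but because the pseudonym can be recomputed by anyone with the key, the result must be handled as personal information; only the suppressed and generalized fields are irreversibly reduced.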
Besides de-identification, privacy-enhancing technologies (PETs) are also becoming increasingly popular. Apple applies differential privacy to protect users’ privacy on the iPhone, while federated learning and secure multi-party computation are used by banks for loan credit decisions and other purposes. However, applying these PETs is often costly, so they are mostly deployed by large market players, although some third-party service providers are emerging.
For small and medium-sized businesses, we believe encryption is an effective, low-cost way to protect personal information. The most common options are encrypting data at rest, such as databases or files, so that the data is unreadable if storage media, backups, or database dumps leak, and encrypting network traffic with HTTPS (TLS) so that data in motion is protected. Two caveats apply. Encryption at rest only helps if the keys are stored separately from the data, for example in a key management service, and are out of reach of an attacker who compromises the application; anyone who can query the database through the application sees decrypted data regardless. And HTTPS only protects the connection if certificates are validated and outdated protocol versions are disabled.
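As an added example, not from the original article, the Go code below shows field-level encryption at rest for a single personal-information column with AES-256-GCM. The record identifier is bound in as associated data, so a ciphertext moved to another row does not decrypt, and the authentication tag rejects any modification. The key, record IDs and phone number are constructed for illustration; in production the key would come from a KMS or HSM rather than being generated in the program.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// newGCM builds an AES-GCM AEAD from a 32-byte key (AES-256).
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptField encrypts one personal-information field for storage in a database
// column. recordID is bound in as associated data: a ciphertext copied from one
// row into another then fails to decrypt instead of yielding another person's data.
// The result is base64(nonce || ciphertext || tag), storable in a text column.
func EncryptField(key []byte, recordID, plaintext string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil { // fresh random nonce per field
		return "", err
	}
	sealed := gcm.Seal(nil, nonce, []byte(plaintext), []byte(recordID))
	return base64.StdEncoding.EncodeToString(append(nonce, sealed...)), nil
}

// DecryptField reverses EncryptField. It fails, without saying why, if the
// key is wrong, the blob was modified, or the blob belongs to another record.
func DecryptField(key []byte, recordID, blob string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	raw, err := base64.StdEncoding.DecodeString(blob)
	if err != nil {
		return "", err
	}
	if len(raw) < gcm.NonceSize()+gcm.Overhead() {
		return "", errors.New("ciphertext too short")
	}
	nonce, sealed := raw[:gcm.NonceSize()], raw[gcm.NonceSize():]
	plain, err := gcm.Open(nil, nonce, sealed, []byte(recordID))
	if err != nil {
		return "", errors.New("decryption failed: wrong key, tampered data, or ciphertext from another record")
	}
	return string(plain), nil
}

func main() {
	// Assumption: in production the key comes from a KMS/HSM and never sits next to the database.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	// Constructed sample: the phone number of customer 1001, stored encrypted.
	blob, err := EncryptField(key, "customer:1001", "13812345678")
	if err != nil {
		panic(err)
	}
	fmt.Println("stored:", blob)
	phone, err := DecryptField(key, "customer:1001", blob)
	fmt.Println("decrypted for the right record:", phone, err)
	_, err = DecryptField(key, "customer:1002", blob)
	fmt.Println("same blob under another record:", err)
}
```

Binding the record ID as associated data is what turns plain confidentiality into protection against an insider with write access to the database: swapping or splicing encrypted values between rows is detected, not just reading them.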
If a company is a critical information infrastructure (CII) operator, or the volume of personal information it processes reaches the threshold set by the Cyberspace Administration of China (CAC) under Article 40 of the PIPL, then personal information collected and generated in China must be stored within the territory of China and may only be transferred abroad after passing a security assessment organized by the CAC. Separate localization rules apply under the Data Security Law (DSL) to data classified as ‘important data’ or ‘core data’.
This data localization can create big challenges for companies, especially for their IT departments. It is common for MNCs to use a universal platform to serve all clients in different countries. Branch offices in China usually use IT systems built and hosted in the company’s headquarters, but this will inevitably lead to cross-border data transfer issues.
Companies that set up standalone IT infrastructure in China to store business data and personal information there may still want to use that data for other purposes, such as AI-based or big data analysis. If that analysis runs on the group’s platforms outside China, it is still a cross-border data transfer. Moreover, allowing staff in other countries to access data stored in China remotely over the internet would in theory also fall within the scope of cross-border data transfer, although we don’t believe this is currently a high compliance risk.
The good news is that the PIPL borrows the idea of the standard contract from the GDPR’s Standard Contractual Clauses (SCCs): Article 38 allows companies to transfer personal information to overseas recipients by concluding a contract on a standard template formulated by the CAC. Unfortunately, the CAC has not yet published this template. Still, it offers a ray of hope that easier routes will become available, compared with the significant efforts currently required, such as passing a CAC security assessment or obtaining certification from a specialized institution, to transfer personal information outside of China.
With the data localization requirements described above, we anticipate that some companies will consider deploying new standalone IT infrastructure in China to support their business as a way of meeting the compliance requirements. The basic Privacy by Design principles, first introduced by Ann Cavoukian, the former information and privacy commissioner for the Canadian province of Ontario, should be considered when designing and deploying new IT infrastructure and systems:
Finally, all of the work described above must be done by people, whether an internal team or an outsourced one. Hiring a privacy team with qualified expertise, which usually combines legal and technology specialists, is the top priority for a company starting to deal with compliance risks. The PIPL also imposes two appointment duties: a handler without a legal entity in China that provides products or services to people in China must designate a dedicated entity or representative within China (Article 53), and a handler processing personal information above the volume threshold set by the CAC must appoint a person in charge of personal information protection (Article 52), a role similar to the data protection officer (DPO) under the GDPR. For small and medium-sized businesses that lack adequate internal resources, engaging a professional agency to play that role is a suitable option.
Meanwhile, the company should create effective processes for managing all work related to personal information protection, with well-defined and clear policies, procedures, and guidelines. Privacy awareness training is necessary to make sure all staff understand the importance of personal information protection to the business, its clients, other third parties, and themselves. Employees should also be able to recognize personal information and know what actions to take when processing it.
China Briefing is written and produced by Dezan Shira & Associates, a practice that has assisted foreign investors into China since 1992.