PIPL China: Suggestions for Technical Compliance with Personal Information Protection Law

China’s Personal Information Protection Law comes into effect next week. With its sweeping set of rules and regulations on protecting the personal information of users, companies will have to adapt quickly in order to ensure they remain on the right side of the law. To help companies prepare for the upcoming changes, we discuss some of the core requirements of the law and offer suggestions on how to build a robust IT system, which tools and technologies to use for assessing risks, and how to structure the organization to ensure compliance.

In our previous article, we discussed several technical considerations to comply with the Personal Information Protection Law (PIPL), which will take effect on November 1, 2021. In this article, we take a deeper dive to explore concrete actions companies can take to comply with the PIPL in practice, mainly from a technical perspective. 

Relationship between information security and personal information protection 

As a rule of thumb, information security, a long-discussed topic in the IT industry, is the basis of personal information protection. Therefore, all security measures, whether technical or organizational, in the information security field are beneficial for personal information protection. Information security is the fundamental tool for personal information protection and is also an implied requirement of the PIPL. In other words, you cannot have good personal information protection without information security.   

However, personal information protection has its own characteristics. Good information security doesn’t guarantee the protection of personal information, and well-placed security measures don’t mean personal information is being well-protected.  

Find Business Support

IDENTIFY YOUR COMPANY'S COMPETITVE ADVANTAGE IN CHINA'S IT INDUSTRY

Take an example: You provide your address, ID card, phone number, and other personal information to a commercial bank to apply for a debit card account. As we know, commercial banks usually have strong information security, which means your personal information itself is secure inside the bank’s IT system. However, as is common practice, the commercial bank may occasionally want to send you an SMS promoting other investment tools, such as a fund or wealth investment product, especially during the few days when you have a large deposit in your debit card account.

This behavior is a clear violation of your privacy, as you only provided your personal information in order to open an account and may have no interest in the bank’s wealth investment service at all. However, the bank has changed its purpose for processing your personal information and uses it to send out annoying messages. Despite this violation, from an information security perspective, your personal information is still well protected by the bank and there has been no unauthorized access to the information. 

In short, information security and personal information protection are intersected while information security is the basis of personal information protection (privacy), but just information security is not enough for privacy.

Information flow and data mapping 

When we talk about personal information protection, we first need to identify the target for protection, which means we need to answer the below questions: 

• Who collects the data, in which way, from whom, and for what purpose? 
• Which system is used to save personal data and in which format? Where is the physical location of the system? 
• Who has access to the data and for what purpose? 
• Is the data being shared with a third party and for what purpose, if any? 

The above questions are critical for the company to understand the current situation and practices regarding personal information protection inside the organization. The answers will also form the basis for implementing further control measures to protect personal information. The best way to answer the above questions is to carry out data mapping or data flow mapping and is also the first step that we recommend taking when a company starts carrying out privacy management. 

Today there are several toolkits available for data mapping, but it’s also possible to use an Excel sheet to record the information, as shown in the below example:

The key is to have a joint effort between the IT department and operations teams, or even better, to have a personal data protection team, if there is one, as lead, to identify the flow of personal information inside the organization and between external parties. 

Data Protection Impact Assessment or Privacy Impact Assessment 

Article 55 of the PIPL requests the company to carry out Data Protection Impact Assessment (DPIA) when “processing sensitive personal information, making automatic decision-making for the use of personal information, entrusting other parties to process the personal information, and providing personal information to overseas parties”. Article 56 further specifies the DPIA requirements, which should include assessing the purpose of personal information processing, the impact it may have on personal rights and interests, and whether the protection measures currently in place are adequate.  

DPIA is also mandatory in most cases under the EU’s General Data Protection Regulations (GDRP), so it is likely already familiar terminology for most foreign companies. As a process for identifying the risk related to personal information, DPIA usually includes the below objectives: 

• Identifying specific risks to personal data. 
• Analyzing how programs or systems collect, use, share, and maintain personal data to ensure compliance. 
• Determining the risks to personal data inherent in programs and systems. 

Once the DPIA process is completed, the below information should have been gained (and saved for at least three years as required by Article 56 of the PIPL): 

• Description of the processing and its purpose. 
• The legitimate interests within the processing.
• An assessment of the necessity and proportionality of the processing. 
• An assessment of the risks to individuals (or data subjects in the GDPR context). 
• The measures envisaged to address the risks. 
• All of the safeguards and security measures to demonstrate compliance.

Many risk models have been developed in the past and some are still popular and instructive for personal information protection in China. These include models such as the NIST Privacy Risk Model, Taxonomy of Privacy Problems, and the Compliance Model of GDPR/PIPL. Whichever model a company chooses, some common steps include: 

• Identifying the need for DPIA – does the personal information processing involve the information type specified in Article 55 of the PIPL? 
• Describing the information flows – this can usually be combined with data mapping or ‘borrowing’ the output of the data flow mapping process.
• Identifying privacy and related risks – what kind of risk is posed to individuals? For example, profiling, which is widely used, could lead to the individual paying higher prices to obtain the same service. 
• Identifying and evaluating privacy solutions – can any Privacy Enhancement Technology (PET) be applied for better protection of personal information? 
• Sign-off and recording the outcomes – the outcomes mentioned above need to be confirmed and recorded as the basis for the next phase of work.
• Integrating the outcomes into a project plan – the outcomes of DPIA identify the existing issues, and the next step is to fix these problems. 
• Consulting with internal and external stakeholders – privacy involves lots of stakeholders, both inside and outside the organization, and good communication with all stakeholders will lead to earlier success in privacy management. 

Adoption of privacy-related technologies 

As in the GDRP, the PIPL does not treat anonymized personal information as personal information. Therefore, a secure and effective way to eliminate the risks posed to personal information protection is making the personal information that a company possesses anonymous by using de-identification technology. Of course, this brings a further challenge to businesses, as many insights cannot be gleaned from the information once the data is anonymized. Striking a balance between the usability of personal information and the protection of said information is therefore a typical challenge that companies face. 

The GB/T 37964-2019 Information Security Technology – Guide for De-Identifying Personal Information gives a more detailed introduction to de-identification. It also recommends a few commonly used technologies, such as statistics technology, suppression, encryption, generalization, and pseudonymization, to de-identify sensitive information, including names, ID numbers, bank account numbers, addresses, and phone numbers, among others. Which technology is the most suitable for a given company will depend on the company’s budget, needs, and other circumstances. 

Besides de-identification, PETs are also becoming increasingly popular. Differential Privacy is being applied by Apple for privacy protection in its iPhones, while Federated Learning and Secure Multi-Party Computation are used by banks for loan credit decisions and other purposes. However, the application of these PETs is often costly and therefore is mostly supplied by large market players, though some third-party service providers are emerging. 

For small and medium-sized businesses, we believe encryption would be an effective low-cost solution to protect personal information. The most common options would be encryption of the Data at Rest, such as databases or files, to make sure data is unrecognizable even if a data leak happens, and encrypting the network traffic with HTTPS to make sure the Data in Motion is well-protected. 

Considerations for cross-border data transfer 

If a company is identified as a critical information infrastructure (CII) operator, or the scale of personal data being processed reaches the limitations set by the Cyberspace Administration of China (CAC) as stipulated in the PIPL, and the data inside the company is identified as ‘core data’ or ‘important data’ as defined in the Data Security Law (DSL) of China, then the data should be saved within the territory of China and cannot be transferred outside of China, unless it passes a security review conducted by the CAC.  

This data localization can create big challenges for companies, especially for their IT departments. It is common for MNCs to use a universal platform to serve all clients in different countries. Branch offices in China usually use IT systems built and hosted in the company’s headquarters, but this will inevitably lead to cross-border data transfer issues.  

Find Business Support

BUILDING STANDALONE IT INFRASTRUCTURE FOR YOUR CHINA OPERATIONS? OUR TEAM CAN HELP ENSURE COMPLIANCE

Companies who have standalone IT infrastructure in China in order to save related business data and personal information might still need to further use the data in China for other business purposes, such as AI-based analysis or big data analysis. The use of this data saved in a different location in China would be still considered cross–border data transfer. Moreover, allowing the other countries’ staff to remotely access data saved in China over the internet would in theory also fall under the scope of cross-border data transfer, although we don’t believe this is currently a high compliance risk. 

The good news is that the PIPL ‘borrows’ the concept of the Standard Contract Clause (SCC) from the GDPR, which allows companies to transfer personal information to overseas parties by signing a standard template agreement. Unfortunately, this template has not been published by the CAC yet. However, it provides a ray of hope for companies who can expect easier processes to be available in the future, compared to the significant efforts currently needed, such as conducting security reviews or receiving accreditation by an authorized agency, to transfer personal information outside of China. 

Privacy by design and by default 

With the data localization requirements described above, we anticipate that some companies will consider deploying new standalone IT infrastructure in China to support their business as a way of meeting the compliance requirements. Several basic principles related to privacy, which were first introduced by Ann Cavoukian, the former information and privacy commissioner for the Canadian province of Ontario, should be considered when designing and deploying new IT infrastructure and systems: 

• Proactive, not reactive; preventive, not remedial: In the software engineering industry, the cost of fixing a problem is always higher than preventing a problem from occurring in the first place. We believe this can also be applied to privacy protection. The best strategy for privacy protection when designing the system or IT infrastructure is letting privacy drive the design, instead of allowing the design to dictate the privacy measures. When a privacy violation likely cannot be avoided, further actions need to be taken to remedy the issue, incurring high costs. 
• Privacy as the default setting: When designing or configuring the systems or defining the internal data management process, privacy preservation should be the default setting. One common example of this is the choice offered when starting to collect personal data – should the data collection be opt-in or opt-out? The former gets an individual’s consent before collecting or processing personal data and lets the individual decide whether to allow his or her personal data to be processed. Opt-out just gives the option to withdraw consent after the personal data has been collected or processed. The opt-out method will be an obvious violation of any privacy law, including the GDPR and the PIPL. Similarly, some companies use CRMs to manage client contacts, for which there is usually a setting to control whether or not to allow the marketing team to send out promotional emails to contacts. This function should be turned off or set to ‘disallow’ by default unless the operator is certain that sending emails is an appropriate action under the current circumstances. 
• Privacy embedded into the design: This aspect may be particularly defined for the design of the software or IT system used for processing personal information. Like the design principle of ‘failure leads to safety’ used for third–generation nuclear power plants, privacy should also be so ingrained into the design that the system or process would fail without the privacy-preserving functionality. The privacy team should be involved from the beginning of the project to analyze system or process requirements and work with the system architect, software engineer, developer, and operations team to define the privacy requirements at each stage of the process. 

Organizational control measures 

Finally, all of the work described above must be done by personnel, either by internal teams or outsourced to an external team. Hiring a privacy team with qualified privacy expertise, which usually combines both legal and technology experts, is the top priority for a company when starting to deal with compliance risks.  Companies that don’t have a legal entity in China but provide services or products to people in China, or data processors who handle large amounts of personal information, are required by the PIPL to appoint specific personnel to be in charge of personal information protection. This is similar to the data protection officer (DPO) required under the GDPR. For small and medium-sized businesses that lack adequate internal resources, seeking a professional agency to play that role is a suitable option. 

Meanwhile, the company should consider creating effective processes for managing all work related to personal information protection, with well-defined and clear policies, procedures, and guidelines. Privacy awareness training is necessary to make sure all staff are aware of the importance of personal information protection to the business, clients, other third parties, and themselves. The employee should also have the ability to recognize personal information and must know what actions to take when processing personal information. 

• Previous Article Analisi ravvicinata della Legge cinese sulla sicurezza dei dati, in vigore dal 1 settembre 2021
• Next Article China’s Autonomous Driving Industry – An Introduction for Foreign Investors