On 20th August, China passed the Personal Information Protection Law (“PIPL”). Like the GDPR, PIPL aims to “protect the rights and interests of individuals,” “regulate personal information processing activities,” and “facilitate reasonable use of personal information”. The law will come into force on 1st November, giving companies that operate in China a little over two months to prepare.
Below, we give an overview of what the law means, why it’s been introduced and how to know if it applies to your business.
The story of PIPL so far
The PIPL is the latest in a series of regulations passed by China, following the introduction of the Cybersecurity Law and Data Security Law. Combined, it appears these laws have two purposes. As the Wall Street Journal notes:
China’s evolving data governance regime emphasizes consumer privacy while also prioritizing national security through data localization measures, cross-border data flow restrictions, and continued surveillance and law enforcement powers.
Indeed, as the digital economy becomes more globalised, it appears China is wary of trusting other nations with its citizens’ data. Moreover, while this law is framed as an attempt to protect citizens’ rights, it is also full of information security obligations that give a lot of power to the Chinese state. It could be said, then, that the PIPL is just as much about protecting national interests and control as it is about personal data protection.
To exemplify this point, and before we dive into the technicalities of the law, let’s take a look at Didi.
Didi is China’s equivalent of Uber. Earlier this year, Didi was listed on the US stock market. The move was one for the history books. Didi’s US IPO was the largest by a Chinese firm since Alibaba debuted in 2014. However, things quickly took a dark turn.
Within days, China’s cybersecurity regulator, the Cyberspace Administration of China (“CAC”), launched a review into Didi over concerns about how it processed personal data. Shortly after, it ordered Didi to suspend new user registrations and had the app removed from app stores.
The reasoning for the crackdown on Didi is vague to say the least. Analysis in the media is far ranging. Some speculate that China is genuinely concerned about its citizens’ privacy. Others wonder if the government is paranoid about the potential impact of international data sharing. Regardless of reasons, though, it’s clear that, with moves like this and the introduction of the PIPL, China is cracking down on data privacy – and organisations need to take note.
So, let’s dive into the law. The first thing to understand is if the law applies to you.
PIPL: A law with extraterritorial effect
The PIPL applies not only to companies based in China, but also to international companies that process the data of Chinese citizens. Its scope is set out as follows:
- Organisations based in China that process the personal information of China’s citizens
- Organisations based outside China that process the personal information of China’s citizens, where the purpose of the processing is:
  - To provide products or services to citizens based in China
  - To analyse the behaviour of citizens based in China
What all this means is that, if your business collects, processes or interacts with the data of people based in China, then the PIPL applies to you.
The PIPL vs the GDPR
The PIPL borrows many principles from the GDPR, but also has its own unique provisions that require special action. We take a look at some of the main implications below:
- You will need a special institution or representative in China: Under the GDPR, you may need to appoint an EU representative if you fall within the territorial scope of the Regulation and are not established in the EU/EEA. Similarly, for the PIPL, you must set up a special institution or hire a representative in China who can handle personal data matters on your behalf. You also need to make this person/organisation known to China’s regulatory body, CAC.
- You will need a lawful basis for processing: Again, like the GDPR, the PIPL mandates that organisations have a “lawful basis” for processing personal information. However, the PIPL does not recognise “legitimate interests” as a lawful basis. It does allow the processing of personal data – without consent – in certain circumstances, including:
  - Where the organisation needs the data to perform legal responsibilities
  - In the case of a public health emergency
  - To carry out news reporting – within reason
- Acquiring consent: PIPL’s definition of consent follows similar thinking to the GDPR, in that it must be freely given, informed and demonstrated by a clear action by the individual. It can also be withdrawn. The PIPL also requires separate consent for instances where a processing entity wishes to share personal information with another processing entity, disclose information publicly, process sensitive information or transfer personal information internationally.
- The right to claim compensation: Again, like the GDPR, the PIPL puts power in the hands of citizens to bring lawsuits against companies that violate their data privacy rights.
- Blacklisting: The PIPL gives the Chinese government a lot of power over who gets to process Chinese citizens’ data. One article enables the government to create a blacklist of overseas organisations that will not be allowed to process the personal data of Chinese citizens, on the basis that the organisation has harmed China’s national security or public interests.
Cross-border transfers overlap with the GDPR to some extent, but this point needs a little more explanation. As under the GDPR, cross-border transfers require extra diligence, including:
- Providing individuals with information about the transfers and obtaining their consent
- Conducting a personal information protection impact assessment prior to processing
- Ensuring that overseas recipients have suitably robust levels of protection as required under the PIPL
As well as this, processors that are deemed to handle a large amount of personal information – or that are considered operators of critical information infrastructure (CII) – will need to store their data in China. If such a processor wishes to transfer any of this information overseas, it will need to pass a security assessment conducted by the CAC.
What is CII?
This brings us to CII – a term that has existed in Chinese law since the introduction of the Cybersecurity Law five years ago. In the case of Didi, discussed above, CII was the critical point of contention. China considered Didi to be a CII operator, so its IPO in the US – and the resulting potential for critical information to be transferred across tense borders – may well have been looked upon disapprovingly.
However, the definition of CII is vague at best. The PIPL does not contain a definition, while China’s Cybersecurity Law only broadly defines it as “an infrastructure that, in the event of damage, loss of function, or data leak, might seriously endanger national security, national welfare or the livelihoods of the people, or the public interest.”
As with the GDPR, there are penalties for organisations found to be in violation of the PIPL. Regulators can issue warnings, order corrective actions to be made and issue fines – hefty ones at that.
Fines can be up to 5% of an organisation’s annual revenue for the previous financial year or up to 50 million RMB. It’s worth noting that, thus far, the PIPL hasn’t specified whether annual revenue refers to revenue generated in China or global revenue – but this is likely to be clarified in due course.
While the PIPL is only a couple of months away from reality, there is still quite a lot left to be clarified. The Chinese authorities can be expected to publish additional guidelines that clarify organisations’ duties. As well as this, given the onslaught of action against organisations in China for data privacy infringements already, compliance with the PIPL may end up being a case of learning from others’ mistakes.
Moreover, it’s worth remembering that this law is about more than just consumer privacy – it’s about protecting national interests. As Karman Lucero, a fellow at Yale Law School’s Paul Tsai China Center, noted, the PIPL will not have “legal limits on government surveillance. … Chinese civil society still has very limited means of ‘watching the watchmen’.”
If you think the PIPL applies to your company, then the time to act is now.
Ultimately, compliance with the PIPL will need its own distinct strategy. Most multinational organisations will be affected by the law and must take immediate steps to ensure compliance.