How to Stay Compliant with China’s New Personal Privacy Protection Law?

How to stay compliant with China's GDPR?

If you are expanding you’re business to China, you will want to ensure you are aware of China’s version of the GDPR- which differs from the West’s laws.

If your website collects personal or sensitive data, you will want to ensure that you understand how China’s Personal Information Protection Law (PIPL) might affect your business’s operations in mainland China.

This post will discuss the PIPL, its data processing, consent requirements, and cross-border data transfer. We’ll look at how it stacks up to the GDPR and then discuss how your foreign company can ensure compliance in China.

What is the Personal Information Protection Law?

The Personal Information Protection Law, the PIPL, is China’s first comprehensive data protection law.  

The PIPL helps form the framework that gives China’s government a broad enforcement capability—resulting in a more regulated environment for international businesses operating in China.

The PIPL’s framework is similar in size and scope to the European Union’s General Data Protection Regulation (GDPR).  Both laws require:

1. A lawful purpose for data collection and processing,

2. require consumer consent to process data, and 

3. give consumers the right to access or delete their information.

However, a significant difference from the GDPR will impact how international companies handle cross-border data transfers.

If companies are compliant with Europe’s GDPR, they are going to be finely complying with the Chinese privacy law

Alexa Lee, Senior Manager of Policy at the Information Technology Industry Council

Key Definitions

Personal information is all kinds of information and data recorded by electronic or other means related to identified or identifiable individuals.

Personal information handling (or processing) includes personal information collection, storage, use, processing, transmission, provision, disclosure, deletion, etc.

Personal information handler refers to organizations and individuals that, in personal information handling activities, autonomously decide handling purposes and handling methods.

What is the Purpose of the Personal Information Protection Law?

Article 1  of the law states that the purpose of the PIPL is to: 

1. Protect personal information rights and interests, 

2. Standardize personal information handling activities, 

3. Promote the rational use of personal information.

The purpose of the law, as described in Article 2, is to provide legal protection to Chinese citizens' personal information, stating that "No organization or individual may infringe on citizens’ personal information, rights and interests.”

Who does China's PIPL apply to?

Article 3 outlines that the law applies to any organization or business that is "handling the personal information of individuals within the borders of the People’s Republic of China.”

What Consent is Required to Collect and Process Personal Information in China?

The consent required by the PIPL is very similar to the GDPR. Chapter 2  of the law stipulates that user consent is only considered valid if it is knowingly and explicitly granted. Your organization must provide individuals with the full extent of personal information processing methods and intended use in clear and straightforward terms. 

Users also have the right to withdraw their consent anytime, and your organization must provide an easy option.  

For practical purposes, consent banners and opt-outs for GDPR compliance will likely fulfill the requirement under the PIPL. 

Consent will also be required to conduct marketing to individuals through personal information processing. The PIPL also stipulates that businesses must offer consumers options that do not target personal data or provide a way to decline the processing of their data. 

If the processing method or intended use changes at any time, your organization must re-obtain permission from the individual to process the data.

What Requirements and Constraints Exist for Data Processing in China?

Once an organization has proven the legal basis for personal processing information, the PIPL sets forth a series of requirements and constraints to regulate the processing, including special rules for international organizations operating within China. 

These rules include:

1. Organizations based in China must set up a specialized agency or appoint a representative for data compliance.

2. Cross-border data transfers must be submitted for approval by the Cyberspace Administration of China.

3. Foreign companies operating in China must appoint a local representative who will bear responsibility for PIPL compliance.

4. Data processing contracts are required between controllers and processors. 

5. Organizations must conduct risk assessments before processing sensitive data, transferring data abroad, or using sensitive data for automated decision-making.

6. Data handlers must localize data within mainland China. 

How does the PIPL's Impact International organizations operating in China?

China’s approach to how your international organization must handle cross-border data transfer is more restrictive than under the GDPR as described in Chapter III of the PIPL.

Article 40 states that your organization “shall store personal information collected and produced within the borders of China domestically.”

If your organization truly needs to provide personal information outside of China, article 38 outlines the procedure required to export data, which includes one of the following:

• Passing a security assessment organized by the State cybersecurity and informatization department according to Article 40 of this Law;

• Undergoing personal information protection certification conducted by a specialized body according to provisions by the State cybersecurity and informatization department;

• Concluding a contract with the foreign receiving side in accordance with a standard contract formulated by the State cyberspace and informatization department, agreeing upon the rights and responsibilities of both sides;

• Other conditions are provided in laws or administrative regulations or by the State cybersecurity and informatization department.
  

What happens if my company isn't compliant with the PIPL?

Chapter 7 describes the legal liability and penalties for organizations out of compliance.

A breach of this new law can significantly impact an international company’s ability to do business in China. 

Imagine that your foreign company is evaluating the opportunity to expand into China. Suppose your website is accessing personal data in China and breaches any PIPL requirements. In that case, your company could be “blacklisted,” which would prevent it from entering the Chinese market. Thus, the PIPL compels any foreign company that accesses personal data in China to implement the necessary protective measures to ensure compliance.  

Companies already operating in China face a different risk.   A breach would put a company at risk of losing its business license and significant financial penalties of up to 50 million RMB or 5% of its yearly turnover.

How can International Organizations stay Compliant?

If your international organization is must to stay compliant with the PIPL's strict new cross border data transfer law, you have a couple of viable options.

Option 1: Store Your Data on Servers in Mainland China

 The simplest and most straight forward solution is to host all of your data on servers in mainland China.

Option 3: Legal Cross Boarder Data Transfer

If your company relies on popular e-commerce platforms like Salesforce Commerce or Shopify, they rely on data centers outside China to store user data.  This means, by default, these sites are out of compliance with the PIPL.

If your company relies on popular platforms like these, or if you need to move data outside of China for other legitimate business purposes, Chapter III provides you with an avenue, as mentioned above. 

A security assessment is required to move personal data outside of China legally.  You can think of a security assessment, like getting a business or ICP license.  The security assessment should be straightforward if you are operating an honest business and the data is for legitimate business purposes. 

What Are the Next Steps?

As you can see, it is not straight forward to stay compliant in China's new Personal Privacy Protection Law.

If you are interested in this subject and need more information, we will be glad to help you tackle China's amazing market. Do not hesitate to contact us!