Avoid Breaking China’s Personal Information Protection Law

On August 1, 2021, China passed the Personal Information Protection Law (PIPL), which is a major piece of legislation that will regulate how businesses handle personal information.

It went into force on November 1 and applies to any company considering doing business in China, even if they are not based there.

The Personal Information Protection Law, commonly known as the PIPL, has been in the works for quite some time. China has discussed this kind of omnibus legislation on personal information since at least 2015.

The current law stems from a non-compulsory 2017 standard called “Personal Information Security Specification,” which was implemented in 2018 and subsequently revised in 2020.

The PIPL vsn contrast, which will become compulsory beginning next year, is that it is a bit more comprehensive in its coverage of all personal data, and importantly, it is now going to be enforceable.

PIPL appears to follow many of the same rules as the European Union’s General Data Protection Regulation (GDPR), which went into force in May 2018. Essentially, it will give individuals control over how their personal data is utilized.

This authority includes choosing whether or not to receive marketing offers, as well as allowing and permitting the usage and processing of more sensitive data such as biometrics, financial information, and location services.

The PIPL is based on GDPR, which means it has the same principles and operational structure. Controllers, processors, the legal basis for processing, security procedures, organizational measures, notification of breaches, and more are all included.

The distinction is that this is taking place from a Chinese perspective, which implies there will be no independent watchdogs. The following sentence from the EU’s GDPR reads:

“Each Member State shall provide for one or more independent public authorities to be responsible for monitoring the application of this Regulation, in order to protect the fundamental rights and freedoms of natural persons in relation to the processing and to facilitate the free flow of personal data within the Union.” The sharpest distinction between China’s PIPL and the USG is that, in China’s PIPL, the term “sharp” does not appear.

If the PIPL has supervisory authorities, they are not separate from the state. In that respect, the PIPL is consistent with previously passed legislation, such as China’s Cybersecurity Law.

Organizations that handle more than a certain amount of personal data will be expected to hire a data protection officer who is responsible for data protection and will be subject to additional stringent rules in relation to specific activities, including cross-border transfers of personal information, among others.

The Cyberspace Administration of China (CAC) has published a draft set of rules, the Security Assessment of Cross-border Data, on October 29. The CAC’s draft measures state that for cross-border data transfers subject to mandatory agency hiring, there should be no limits to the amount transferred.

These restrictions, among other things, will force any cross-border company that collectively handles the sensitive personal information of more than 10,000 Chinese individuals to submit a security self-assessment to Chinese authorities for approval. In other words, the threshold for cross-border data transfers of personal information is extremely low, so such transfers will be closely scrutinized.

Many enterprises have effectively been GDPR compliant to date, but China is far less likely to accept firms that skirt the rules or do so minimally, and repercussions can be severe.

In addition to exponentially high fines, non-compliant businesses may have their business license revoked or their firm shut down permanently. The influence in China as well as across the world will be significant.

The strengthening of enforcement of all cybersecurity, data security, and data processing rules will result in a more severe approach from the Chinese authorities. Given China’s growing importance as a global force, the government desires to project a powerful image on data protection.

The GDPR will have a significant impact on our increasingly global society, regardless of whether companies that are already compliant with the GDPR feel less impact.

Regardless of how little you feel GDPR compliance has had an influence on your company, it will have an impact.

The government has the power to block any access to its citizens. Any violation of the PIPL may also result in a management penalty up to RMB 50 million or 5% of the processor’s revenue from the prior year.

Foreign governments are designated as “exceptional circumstances” in the law, and they will be treated differently than other foreign investors.

“If [foreign countries] adopt measures against China in the area of personal information, China may adopt retaliatory measures.”

China’s apparent targeting of US businesses in fresh action against the US suggests that these rules may be a direct response to Trump’s trade war with China.

This is a catch-all provision that provides little insight into, or control over, what China considers discriminatory. It has the potential to affect the flow of information, which is crucial in international commerce.Finally, here are a few Dos and Don’ts for achieving effective compliance with the PIPL:

  • Conduct a compliance self-assessment. In China, this will be crucial. You must begin to analyze your own position in order to know where you stand and where you have room for improvement in terms of non-compliance.
  • Know the dangers involved with each option you choose regarding PIPL.
  • However, continue to perform routine compliance checks.
  • Do not just brush it off.
  • Don’t expect to fly under the radar.
  • Don’t use a VPN to get around compliance regulations.

The PIPL is a long-awaited measure from China that will most certainly not be the last digital regulation to emerge from the country. It’s critical for businesses of all sizes to follow the rules of any new laws they may encounter.