The PRC Personal Information Protection Law (PIPL) has come into force as from November 1, 2021.
Most multinational companies doing business in China (MNCs) should have implemented some compliant programs according to leading privacy legislations elsewhere, such as GDPR or CCPA. We found that PIPL has quite a few China specific features. As such, for businesses in China who are already GDPR and PIPL compliant, additional efforts may need to be considered and made.
PIPL applies a wide approach of long-arm jurisdiction. When a data processing activity is made for the purpose of (i) providing services or products for persons located in China, or (ii) analysis or assessment Chinese individual’s activity, PIPL will apply. This long-arm approach could in theory subject (many offshore) websites using cookies or similar technology to the PIPL jurisdiction.
Appointment of data protection officer
Under GDPR, if a non-EU entity occasionally process personal data, it could be exempted from the requirement of appointing a data protection officer. PIPL has a different approach and requires any foreign entity collecting personal data in China to appoint a representative officer who should be physically based in China. In addition, unlike GDPR, such a data protection officer faces personal liabilities in some cases.
Cross-border data transfer
PIPL adopted a protective and sophistic approach governing cross-border data transfers. This includes, just naming some, the requirement of “separate consent” by individuals, the government approval or record (by ways of mandatory “security assessment” or “accreditation by government approved agencies), the standard agreements, et cetera. Companies who plan to transfer or aggregate the Chinese data into their global data inventory shall carefully review their data flow, map the data processing acts and adjust technology and security settings.
The term “data processor” confusing
Under PIPL, the term “personal information processor” refers to entities who decides the purposes and means of data processing for themselves, which is comparable to the term “data controller” under the GDPR. Meanwhile, those vendors who are instructed by data controllers to process data (which would be “data processor” under GDPR) are named “entrusted persons” in PIPL.
GDPR-complied privacy notices, data processing agreements and internal data policies should also be reviewed carefully, and should be reworded to PIPL compliant.
PIPL unfortunately contains terms and words without clear definition. For example, PIPL identifies “particular identity of a person” as a category of “sensitive personal information”. However, PIPL provides no definition to clarify the meaning of this critical term. Other vague terms include “right to decide”, “classification of data” and “enforcement departments”. These terms are expected to be interpreted in the future when new laws and regulations become available.
PIPL exhibits certain cultural characters distinctive to those of western countries. For example, PIPL’s scope of “sensitive personal information” contains a few matters that are not deemed to be “sensitive” under the GDPR, such as “financial account information”, “personal movement tracking records” and “particular identity of a person”. In fact, each of these categories of data are deemed to be “sensitive” with certain cultural or social reasons, deriving from precedent cases, industrial regulations or other concerns of the government.
On the other hand, PIPL’s scope of “sensitive personal information” does not include those items more sensitive in western world, such as “racial or ethnic origin”, “political opinions”, “trade union membership” and the “sexual orientation”.
The PIPL must be considered along with other data-related laws in China, including the PRC Data Security Law (DSL) and the PRC Network Security Law (NSL). For example, if a company’s business is deemed a “key information infrastructure”, NSL could be applied to prohibit cross-border data transfer.
Also, since the enforcement authorities of DSL and NSL overlap with the authority of the PIPL, it is predictable that the Chinese authorities may combine their PIPL enforcement team with their teams of DSL/NSL enforcement. Foreign companies who have presence in China need to work with their local counsels to monitor the latest development on the ground.
FuJae has a separate newsletter regarding the recent draft regulations on government assessment and approval of cross-border data transfer. Click here to read.
* * *
Donnie Dong. Admitted to practice in both the State of New York and China, the author is a Certified Information Privacy Manager (CIPM) by the International Association of Privacy Professionals (IAPP).