You may have worked hard on GDPR compliance over the past three years, whether smoothly or painfully. You may have worked even harder to localize your privacy policies for the privacy laws of your other target markets, such as California's CCPA and CPRA, Thailand's PDPA, Brazil's LGPD and India's pending data protection bill.
Now you hear that China issued a Personal Information Protection Law (PIPL) in August 2021 that takes effect on November 1, 2021. You read a few articles by Chinese-speaking lawyers and conclude that the Chinese law does not appear fundamentally different from the GDPR: it recognizes a right to deletion and a right to data portability, and it provides lawful bases for processing personal data beyond customer consent. You are relieved. The PIPL looks like just another GDPR-modeled law, and what you need to do appears simple: sit back and edit the text of your privacy notice.
That assumption is wrong, and here is why.
1. Conceptual Differences
There are several conceptual differences between the GDPR and the PIPL. One is terminology. The PIPL's central term is the "personal information processor", which does not map onto the GDPR's controller/processor split: under the PIPL, the "processor" is the party that independently determines the purposes and means of processing, i.e. the GDPR's data controller, while a vendor that processes data on a processor's behalf is an "entrusted party" that nonetheless carries statutory duties of its own. Data controllers therefore need to amend their GDPR-aligned privacy notices, data processing agreements and internal data policies so the roles are named and allocated the way the PIPL expects, and IT service providers and other vendors (the GDPR's "data processors") need to launch a PIPL compliance program rather than relying on their customers' programs.
Another difference is the scope of "sensitive personal information", which calls for heightened care from whoever handles it. The PIPL's list does not cover "racial or ethnic origin", "political opinions", "trade union membership" or "sexual orientation", all of which are "special categories of personal data" under the GDPR. On the other hand, the PIPL treats as sensitive several categories the GDPR does not single out, such as "financial accounts", "whereabouts and movement tracking" (often translated as "travel records") and "specific identity". Each of these grew out of Chinese privacy-protection practice and relates to precedent cases or industry regulations, and the PIPL's list is expressly open-ended, so further categories may be treated as sensitive by regulators.
As a result, if your company processes any of these "sensitive" data in China, you must adapt your GDPR-aligned measures to include them. You may have to change the way data is collected and consent is obtained, as well as access control, storage plans and many other aspects of your privacy program. In particular, if your business is in finance, tourism, entertainment or education, it would not be surprising if a thorough audit, or even a restructuring, of your privacy program were required.
2. Enforcement Authorities
Unlike the GDPR, which requires each EU member state to establish an independent authority dedicated to supervising the enforcement of privacy law, the PIPL will be enforced by multiple government authorities, coordinated by the Cyberspace Administration of China. Data users therefore need a China-specific strategy for responding to enforcement actions by several authorities at once; the strategy you designed for a single GDPR supervisory authority will not carry over.
Further, the PIPL must be read alongside China's other data-related laws and regulations, including the PRC Data Security Law (DSL) and the PRC Network Security Law (NSL, also translated as the Cybersecurity Law). These laws likewise grant enforcement powers to multiple government authorities, so it is foreseeable that some authorities will merge their PIPL enforcement teams with their DSL/NSL enforcement teams. Foreign companies with a presence in China need to monitor developments on the ground so that a practical strategy for government relations can be formed.
3. Cross-border Data Transfer
Cross-border data transfer will not be a major issue for local Chinese companies with no plans to expand overseas, but it will certainly be an issue that deserves investment by MNCs. To comply with the PIPL, a foreign company (or its JV or subsidiary in China) may need to pass a "security assessment" conducted by a government authority or obtain a "certification" from a government-appointed institution. You may also have to use the standard data transfer contract published by the Chinese government, even where the transfer is between your own affiliated entities, as long as the data is transferred from China to your home country.
Again, the analysis has to be done against the wider picture of multiple laws rather than the PIPL alone. For example, if a company's business is deemed "critical information infrastructure", the PRC Network Security Law requires the personal data it collects in China to be stored in China, with any export subject to a government security assessment. Moreover, processors whose volume of personal information exceeds thresholds set by the Cyberspace Administration of China face the same localization and assessment requirement. These rules, restrictions and their exemptions differ from the GDPR's, so it is necessary to engage a suitable adviser to assess the risks under the PIPL and in the context of the Chinese legal system as a whole.
4. Data Protection Officers
Under the GDPR, a non-EU entity that processes personal data only occasionally may be exempted from the requirement to appoint an EU representative. In contrast, the PIPL requires any foreign entity that processes the personal information of individuals in China from outside China to establish a dedicated organization or appoint a designated representative physically located in China, and separately requires a person in charge of personal information protection once processing reaches prescribed volumes. You should therefore consider expanding your DPO team in China now. For all the reasons above, the team member in China should not be a junior hire or someone who spends only part of his or her time on data privacy matters.
Further, the PIPL extends its penalties to the individuals directly responsible for personal information protection. This means your colleague in China must be given sufficient power and authority to restrain the local business team's activities, or may well refuse the position because of the personal liability it carries.
In short, good GDPR compliance is certainly a good start for foreign companies seeking to comply with the PIPL, but it is only a start. A great deal of work remains for MNCs to localize their global privacy strategy for China. Data protection officers must act now to hire the right local experts if your company still has (or plans to launch) significant business in China. The PIPL takes effect on November 1, 26 days from now.
* * * * *
Author: Donnie Dong. Admitted to practice law in both the State of New York and China, the author is a Certified Information Privacy Manager by the International Association of Privacy Professionals (IAPP/CIPM).
This communication is provided as a service to FuJae Partners’ clients and contacts. It is intended for informational purposes only. It is not intended to create an attorney-client relationship or to constitute any form of advertisement.