China’s Personal Information Protection Law (“PIPL”) is now in effect, prompting a surge in hiring for data protection officers under the nation’s first comprehensive consumer privacy law. The demand is so great, in fact, that the International Association of Privacy Professionals estimates that upwards of 500,000 organizations will appoint a DPO responsible for PIPL in the coming years—the same number of DPO registrations we saw in the first year after the enactment of the General Data Protection Regulation.
The DPO serves a key compliance role under PIPL. In short, the DPO is the point person under China’s new data protection law for both government and individuals’ inquiries. The law provides that DPOs may be personally liable for neglecting their duties under PIPL, enforced by fines and even criminal penalties. Compounding the risk is the fact that PIPL is written in broad and often ambiguous statutory language, making it difficult for firms to determine where they stand — even on the issue of whether they must appoint a DPO in the first place. Therefore, it is important to carefully examine the DPO requirement, first, by comparing the role with its GDPR counterpart; second, by assessing some of the practical responsibilities DPOs can reasonably expect; and finally, by addressing the regulatory gap in determining which organizations must appoint a DPO.
DPOs: GDPR v. PIPL
China’s new law naturally draws comparisons with GDPR because both are grounded in the language of data protection, user rights, and accountability. To achieve the latter, both laws require many organizations to appoint DPOs as the individuals tasked with ensuring compliance and liaising with government agencies. However, key differences exist between each law’s DPO provisions in scope and liability.
The first main difference is the statutory language that creates the DPO requirement. GDPR devotes three of its nearly 100 articles to stipulating DPOs’ requisite experience, mandating that organizations allocate enough funding for compliance programs, and providing other important details about DPOs’ duties under the law. PIPL, however, substantively discusses the DPO requirement and officers’ duties only once, saying that they are “responsible for supervising [processing] as well as adopting protection measures, etc.” PIPL does not specify DPOs’ expertise or skills, though future rulemaking certainly could, giving organizations at least momentary flexibility in staffing the position. And whereas GDPR prohibits organizations’ management from interfering with DPOs’ duties, PIPL only requires that DPOs ensure compliance with the law. PIPL likewise stops short of enumerating the kinds of compulsory administrative controls that organizations must implement, as GDPR does. But even though PIPL is light on details regarding DPOs, the law creates personal and criminal liability for officers who fail in their duties, which marks a clear departure from GDPR’s penalties.
PIPL allows enforcement authorities to personally fine DPOs and other personnel involved in violations of the law, the amount of which will depend on severity and other circumstances. The maximum allowable fine against a DPO is ¥1M, which is roughly equivalent to an average officer’s salary. DPOs also risk nonmonetary impacts on their social credit files, being blacklisted from serving in other high-profile positions in China, and facing possible arrest as part of a criminal investigation. Organizations in China may struggle to hire and retain DPOs without internalizing the kinds of staffing, resourcing, and administrative controls that are needed to ensure they comply with the law. Failure to create an environment where DPOs can exercise the degree of oversight called for under PIPL may result in DPO positions staying vacant, causing further compliance issues for organizations.
Almost overnight, PIPL transformed the role of DPOs in China from one that was confined to information security responsibilities to one that now assumes personal responsibility for organizations’ compliance with data protection law. DPOs are now expected to exercise broad oversight functions throughout the entire lifecycle of all covered information held by their organizations because the law’s compliance requirements fall squarely on DPOs.
This is mainly because PIPL creates duties on organizations to be responsible stewards of the personal information they process by preventing unauthorized access, leakage, distortion, or loss of user data. Achieving these ends requires that DPOs be given the means to formulate internal management controls and operating rules, adopt technological security measures such as encryption and de-identification, determine operational limits for data processing, regularly conduct security training for employees, and formulate and organize the implementation of security incident response plans.
In addition to overseeing their organizations’ compliance programs, DPOs should expect to monitor legislative and regulatory updates to the law, because several of PIPL’s 74 Articles authorize the Cyberspace Administration of China (“CAC”) – the national DPA – to promulgate new rules and issue guidance on PIPL compliance. Some of the areas of potential future changes include:
Circumstances that would trigger extraterritorial applicability of PIPL (Art. 3)
Lawful bases for personal information processing (Art. 13)
The contents of notifications to users regarding the processing of personal information (Art. 17)
Lawful purposes to transfer personal information out of China (Art. 38)
Data localization requirements and compulsory security assessments by the state (Art. 40)
Circumstances triggering the requirement to delete individuals’ personal information (Art. 47)
Measures organizations must implement to comply with PIPL (Art. 51)
The threshold amount of personal information held by organizations that triggers the DPO requirement (Art. 52)
Who needs to appoint a DPO?
Even though PIPL is now enforceable, it remains unclear which companies need to comply with the DPO requirement. This is because the law only requires that organizations that process a certain threshold of individuals’ personal information appoint DPOs, but no threshold number has yet been published by CAC or other agencies. In lieu of official guidance, organizations may look to analogous laws and statements by CAC, many of which indicate that the DPO requirement will apply to organizations that process personal information of hundreds of thousands or millions of individuals—and depend on the information’s sensitivity level.
Two recent documents released by CAC support this conclusion: Article 4 of the draft Outbound Data Transfer Security Assessment Measures and Article 6 of the draft Cybersecurity Review Measures contain threshold figures of 1 million individuals whose personal information is used by organizations. Another hint is found in the Personal Information Security Specification (GB/T 35273-2020), a nonbinding technology standards document that encourages organizations to appoint a DPO under any of the following circumstances: the organization’s main business activities involve personal information processing, the organization is staffed by more than 200 employees, the organization processes the personal information of more than 1 million people within a 12-month window, or the organization processes sensitive personal information of more than 100,000 people.
What was once a security-oriented role for DPOs in China has been elevated to serve the critical oversight function of ensuring organizational compliance with PIPL. Despite the importance of the role of DPO within PIPL, key questions remain about the role’s full suite of responsibilities. For instance, the position is mandatory for larger organizations, but the threshold size of those organizations is uncertain without clearer government guidance. Such guidance should also bring clarity to what DPOs can do to be successful in their role and to avoid the pitfalls of personal liability contained in the law, which may complicate some organizations’ efforts to staff the position. These unknowns notwithstanding, PIPL and its DPO requirement are here to stay, making it all the more important for organizations to monitor rulemaking and regulatory announcements from Chinese authorities that could fill in some of these gaps.