Like many countries around the world, China has shored up its data protection laws and regulations with the enactment of its Personal Information Protection Law (PIPL). The law constitutes one of the most important pillars of the country’s data protection legal regime, which includes a myriad of other laws — e.g., Cybersecurity Law (CSL) and Data Security Law (DSL) — and other industry-specific regulations and standards. Notably, PIPL explicitly references China’s Constitution and the Civil Code to provide a firmer legal basis for the implementation of its data protection objectives (Article 1). As such, PIPL compliance should not be viewed in isolation but rather examined in relation to other regulatory requirements that serve complementary purposes.
PIPL mirrors Europe’s General Data Protection Regulation (GDPR) in many of its core requirements and penalties, which may ease compliance for multinational organizations and corporations that have already established sufficiently robust data protection programs under existing law. However, some of PIPL’s requirements are nuanced and differ from GDPR, and may require a fresh review of existing company policies and procedures, which can create additional operational burdens. This article provides an overview of some of the key questions that many multinational organizations and corporations have been asking as they assess their PIPL readiness and plan for the most challenging aspects of compliance.
If we are already compliant with CSL and DSL, does that mean we’re automatically aligned with PIPL?
No. While CSL, DSL and PIPL are all parts of China’s data protection legal regime, they are three separate laws, each addressing a different set of regulatory focuses of various branches of the Chinese government while also supplementing one another. CSL, as a framework law, covers the main tenets of both DSL and PIPL. DSL is designed primarily for people serving within public security and law enforcement. It applies to data processing activities within the People’s Republic of China (PRC) and to data processing activities outside of China that could be detrimental to its national security and public interests. It also gives the Chinese government the authority to oversee data security and to categorize data based on its importance. CSL is administered by the Cyberspace Administration of China (CAC), the government agency in charge of cyberspace security and internet content regulation. PIPL straddles China’s civil law and other rules on market supervision and regulation, because privacy and the protection of personal information are recognized as civil rights that cannot be infringed by activities in the marketplace, such as big data acquisition, accumulation and monetization. In short, being CSL or DSL compliant does not necessarily make an entity sufficiently compliant with PIPL, and vice versa.
Is PIPL applicable to organizations without a presence in China?
Yes. PIPL (Article 3) extends the territorial reach of the law to any organization or individual, wherever located in the world, that handles the personal information of natural persons who are within the jurisdiction of China. For instance, if an offshore entity processes the personal data of individuals located in China (not just PRC citizens) in order to 1) provide services or products or 2) analyze or assess their behavior, then PIPL applies. Such an entity must also establish a special agency or designate a representative within China to manage the entity’s compliance with PIPL. Further, offshore entities are required to share the contact information of the designated agency or representative with the competent government authorities.
Do we need to register with the data protection authority or designate a Data Protection Officer?
Offshore personal information (PI) processors that meet the requirements outlined in Article 3 of PIPL are required to “establish a special agency or designate a representative within [China]” (Article 53). In addition to this representative requirement, Article 52 of PIPL requires the appointment of a “personal information protection officer” for both onshore and offshore PI processors if the volume of PI processed reaches a threshold set by the CAC. Similarly, Article 27 of the GDPR requires the appointment of an “EU representative” for companies outside the EU; under some circumstances, the EU representative requirement can be waived. PIPL does not provide details on whether and how this requirement can be waived for offshore PI processors.
Does PIPL conflict with existing regulations in other countries?
Quite possibly. PIPL restricts some data transfers out of China. While PIPL can be invoked in response to a subpoena or request for information from a foreign judicial or law enforcement authority, in practice an individual or entity that responds to such a request while staying compliant with PIPL may face adverse consequences (e.g., being held in contempt of court) in the foreign jurisdiction. Precisely what constitutes an impermissible cross-border transfer of data in this context requires careful consideration of all the Chinese data localization laws and of the foreign law enforcement or judicial body’s extraterritorial authority, and how one obtains approval from the Chinese government to export data under the circumstances described above is not entirely clear at this point.
How does the law impact our ability to conduct cross-border data transfers?
Cross-border transfer of personal information is indeed limited under PIPL. Driven mainly by concerns about national security (especially cybersecurity and data sovereignty), PIPL imposes stringent requirements on the transmission of personal data collected or generated within the territory of the PRC. While cross-border transfers of personal data are allowed under some circumstances, such transfers must be justified by specific and legitimate business needs. Further, the data transferor is required to take measures to ensure that the processing activities of recipients outside the PRC satisfy the same level of protection defined in PIPL. Finally, both a proper legal basis and consent from the data subjects are required for such a transfer to be lawful. Additionally, in October 2021, the CAC released the draft Measures on Security Assessment of Cross-Border Data Transfer. Once this measure is promulgated, the data transferor will also need to:
Assess whether they are subject to a security assessment administered by the CAC;
Take a close look at what the security assessment entails; and
Be aware of the government review procedure, as timing for data transfer can be critical, and any delay in security assessment clearance may be detrimental.
What specific protocols or procedures do we need to follow before transferring data?
There are two critical procedures organizations will need to have in place. These include:
Data localization: Critical information infrastructure operators (CIIOs) and personal information processors whose processing volume reaches the threshold prescribed by the CAC are required to store all personal information locally, within the PRC (Article 40).
Data export assessment: If a data processor is not a CIIO and has not reached the threshold prescribed by the CAC, PIPL provides that it may transfer personal information to other jurisdictions if it meets at least one of the following criteria:
It has passed the security assessment administered by the CAC.
It has been certified by a specialized agency for personal information protection under the CAC’s regulations.
It has entered into a standard contract (to be formulated by the CAC) with the overseas data recipient.
It meets other conditions prescribed by existing laws and regulations, or otherwise prescribed by the government (Article 38).
Is consent always required prior to processing personal information?
Under the PIPL, organizations can process personal information only on a lawful basis, and there are seven legal bases for doing so. Data subject consent is one of them. In addition to consent, Article 13 of PIPL offers the following non-consent bases:
Necessary to enter into or perform a contract to which the individual is a party, or where necessary to conduct human resources management according to lawfully formulated internal labor policies and lawfully concluded collective labor contracts.
Necessary to perform legal responsibilities or obligations.
Necessary to respond to a public health emergency, or in an emergency to protect the safety of individuals’ health and property.
To a reasonable extent, for purposes of carrying out news reporting and media monitoring for public interests.
Processing of personal information already disclosed by individuals or otherwise lawfully disclosed, within a reasonable scope in accordance with PIPL.
Other circumstances as required by laws.
What are best practices regarding how to handle an individual who chooses to withdraw their previous consent?
Where an organization relies on consent as its lawful basis for processing, it must offer a convenient mechanism for individuals both to give and to withdraw consent. In addition, it must provide privacy notices to individuals before processing their personal information, and PIPL requires that such notices be explicit and written in clear and easily understood language (Article 14).
For organizations operating outside of China, what are best practices regarding the required appointment of a representative located in China to help meet compliance?
The first step is to start early. Begin by checking whether PIPL applies to your company. Foreign entities handling or processing the personal information of Chinese nationals are advised to designate a representative located in China to facilitate communications with the government. This representative can be an individual or an agent entity.
Second, start your documentation early. If you have identified practical purposes for PI processing and transfer, document them, as they may form part of your lawful basis.
Third, notice and consent from the data subject are the guiding principles under PIPL. Before handling PI, a PI processor must provide notice in clear and understandable language and a convenient method for the data subject to give and withdraw consent.
In addition, check whether you meet your other obligations under PIPL, including but not limited to: a data subject access request (DSAR) mechanism, appropriate measures against unauthorized or unlawful processing, a data security breach incident response mechanism and the duty to report to the relevant agencies, personal information impact assessments (PIPA), and an internal protocol for data classification and management.
It is also important to note that PIPL does not provide details on how organizations are to handle location data or other specific data under unique circumstances. Guidance for these types of uncommon or otherwise uncovered scenarios will be provided depending on the organization’s sector and other applicable regulations. The key to maintaining compliance will be operationalizing the requirements outlined in PIPL and watching closely for further sector-specific regulations relating to data, personal information, and privacy.
The views expressed herein are those of the author(s) and not necessarily the view of FTI Consulting, Inc., its management, its subsidiaries, its affiliates, or its other professionals. FTI Consulting, Inc., including its subsidiaries and affiliates, is a consulting firm and is not a certified public accounting firm or a law firm.