How to do data-compliant business in China

A primer on PIPL and the data regulation framework

China has some of the strictest data protection laws in the world. And with the creation of the country’s new Data Security Commission, these laws now have, extra teeth.

The Personal Information Protection Law (PIPL), which came into effect in November 2021, applies to all organizations that process personal information of individuals located in China, regardless of whether the organization is in China or not.

PIPL is unique in that it is the first nationwide framework designed to protect processing of personal information.

Together with the Cybersecurity Law (CSL, 2017) and Data Security Law (DSL, 2021), PIPL forms a three-pronged approach to data security and compliance that all organizations doing business in China should familiarize themselves with.

NEW IN 2023: CHINA’S NEW NATIONAL DATA BUREAU

A creation of the 14th National People’s Congress (China’s Legislature), the 2023 National Data Bureau is a new body that has been created by the Chinese government to strengthen data security in the country.

The Bureau is responsible for coordinating data security policy across different government agencies, and it has the power to issue regulations and directives on data security.

What’s changed? The new Bureau will take over significant responsibility from the Cyberspace Affairs Commission, which was previously the primary supervisory agency for data-related matters.

The Bureau is, at least theoretically, likely to make data compliance both more transparent and more rigorous for firms. it will be responsible for enforcing PIPL and other data security laws.

In terms of financial penalties ,it’s roughly comparable to laws like GDPR, imposing fines of up to 50 million yuan (about US$7.4 million) or 5% of an organization’s annual turnover (in other words, not small change for egregious breaches).

HAS THE CURRENT LAW BEEN APPLIED YET?

Yes, as mentioned in the introduction, we’re seeing a number of cases going through the courts already, most recently a company called China National Knowledge Infrastructure (CNKI) was fined nearly US$& million for developing mobile apps that gathered data without users consent.

This is one of the more prominent cases but there are others. Therefore, it is vital to understand the implications of these new stricter laws and make sure you are abiding by them.

WHAT EXACTLY DOES PIPL REQUIRE OF MY BUSINESS?

The PIPL sets forth a number of requirements for organizations, which will be more-or-less familiar to anyone who has dealt with Europe’s GDPR or California’s CCPA:

• Obtaining consent from individuals before collecting or processing their personal information.
• Providing individuals with access to their personal information and the right to correct or delete it.
• Taking reasonable security measures to protect personal information.
• Not transferring personal information to countries or regions with inadequate data protection laws.

Establishing a data protection officer (DPO) to oversee compliance with the PIPL.

If you’d like to learn more, Deloitte have a good summary of PIPL, which is notable for having a higher level of emphasis placed on “sensitive personal data” than GDPR-like legislation, so it is doubly important to make sure that you’re processing this sort of data correctly if you’re doing business in China.

One key difference with GDPR:

Data outbound from China inherently falls under PIPL’s “risky” category, and will require a Personal Information Protection Impact Assessment (PIPIA) from your company.

In addition to the PIPL, the Chinese government has also taken other steps to strengthen data protection in the country. In early 2023, the government created the National Data Security Commission (NDSC), which is responsible for coordinating data security policy across different government agencies.

The NDSC has the power to issue regulations and directives on data security, and it can also order organizations to take corrective action if they are found to be in violation of data security laws. This is a big step in showing China’s firm intentions in how it plans to deal with data protection breaches.

WHAT’S IMPORTANT FOR ME TO KNOW?

Business that operate in China or collect personal information from Chinese citizens need to be aware of these laws and regulations and take steps to comply with them.

Here are some broad-level tips for businesses on how to observe China’s data protection rules:

1. Ensure you have what PIPL defines as a Personal Information Handler (PIH) to take responsibility for data protection, in much the same way as a DPO does in western countries.
2. Be transparent about how you collect, use, and share personal information. Particularly if this involves cross-border data transfers. PIPL requires impact assessments to be performed if you’re going to transfer data across borders. (Note that this is one of the key provisions that CNKI breached, hence the large fine.)
3. Give individuals meaningful choices about how their personal information is used. PIPL mandates full disclosure of how data will be used and how long it will be retained for. Most importantly provide a mechanism for informed consent for these “data subjects” to provide consent to.
4. Implement appropriate technical and organizational measures to protect personal information from unauthorized access, use, disclosure, alteration, or destruction. This usually starts with data mapping and risk assessment processes, so you can start here.
5. Have a plan in place to respond to data breaches. Remember that the damage from a data breach isn’t purely a matter of legal liability, it’s reputational too!

GET IN-DEPTH GUIDANCE ON COMPLIANCE

Crown Records Management can provide expert guidance on compliance data protection legislation round the world. If you’d like to chat with an expert about how to ensure you’re compliant with data protection legislation wherever you are in the world, get in touch today.