It’s no secret that cybersecurity issues in China have been a hot topic of debate lately. Chinese data security is particularly relevant for businesses with commercial connections in the country.
While many countries have tightened their privacy laws in recent years—like the European Union’s General Data Protection Regulation (or GDPR)—it’s been widely accepted that China is falling behind in their data protection efforts.
That changed on November 1, 2021, when China’s Personal Information Protection Law (PIPL) came into effect. China’s very first comprehensive data protection law, the PIPL was a critical evolution of Chinese data protection efforts, recognized internationally as a positive step in our increasingly connected cyber world. And yet, it poses new challenges to companies processing data in China or data relating to residents of the country.
So, what exactly does PIPL do?
Like most cybersecurity legislation, the primary purpose of the PIPL is to safeguard personal information rights and interests, regulate the processing of personal information, and encourage appropriate use of personal information (read: collect and securely store personal information when necessary, and use it only for the purpose for which it was collected). The PIPL adds to China’s previously lacking cybersecurity and data security legislation, bolstering the country’s regulatory approach to cyberspace alongside Canada, the US, Europe, and the like.
The PIPL contains several key provisions that are set to impact businesses operating in China. For one, it requires that firms only collect personal information that is lawfully obtained, truthful and accurate. The PIPL also regulates how personal information should be processed, including requirements for technical measures to protect personal information against cyber threats. (Luckily, we specialize in delivering technical measures to protect that sensitive information.)
Under the PIPL, “personal information” is defined as any data relating to specific or identifiable natural persons recorded by electronic or other means, except for data that has been anonymized. In other words, it’s the center of what we do here at TeraDact: Personally Identifiable Information, or “PII.” The new Chinese law also regulates and protects the “processing” of that personal information, which includes the gathering, storage, usage, altering, transmission, provision, public disclosure, and removal of personal data.
Let’s get into the nitty-gritty. (We won’t blame you if you want to scroll on past this part.)
Here we go.
The PIPL is made up of eight main chapters. They include:
- General Provisions
- Personal Information Processing Rules
- Rules for Cross-Border Provision of Personal Information
- Individuals’ Rights in Personal Information Processing Activities
- Obligations of Personal Information Processors
- Departments Performing Personal Information Protection Functions
- Legal Liabilities
- Miscellaneous Provisions
The following is a general overview of some of the key provisions outlined within these eight chapters.
- Data Minimization Principle: The PIPL’s main tenet is that personal information should be collected, processed, and retained only to the minimum extent necessary for the specific purpose for which it is being processed.
- Legal Basis for Processing: The PIPL mandates a legal basis for the processing of personal data, with the most important being individual consent. This is similar to the GDPR in its approach. Several exemptions are permitted, including those related to the performance of a contract in which the individual is a participant or when processing is required as part of the management of public health emergencies.
- Extra-Territorial Scope: The PIPL is comparable to the GDPR in that it establishes a broad territorial scope, covering both the processing of personal information within China and processing undertaken outside of China where the personal data of an individual residing in China is used for (i) providing goods or services to individuals in China, or (ii) analyzing and evaluating the behavior of people within the country. Where a foreign processor falls within this scope, it must additionally nominate a local representative in China to handle compliance.
- Cross-Border Transfer: In the case of a personal information processor wanting to send such data outside of China, it must do so under contract with the Chinese government, pass a security inspection by the Chinese cyberspace administration, or obtain accreditation for data handling from a state-approved body. This obligation creates a significant compliance challenge for firms operating in China.
- Separate Consent: The PIPL also addresses several situations in which data subjects’ separate or written consent will be required, including cross-border transfers, the sharing of personal information with third parties, and the processing of sensitive personal information such as medical records and financial records.
- Data Residency: The PIPL goes a step beyond the GDPR and CCPA in that it adds an explicit additional obligation for Critical Information Infrastructure Operators (CIIOs), and other organizations that process personal data above a predetermined volume threshold, to store such data within China’s borders. The PIPL itself does not define what constitutes a CIIO; the Regulations on the Security Protection of Critical Information Infrastructure issued under China’s cybersecurity law state that Chinese government authorities are responsible for identifying CIIOs.
- Presumption of Liability: Under the PIPL, if the processing of personal information infringes on an individual’s personal information rights and interests and causes harm, the burden is on the processor to prove it is not at fault.
Enforcement and Application of the PIPL
The PIPL is enforced by the Cyberspace Administration of China (CAC).
Overall, the PIPL appears to be a valuable addition to China’s data privacy regulation. With its imposition, businesses will be more inclined to comply in order to avoid the hefty fines it provides for processors who break the law, including fines of up to 5% of their yearly turnover. Other notable forms of penalization include the revocation of business permits/licenses and individual liability for business executives.
Unlike the GDPR, the draft PIPL does not stipulate that a data controller or processor must have an “establishment” in China. However, aside from one minor exception, it does require that all data processing activities be carried out in China.
The PIPL appears to apply to a data controller or processor’s activities in China even if it does not have an established presence in the country. Conversely, the PIPL may not apply to a data controller or processor that has an establishment in China but whose processing activities are not executed in the country.
The PIPL has extraterritorial application and covers the following types of processing activities.
- Collection, processing, and storage of personal information on natural persons within the People’s Republic of China.
- Processing of personal information of natural persons within China from outside of the country, if such processing is:
  - For the purpose of offering goods or services to natural persons in China
  - To assess the behavior of natural persons in China
  - Other circumstances, as dictated under legal provisions and administrative rules
Essentially, the PIPL applies to and regulates any data processing that happens within Chinese territory and/or related to persons residing in China. If a firm outside of China handles personal information as described above, the PIPL requires it to establish a dedicated institution or designated representative in China for the purpose of dealing with personal information protection issues. It is required to provide the name and contact details of such a facility or representative to the Chinese authorities.
Concerned parties conducting business in China or otherwise processing personal information of Chinese nationals should act swiftly to adapt to the new restrictions if they have not already done so.
Given its extra-territorial application and the necessity to designate a local representative in certain circumstances, compliance with the new PIPL is even more essential for foreign businesses operating in China. Similarly, foreign actors must quickly assess whether they qualify as “critical information infrastructure operators” or have crossed the personal data processing volume threshold, since either would require them to build IT infrastructure in China to store that data locally.
PIPL compliance is something that impacted businesses should be prepared for, especially if they transfer personal information from China to the United States. Companies in affected industries should assess their existing data privacy policies and procedures for PIPL compliance, as well as make any necessary modifications.
It’s yet to be seen exactly how these protections will be made under the new PIPL once it’s fully established, but we’re willing to bet regulated companies will look to providers like TeraDact to protect their sensitive data. We have two products (Tokenizer+ and Redactor+) in our growing suite, developed just for purposes like this. It’s what we do best.