Yahoo Inc. left the China market, suspending its services there in early November 2021 and citing an “increasingly challenging” business and legal environment. The exit came days after the Personal Information Protection Law (“PIPL”) took effect on 1 November 2021. PIPL consolidates data privacy provisions previously scattered across different laws and, together with the Cybersecurity Law (“CSL”, in force since 1 June 2017) and the Data Security Law (“DSL”, in force since 1 September 2021), establishes a broader legal framework for cybersecurity and data protection in China. Significantly, the new privacy law has far-reaching extra-territorial effect. It affects both domestic and multinational companies that process personal information of individuals located in China, and they must now review their business models and operational procedures regardless of whether the entities processing that personal information are located in China.
The PIPL is modelled on the EU General Data Protection Regulation (“GDPR”). Some of its key features are as follows :-
Extra-Territorial Scope
Similar to GDPR, PIPL extends its territorial scope to “personal information processing entities” outside China if the purpose of the processing is :-
1. to provide products or services to individuals in China;
2. to “analyze” or “assess” the behaviour of individuals in China; or
3. for any other circumstances as provided by law or regulations.
Such offshore entities are also required to establish a dedicated office or entity, or appoint a designated representative, in China to handle personal information protection matters, and to report the name and contact details of that office or representative to the relevant regulator.
Consent Necessary for Processing Personal Information
Unlike GDPR, PIPL contains no general “legitimate interests” basis for processing personal information. Consent is the principal lawful basis, supplemented only by a short list of statutory exceptions (for example, processing necessary to perform a contract or for human resources management, to comply with a legal obligation, or to respond to a public health emergency). Where consent is relied on, it must be voluntary, explicit and informed. All processing, whatever its basis, must follow the principles of legality, fairness, good faith, minimum necessity, openness and transparency, and must have a specific and reasonable purpose, limited to the minimum scope needed to achieve it.
In particular, an individual’s “separate consent” for the processing of their personal information is required when :-
1. sensitive personal information is processed;
2. the personal information is provided by a processor to another processor; or
3. the personal information is transferred outside China.
PIPL closely aligns with GDPR with respect to an individual’s rights over their personal information, including (1) the right to access, correct, erase, object to and restrict the processing of the individual’s data; (2) the right to data portability; (3) the right to an explanation of, and to refuse, decisions made solely by automated means; (4) the right to withdraw consent; and (5) the right to lodge a complaint with the regulator.
PIPL requires processing entities to respond to an individual’s request concerning their data in a “timely” manner, rather than prescribing a specific deadline for the response.
Processors’ Obligations to Safeguard Personal Data
Similar to GDPR, PIPL sets forth a regulatory framework that imposes stringent security safeguards and controls on all entities that process personal information, including requirements to :-
1. formulate internal management systems and operation procedures;
2. implement classified (tiered) management of personal information;
3. adopt corresponding technical security measures, such as encryption and de-identification;
4. reasonably determine the operational authorizations for personal information and provide regular security education and training for operational staff;
5. formulate and implement response plans for security incidents relating to personal information;
6. conduct regular compliance audits; and
7. adopt other security measures as stipulated by laws and regulations.
A processor that provides an important internet platform service, has a large user base or operates complex types of businesses is further required to build a robust data compliance programme (including a personal information protection compliance policy) and to establish an independent body, composed mainly of external members, to supervise its implementation. It must also monitor the product and service providers on its platform and stop providing services to those that seriously violate laws or administrative regulations in their processing activities, and it must regularly publish a social responsibility report on its personal information protection work.
Cross-Border Transfer of Personal Data
In general, a processing entity that plans to transfer personal information to entities outside of China is required to :-
1. provide individuals with certain specific information about the transfers and obtain separate consent;
2. adopt necessary measures to ensure that the overseas recipients can provide the same level of protection as required under PIPL; and
3. carry out a personal information protection impact assessment.
Unlike GDPR, which contains no data localisation requirement, PIPL requires critical information infrastructure operators and processors handling personal information above a volume threshold set by the Cyberspace Administration of China (“CAC”) to store that personal information within China. If such a processor must transfer it overseas, it has to pass a security assessment administered by the CAC first.
Other processing entities can choose to pass the CAC security assessment, obtain a personal information protection certification from a professional body recognised by the CAC, execute an agreement with the overseas recipient based on a standard contract to be released by the CAC, or meet other requirements as provided by relevant laws and regulations.
For serious breaches of PIPL, a processing entity may be fined up to RMB50 million (approximately US$7.7 million) or five percent of its previous year’s turnover, and may additionally face suspension of business or revocation of its business licences. Individuals directly responsible for the breach may be fined personally (up to RMB1 million) and barred from serving as directors, supervisors, senior managers or personal information protection officers.
With both the Data Security Law and the Personal Information Protection Law passed in 2021, China has formulated a strong framework and a powerful tool to regulate the data protection activities of domestic and foreign companies. It is important for all persons conducting business in or with China to have a clear understanding of the new law and to make the changes needed to ensure compliance.
If you have any questions on the above eNews or require advice on doing business in China, experienced lawyers in our China Business team will be happy to assist you.