Hoi Tak Leung, our regular contributor from Hong Kong, outlines the important parts of China's new Personal Information Protection Law which came into force on 1st November.
Data privacy laws in China have traditionally been fragmented, but efforts to consolidate those various regulations have intensified in recent years – culminating in the National People's Congress passing the Personal Information Protection Law ("PIPL") on 20 August 2021. The PIPL will become effective on 1 November 2021.
The PIPL is a substantial and significant piece of new legislation – and it will pose significant challenges to many companies' personal data practices, both because of its complexity and because it adds yet another law to many multinational organisations' international compliance efforts.
What does the PIPL mean in practice? We set out below the key aspects of, and actions required by, the new law.
Introduction and summary
China has historically had a patchwork of different laws (both in effect and in draft (but influential) form) containing different data protection requirements. The PIPL is China's first comprehensive law on personal data protection, and together with the Cyber Security Law ("CSL") and the Data Security Law ("DSL"), represents China's foremost legislative efforts for regulating its digital economy. It also draws extensively from (but does not duplicate) the European Union's General Data Protection Regulation.
In short – the PIPL will significantly increase the data protection requirements in China, with a particular focus on:
Given the short timeframe for implementation and our expectation that the Cyberspace Administration of China will issue further implementing measures and guidelines for the PIPL (including the standard contractual clauses for cross-border data transfer), it will be difficult to implement "fully compliant" solutions by 1 November 2021 – but there are various steps that can be taken right now by organisations looking to comply with the PIPL as part of their international data privacy compliance efforts.
What is a "data controller"?
At the outset, it is important to remember the following differences between PIPL terminology and that of various other data protection laws:
We will use the above terms in the remainder of this article – these are important differences when interpreting the PIPL.
China's data protection-related laws have historically focused on activities within China.
A significant expansion under the PIPL is that while it focuses on data processing activities within China, it also has extraterritorial effect – specifically, it applies to the processing of PRC residents' personal data outside PRC:
It is not clear at this stage how any extraterritorial application of data privacy laws would occur in practice.
What are the bases for processing personal data?
The PIPL remains focused on express notice and consent as the primary basis for processing personal information. One of its biggest distinctions from the GDPR (and the laws of other jurisdictions) is that there is no "legitimate interest" basis for processing and no explicit recognition of deemed or implied consent – despite various international lobbying efforts.
International data privacy trends are increasingly moving away from consent as the primary basis for processing personal data, so this is a surprising development in some ways.
Having said that, the PIPL provides other bases for processing personal data that, collectively, align with international standards:
In addition, there is a requirement for notification (rather than consent) where personal data is transferred for mergers, division, dissolution, and bankruptcy.
Any consent given may be revoked, without affecting data processing that took place prior to the revocation. Data processors may not refuse to provide products or services if data subjects withhold or withdraw their consent to non-essential processing.
What about separate or unbundled consent?
Design of consent mechanisms is a constantly evolving area that is of key interest to companies – both in terms of legal compliance and customer-relationship management (e.g. UX design).
A key (and to be monitored) aspect of the PIPL is that it requires separate / unbundled consent for the following activities:
It is not clear at present what a "separate / unbundled" consent means in practice. Does it mean that consent requires a separate acknowledgement or checkbox in writing to be made? That would be particularly difficult to achieve for digital economy companies. Also, can consent be procured on an "opt out" basis or does it have to be "opt in"? Any company in the digital economy would be keenly interested in these questions (both in China and elsewhere), given the commercial focus on ensuring as little "friction" as possible in procuring consent. This is an area that we will continue to monitor for regulatory and market practice guidance.
Will we need to keep personal information in China?
China has had different draft laws and standards that applied to the cross-border transfer of personal information. Many of you will note that the CSL mandated localisation of "personal data" and "important data" (i.e. data that raises national security or strategic issues for the Chinese government), applying to "operators of critical information infrastructure" (but with draft implementing measures indicating that it may apply to "network operators" as well). For example, the CAC has issued rules requiring automakers to store drivers' data in China.
The PIPL aims to create a standard applying to all such activities, in the following manner:
a personal information risk assessment on such transfer has been undertaken by the CAC;
a personal information protection certification from a certification body accredited by the CAC has been obtained; or
a contract (in the form of the standard contract released by the CAC) has been signed with the offshore data recipient, satisfying the relevant requirements and ensuring that offshore processing of personal data complies with the PIPL.
In practice, the above means that if consent is withdrawn by or not procured from the data subject, the data processor will need to have local data processing arrangements in place.
Finally, we note that the PIPL requires prior approval from a "competent Chinese authority", before any personal information in China can be provided to a "foreign judicial or law enforcement agency".
Neither of the quoted terms has yet been defined, and this may cause issues for foreign companies subject to overseas regulators.
Mandatory data breach notification
Data processors are required to take remedial measures and notify relevant competent authorities and impacted individuals of any data breach incidents – whether actual or potential. The notification's content includes:
However, data processors will not be required to notify breaches to individuals if remedial measures may be taken without harm being caused to individuals, unless required otherwise by authorities.
Also, under the PIPL (and unlike the GDPR or other data breach requirements globally), there is no materiality threshold or specific notification period for notifications –
Increasingly, data breach notifications are managed on a multi-jurisdictional basis. Without regulatory guidance, it is difficult to interpret how the China requirements would align with overseas requirements in the event of any multinational data breach. We await further regulatory guidance regarding this; in the meantime, we continue to advocate best and responsible practices for companies in dealing with any data breach, in managing and balancing legal, commercial and reputational risks.
Other points to note
The PIPL contains other points that are worth noting:
implementing internal management structures and operating rules;
undertaking data classification exercises;
adopting security measures (e.g. de-identification or encryption) to safeguard the personal data they process;
regularly conducting security education and training for employees;
formulating and implementing security incident response plans; and
adopting other measures specified by law.
In addition, before a data processor can conduct high-risk activities (e.g. processing sensitive personal data or cross-border transfer of personal data), it must carry out a personal information protection impact assessment.
the data subject has been informed of such processing, including the necessity of the processing and its impact on the data subject's rights and interests;
a personal information protection impact assessment is undertaken prior to such processing; and
separate/unbundled consent is obtained from the data subject.
establish and implement compliance frameworks for personal information protection;
establish an independent body to supervise compliance;
decline to provide (or terminate the provision of) services to third parties on the platform that breach personal data-related laws; and
regularly publish social responsibility reports.
any such decision-making will be non-discriminatory;
data subjects are provided with information to ensure their understanding of such decision-making where it significantly impacts their rights and interests; and
for such decision-making per the above point, such decisions are not made on a purely automated basis.
Conclusion and next steps
The PIPL brings significant compliance challenges, particularly given the short timeframe.
In practice, how an organisation will comply with the PIPL is likely to differ on an organisation-to-organisation basis, including with reference to any further sector-specific regulations that may apply. We are currently helping a number of clients with their PIPL compliance efforts – and we recommend that the following steps are taken as a first step towards compliance:
We note that some of the above processes can be aligned closely with an organisation's international practices but will also need to be reviewed in line with the DSL, CSL and other relevant requirements.
In a broader context, the PIPL marks a significant milestone for data protection in China. It is also a continuation of the Chinese government's efforts to regulate the digital economy sector. On the same day that the PIPL was passed, the state media outlet People's Court Daily published an op-ed regarding the PIPL, calling for entities that use algorithms for "personalized decision making" — such as recommendation engines — to obtain user consent first. According to newly issued industry guidelines entitled "Automated Intelligence Ethics Guidelines" dated 25 Sep 2021, service providers should expressly inform users where AI technology is used, specify the functions and limitations of the AI products and services, and provide easy ways for users to opt out of AI-facilitated services so as to protect users' privacy. Such guidelines are not given the status of law but are considered best industry practice and will likely have de facto binding effect if the regulators seek to enforce them proactively, which will expand the scope of "consent". Organisations that use AI technology to serve their clients should closely monitor this space for further developments.
As both China and the world contemplate how to regulate the Internet, the digital economy and data flows – we expect the regulators in China to issue significant regulatory guidance that will affect how the PIPL is interpreted and enforced.