Does your company have Chinese clients? Do you hire local Chinese employees or engage with Chinese third-party suppliers? Do you keep records of Chinese nationals in your CRM? Then you had better pay close attention to China’s Personal Information Protection Law (PIPL). Over recent months Beijing has outlined its regulatory vision in keeping with the global data protection trend, and, parallel to the European GDPR, PIPL is the first law specifically regulating the protection of personal information in China. The law was officially enacted on November 1st 2021, after an expedited process – an act that on its own testifies to the high priority the Chinese government gives to personal information protection.
The essence of the law – explained
leaks, scams, or the illegal trade of personal information, the law aims to make personal information processing much more transparent.
Practically speaking, personal information processors must notify their data subjects that information about them is being collected, and obtain their consent. Furthermore, companies doing business in China have to explicitly explain to their data subjects the specific purpose for which the information is being collected, and store this data for the shortest time necessary. In return, individuals can refuse to provide information and can ask for it to be deleted in the future.
Personal information handlers’ duties are not confined to obtaining consent. In addition, they are required to establish internal mechanisms that guarantee the protection of information during each information-processing stage: collection, storage, usage, provision, disclosure, and deletion.
While the law is mainly enforced within China, its reach also extends beyond China. PIPL’s extra-territorial application states that under several circumstances, and in cases where valid international agreements are in place, the law allows the cross-border transfer of personal information to take place so long as the data is unidentifiable. Moreover, data exporters are obligated to ensure that data protection standards are not compromised, either in China or outside of it.
Practical Takeaways for companies in China
As with other laws in China, a striking concept that international companies have a hard time adjusting to is that the law’s implementation might vary between provinces in China, and sometimes even between cities within the same province. Put differently, international companies doing business in China must ensure they comply with both the national and the local regulations in the specific location where they are registered and operating. Those who will have a harder time navigating the new laws are companies doing business in several localities, such as internet companies, which are required to abide by the local regulations in each province where they engage in business. It goes without saying that noncompliance will be heavily sanctioned, and it is worth noting that PIPL fines are considered to be among the highest in China. One more noteworthy issue is that the one who bears the legal responsibility and consequences for a violation is the company’s legal representative in China (in case there is no appointed data officer).
Until there are clearer local regulations in place, here are some things international companies doing business in China can take into consideration at this stage:
Put someone in charge
Appoint a data security officer, whose job is to monitor the law’s national and, most importantly, its local implementation. It’s recommended that this person be physically located in China to closely follow the developments and be personally contacted when needed. It is also advised to appoint someone in the HQ to liaise with this data officer to ensure that regular updates and communications flow smoothly between the entities.
Implement data mapping & digital audit processes
International companies with business ties in China must constantly monitor that they are fully compliant with all Chinese legal requirements. According to 2023 regulations rolled out by Beijing, every company engaged in the cross-border transfer of personal information of Chinese nationals, for whatever reason, should follow two steps:
(1) Create and submit a personal information protection impact assessment report. This report should include information on the type of data transferred, the reasons for transferring it outside of China, who might have access to this data, and how it is handled and protected, among other things.
(2) Draw up a standard contract outlining the responsibilities of the parties involved in the cross-border data transfer. The government has published a template for this contract.
These regulations concern any company engaged in cross-border personal data transfer, regardless of the nature of its business or the quantity of data it transfers.
Separate and manage a CRM server for China
International companies with branches in China and overseas might need to operate separate CRM servers, one for the Chinese entity and one for the parent company. It is recommended to start looking into the technical implementation of this requirement now, so as to be prepared when it is needed in the future.
Learn about the new cross-border data transfer policy
As mentioned above, cross-border data transfer is now rigorously restricted. If you need to transfer the personal information of Chinese nationals outside of China, you should:
- Pass a security assessment
- Undergo a personal information certification
- Conclude a contract with the foreign receiving side in accordance with a standard contract formulated by the State (article 38/3)
Consider getting consent as early as the hiring process
Consent can be waived in several situations, such as when concluding an employment contract in China or if employment laws exclude this obligation. However, this exemption is subject to strict conditions, so to stay on the safe side, it is recommended to get consent in any case and as early as possible in your engagement with a prospective Chinese employee.
Although PIPL has already been ratified into national law, local governments have yet to issue their specific compliance requirements. While it is unclear when local regulations will be publicized, it is estimated that after the Chinese New Year (around mid-February 2022), local authorities will push to enact their respective regulations in their jurisdictions. Some areas, Shanghai for instance, are already in the draft phase. In the meantime, bear in mind that PIPL adds another pillar to China’s data governance and legal frameworks, and it should be viewed in tandem with China’s Data Security Law and Cybersecurity Law as a potential point of contention for your business.
As compliance becomes more complicated, it’s advised to get in touch with a local China expert to enjoy comprehensive China business support and to ensure that your business is covered.