China Passes Data Privacy Law That Affects Chinese and Foreign Companies

Publish Date

Type

Cyber Alert

Topics

  • Privacy
  • Cybersecurity

The government of China passed a data privacy law on August 20, 2021, with far-ranging implications for companies in China, and for companies located outside China doing business with Chinese consumers. The Personal Information Protection Law of the People's Republic of China (PIPL) is scheduled to come into effect on November 1, 2021.

The PIPL affects all companies and other entities, both in China and outside China, engaged with personal information about individuals residing in China. This includes private equity firms and their portfolio companies. The privacy rights afforded to individuals are similar in scope to the European GDPR and other large scale privacy laws.

The PIPL is scheduled to go into effect in November 2021. Therefore, companies that will be impacted must prepare now to be compliant.

Highlights of the PIPL include:

  • Personal Information – Any information relating to identifiable natural persons in China, recorded in any form, that has not been anonymized
  • Processing – Activity related to personal information, including collecting, storing, using, transmitting, refining, publicly disclosing, deleting, and more
  • Legal Basis for Processing – Processing of personal information (PI) must follow establishment on the basis of one of the following:
    • Consent by subjects
    • Contract purposes per accepted labor rules
    • Public health emergencies or similar circumstances
    • News reporting and similar acts of public interest
    • Data already made public by data subjects
    • Other circumstances stipulated by Chinese law
  • Personal Information Impact Assessment - A PIIA is required for multiple scenarios, including:
    • Processing sensitive personal information
    • Using personal information to conduct automated decision making
    • Entrusting third parties to process personal information, providing personal information to third parties, or publishing personal information
    • Providing personal information abroad
  • External Companies Must Establish PI Liaison Contacts – If a current liaison does not exist, companies outside China must:
    • Designate specific individuals within the company, and or
    • Designate a representative in China for dealing with PI matters
    • Report the name and contact details to the relevant Chinese PI Protection Authorities (including the Cyberspace Administration of China – CAC, relevant state council and local government representatives)
  • Cross Border Processing – Depending on the type of organization and type of data, firms will have to implement one or more of the following mechanisms to legitimize the transfer of PI outside of the PRC
    • Consent from individuals (with revelation of purposes, methods, procedures)
    • Consent from legal authorities (CAC certification)
    • In limited circumstances (e.g., critical infrastructure), a security assessment
  • Privacy Rights – Individuals in China have the privacy-related right to:
    • Know and decide related to PI
    • Restrict or prohibit use of PI
    • Consult and copy private information from processors
    • Get their PI in portable form
    • Correct and delete PI
    • Request that processors explain processing rules
  • Penalties
    • Fine of up to 50 million renminbi (RMB) or 5% of processor turnover amount
    • Confiscation and rectification of illegal gains
    • Suspension of operating permits
    • Potential direct liability of individuals (directors, supervisors, PI protection officers)
    • Potential public interest action

ACA guidance

The Chinese PIPL data security law is far-reaching, and similar in scope to the European GDPR and other large scale privacy laws. The necessity to establish direct contact with Chinese authorities regarding privacy protection as well as the stiff penalty structure of this regulation further underscores the seriousness with which companies engaged with Chinese PI must treat this law.

Additionally, the PIPL stands alongside two other key Chinese data security and cybersecurity laws. The Data Security Law (DSL) was passed in June of 2021, and goes into effect on September 1, 2021, and the CyberSecurity Law (CSL), which has been in effect as since 2017. Together these laws form a “three-legged-stool” approach to a comprehensive data protection regime.

The short timeframe for implementation likewise adds to the urgency involved. Firms that have staff or teams engaged in privacy protection efforts will need to adapt their existing models to accommodate the new Chinese regulation. Firms that do not have privacy programs in place are urged to rapidly develop them, and/or engage the services of trusted third-party service providers in this regard. Firms that have taken a wait and see approach with China should immediately begin to assess their exposure.

Many of the details regarding the PIPL are still being fine-tuned. ACA will provide further information as it becomes available, including developing a frequently asked questions (FAQ) document. This document will provide more granular detail regarding specific requirements, operational impact of requirements (including mergers and acquisitions), steps firms can take to meet these obligations, and areas that require further clarification by regulators.

How we help

ACA Aponix® offers the following services related to China’s data privacy regulations and other existing and forthcoming data privacy regulations:

If you have any questions, please reach out to your ACA Aponix consultant or contact us below.

If you have any questions, please contact your ACA Aponix consultant or contact us here.