Released late Friday night, the new Personal Information Protection Law (“PIPL”) will come into force on 1 November 2021. Compared to the 18 months for EU enterprises to adapt before the GDPR was launched 3 years ago, businesses operating in or with mainland China do not have much time to adjust practices.
Press outlets like the story below are dubbing the PIPL as one of the strictest data privacy laws in the world. While there are various onerous requirements, many articles are modelled on similar concepts under the GDPR and therefore resemble other regimes which have subsequently followed the GDPR in Asia and elsewhere. That will ease compliance in many aspects for international businesses that have already spent time and capital to become GDPR-compliant. Domestic organisations, particularly SMEs (Chinese- and foreign-invested), are arguably the ones with an uphill battle.
For privacy specialists who have been tracking the PIPL since its first public draft last October, there are not many big changes to certain key provisions that will be crucial for cross-border businesses to adapt to (see our previous alert). A summary of some of the key issues is below:
Data exports
- Localisation. The status quo remains for critical information infrastructure (“CII”) operators. These and other businesses handing personal information over an undetermined threshold have a default localisation requirement. If transfers overseas of PII are to be conducted, the same security assessment and business need requirement exists as under the PRC Cybersecurity Law. Unfortunately, we must await details from regulators on (1) who is a CII operator (see our note on the recently published CII rules), and (2) what the security assessment entails.
- SCCs. Unless businesses have to take a security assessment as mentioned above, operators will likely choose the option of conducting cross-border transfers via model contract terms to be released by the internet regulator – the Cyberspace Administration of China. Our sources suggest that these will follow the EU’s standard contractual clauses (or SCCs), so implementation should be a matter of refining to “Chinese characteristics” existing data transfer agreements rather than making wholesale changes to practices already adopted for European requirements. Timing for release of China’s SCCs is yet to be confirmed but businesses will need lead-time unless there will be an informal grace period after 1 November.
- Long-arm jurisdiction restrictions. Prior PRC regulator approval is required to provide personal information to overseas judicial or law enforcement agencies. Presumably these data exports will need industry-level regulator approvals, but this is to be confirmed. The working assumption of many market players is that disclosures prescribed under listing rules and other routine foreign disclosure regimes should be exempt; the conflict of rules should only bite where foreign regulators are conducting investigations or enforcement actions. Multi-nationals will need to build internal clearance protocols into their data management processes to avoid non-compliance, unless they can get consents upfront for set categories of transfers – “white lists” of safe transfers and responsible members of government relations and legal and compliance teams will need to be appointed to oversee this.
Extraterritoriality
- GDPR in reverse. The concept from the earlier drafts of the PIPL remains as is. Similar to the GDPR’s approach that overseas data processing should comply with the PIPL if the purpose is (1) to provide products or services to individuals in the PRC, or (2) to analyse or assess the activities of individuals in the PRC. (Note that “outside of the PRC” here means outside of mainland China, so activities conducted by MNCs’ regional hubs in Hong Kong SAR, for instance, would be caught.) However, PRC law does not have the benefit of European Court of Justice case law or previous regulations in this area on the scope of/limitations to this extraterritoriality. While businesses might think that one-off KYC-type searches on PRC nationals would be permitted (as in the EU) and regular behavioural tracking would not, further PRC rules or guidelines are needed.
- Onshore representatives. Overseas personal information handlers must establish a dedicated entity or appoint a representative in the PRC to be responsible for matters related to the personal information handled by them. This rep must be reported to local authorities to act as an on-the-ground contact. Presumably international organisations will designate a DPO or other officer at a mainland China-based subsidiary, but group-level reporting lines will be important for internal controls.
Processing conditions
- New conditions. Newly introduced processing conditions other than consent (such as the performance of a contract with the data subject) are helpful for businesses to collect and process personal information more freely, as in other Asian jurisdictions that have followed the GDPR-model.
- Consent still key. However, it is still the case that the PIPL’s processing conditions, other than consent, will not automatically override the requirement to solicit consent where specifically set out in other laws (e.g. for banking client onboarding) and much of the data sharing envisaged under the PIPL. There are strict notice and consent requirements under the PIPL for any onshore transfers of personal data to affiliates or third parties which are also data controllers and for any cross-border transfers. In short, each data recipient must be named, its contact details included and a summary of the key terms of its data privacy policy (if not the whole policy) set out – just listing broad categories of recipients as would be general practice currently in the PRC and in many other jurisdictions will not fly. Requiring this level of specificity for data privacy notices/policies and the potential requirement, in practice, to constantly refresh notices and consents if data recipients change is concerning for business operators. The approach that some businesses take to cookie policies in the EU may be a solution but work and consultation is needed on this point.
- Processor transfers. For data processors (or "entrusted persons" as they are called in the PIPL), only a data processing contract between controller and processor is needed, assuming that processing is within the scope originally notified to the data subject. In contrast to the position for controller-to-controller transfers described above, therefore, there would appear no need to name each data processor. This could help lower the compliance burden with careful structuring of data transfers but businesses will again need to think this through.
- Separate consents. Transfers to data processors do not require “separate consent” from the data subject, whereas this new type of consent under the PIPL attaches to transfers onshore to controllers and any transfer on a cross-border basis. Despite requests during the public consultations on the draft PIPL, there still seems to be no clarity from the PRC authorities as to the form of this “separate consent” (i.e. is it an “unbundled consent” or a consent for each transfer on a case-by-case basis?). Clarity from regulators on this point will no doubt be requested as soon as possible.
Sanctions
- Board-level issue. Fines of up to RMB50 million (approximately USD7.72 million) or up to 5% of annual turnover apply to serious violations of the PIPL. However, there is still no clarification as to whether the percentage fine would (like the GPDR equivalent) be calculated based on domestic or worldwide revenue. While there is apparent precedent for recent anti-trust sanctions in the PRC to be calculated based on a group’s domestic revenues, either way boards need to make data compliance a priority in the current climate of enforcement.
- Personal liability. In addition to the organisation, in-charge managers and other directly liable personnel may be fined up to RMB1 million when breaches of the PIPL occur. Personal liability has also been extended under the final form of the PIPL to allow the authorities to prohibit directors, supervisors, high-level managers and personal information protection officers from holding these positions for a certain period. Again, managers have incentive to take note.
Sector-specifics
- Sector-agnostic. The PIPL generally does not target particular sectors, albeit there are specific rules for large platforms and those using AI and other automatic decision-making tools. As such, the types of impact on / topics to be addressed by different businesses operating in the PRC will generally be the same. However, the PIPL’s focus is on personal information (unlike the Data Security Law). Therefore, it is fair to assume, where there are more retail clients associated with a business, it will be more important to ensure client-facing privacy notices, client onboarding contracts, etc., are adjusted according to the PIPL. Changes will of course map across in many cases but, for corporate clients, consents to processing data of corporate representatives will (pending further guidance) need to be obtained via confirmations from the corporate client.
- Industry regulations. How industry-level regulators react following the release of the PIPL will be important too. As is already the case in banking, telecoms and other heavily regulated areas, it can be expected that further rules will be released. Businesses in those sectors need continue to monitor – and where possible provide constructive input into – new regulations as they are prepared and released over the coming months.
The wait is over. Time to implement. One early operational exercise will be to assess data flow arrangements as soon as possible and the impact of the PIPL on data privacy notices and policies and the consent solicitation process.
Happy to discuss.