China’s Privacy Law: How to Assess and Maintain PIPL Compliance
Privacy & Compliance | December 12, 2022
What is the PIPL?
In August 2021 the Standing Committee of China’s National People’s Congress passed China’s first comprehensive data privacy law, the Personal Information Protection Law (PIPL), which went into effect on November 1st, 2021.
Similar in size and scope to the EU’s General Data Protection Regulation (GDPR), the PIPL Imposes serious restrictions on how personal data can be collected, used, and managed.
Along with China’s Data Security Law, the PIPL will form a framework that will give China’s government broad enforcement capabilities and create a strict compliance environment for the nation’s Big Tech companies—and international businesses operating in China—for years to come.
In this post, we’ll break down what we know about the PIPL, its requirements for data processing and consent, and see how it stacks up to the GDPR.
What are the PIPL’s Goals?
The stated goals of the PIPL are to “protect the rights and interests of individuals” and facilitate the “reasonable use” of personal information through the regulation of personal information processing activities.
The four official declared goals of the law are:
- To protect the rights and interests of individuals.
- To regulate personal information processing activities.
- To safeguard the lawful and “orderly flow” of data.
- To facilitate reasonable use of personal information (Art. 1).
Who Does the PPIL Apply To?
The rules set forth by the PIPL apply to any organization that processes the personal information of Chinese citizens for the purpose of providing them with products or services, analyzing or assessing their behavior, or for “other purposes to be specified by laws and regulations.”
The law applies not only to Chinese companies but to foreign firms processing such data, even if the processing occurs outside of China. In order to process the data of Chinese citizens, Foreign “personal information processing entities” must follow certain guidelines and requirements to do so, as outlined below.
The PIPL will not prevent China’s government from accessing or processing personal data.
A Note on Language: While the PIPL largely mirrors the roles of Data Processor and Data Controller set up by the GDPR, the nomenclature has been changed. Under the PIPL, what would normally be called a Data Controller is a Processor, and what we would typically call a Processor is ca;;ed a trusted entity. For clarity, I will be using the original GDPR terms throughout this article.
What is Considered Lawful Basis for Data Processing Under the PIPL?
Like the GDPR before it, under China’s PIPL, any organization that processes personal information must have a lawful basis to do so. In Article 6, the law stipulates that any personal information processing “have a clear and reasonable purpose,” and shall be “limited to the smallest scope for realizing the processing purpose.”
In addition to consent, which we will cover in more detail in the next section, the following are considered a lawful basis for processing under the PIPL:
- Processing necessary to enter into or perform a contract to which the individual is party.
- Processing necessary to conduct human resources management under labor rules formulated and collective contracts entered into in accordance with laws.
- Processing necessary to respond to public health emergencies, or to protect the safety of an individual’s health and property in an emergency.
- Processing for purposes of carrying out news reporting and media monitoring for public interests, to a reasonable extent.
- Other circumstances required by law
What Consent Requirements Exist Under the PIPL?
Consent requirements under the PIPL largely mirror the requirements set forth by the GDPR. User consent is only considered valid if it is knowingly and explicitly granted, with full information of the extent of personal information processing. Users also have the right to withdraw their consent at any time, and an easy option to do so must be made available.
The PIPL also stipulates that consent must be obtained when processing personal information such as medical or health information, biometrics, or financial records.
For practical purposes, that means consent banners and opt-outs set up for GDPR compliance will likely pass muster under PIPL. Finally, consent will also be required to conduct marketing to individuals through personal information processing. The PIPL stipulates that businesses must offer consumers options that do not target personal data, or offer a way to reject the processing of said data. Any application which illegally processes personal data without consent is subject to suspension or termination.
What Requirements and Constraints Exist for Data Processing?
For organizations that have proven a legal basis for personal information processing, the PIPL sets forth a series of requirements and constraints that dictate the rules for processing, including special rules for international organizations operating within China or targeting Chinese citizens for data processing. The PIPL stipulates that:
- Organizations based in mainland China or Hong Kong must set up a specialized agency or appoint a representative for data compliance.
- Cross-border data transfers must be submitted for approval by the Cyberspace Administration of China
- Foreign companies operating in China must appoint a local representative who will bear responsibility for PIPL compliance.
- Data processing contracts are required between controllers and processors
- “Large data handlers” must localize data within mainland China. The CAC will determine what constitutes a large data processor.
- Organizations must conduct risk assessments before processing sensitive data, transferring data abroad, or using sensitive data for automated decision-making.
- Online platforms must appoint privacy review committees and publish social responsibility reports.
Is There a Private Right of Action Under the PIPL?
There is no private right of action under the PIPL. However, violators of the law are required to compensate individuals for any harms, including statutory damages, caused by their violations.
What are the Penalties for Noncompliance with the PIPL? How Will it be Enforced?
Violations of the law will incur fines ranging between $7.7 million up to 5% of the previous year’s business revenue. The law will be enforced by the Cyberspace Administration of China (CAC), the nation’s cyber and data protection regulator.
How the PIPL Compares to the GDPR
While much of the language in the PIPL draws inspiration from the GDPR, other key tenets distinguish it from its predecessor. There is a significant focus on cross-border data transfers and broad governmental rights–It would not be unfair to characterize the law as national security legislation, at least in regards to international organizations. For example, the PIPL affirms China’s intent to defend what it calls digital sovereignty. Essentially, that means anything the government feels infringes on the rights of its citizens, jeopardizes national security, or goes against the public interest will face restrictions. These restrictions may bar some companies from doing business there.
Companies that need to transfer data internationally will need state-approved contracts, will need data processing practices certified by a state-approved body, and may need to undergo a security review by Chinese regulators.
And, as noted above, organizations China considers “critical information infrastructure operators,” or handle large amounts of user data, will need to store data inside China.
Bans on Algorithmic Discrimination
One interesting distinction from the GDPR is the PIPL’s ban on algorithmic price discrimination. According to the law, if personal information is used in automated decision-making, that process has to be transparent, and individuals cannot be subject to different transaction terms. That means platforms cannot show users different prices based on an algorithm’s assumptions on a user’s situation, or ability or willingness to pay.
I’m already GDPR compliant, Does that make me PIPL compliant?
In many ways, complying with the GDPR will help meet many of the requirements under the PIPL. However, there are key differences that go beyond GDPR provisions, including:
Defining lawful basis differently. Some uses under the GDPR may not be acceptable under the PIPL.
- Classifying financial data as sensitive date while the GDPR does not.
- Additional requirements for data localization and different cross-border data transfer regulations.
- Granting rights for personal data upon death
- Requiring representatives in China
- Requiring notification of any data breaches immediately, rather than within 72 hours as specified under GDPR
In short, ensuring GDPR compliance will accomplish many of the objectives of the PIPL, but not all of them.
How to Assess PIPL Compliance
One of the challenges with PIPL compliance is the lack of specificity in much of the law, along with its rapid implementation. While the GDPR gave organizations two years to prepare for implementation, PIPL went into effect less than three months after being passed into law.
However, if you are collecting or processing personal information from individuals in China, you will need to comply. Here are seven key areas that businesses need to address as part of the effort to comply with the PIPL:
- Identify a clear lawful basis for data processing
- Review and implement consent requirements
- Manage cross-border data flows
- Conduct a formal data protection impact assessment
- Create a system to manage data subject requests
- Appoint a Data Protection Officer and China representative
- Review gatekeeper provisions
Identify a Clear Lawful Basis for Data Processing
One of the first things organizations need to do to make sure they comply with PIPL is review their data processing standards. Under the PIPL, businesses must have a lawful basis for any data that is collected, stored, or processed related to a Chinese citizen. The PIPL requires personal information is to be limited to the smallest scope to fulfill that purpose.
You must have a clear and reasonable purpose for data collection or use. Currently, these purposes include data processing that is necessary to:
- Enter into or perform a contract
- Conduct human resources/personnel management practices per labor policies or collective agreements
- Comply with legal duties
- Respond to public health incidents or protect the rights and interests of Chinese citizens
- Report on news or supervision of media to protect the public interest
While the GDPR uses “legitimate interest” as a lawful use, such as commercial interests or marketing, the PIPL has no such stipulation. Businesses that use data for purposes outside those listed here need to take a careful look at their data processing policies with their legal counsel.
Review and Implement Consent Requirements
In most cases, the PIPL requires that organizations obtain consent for data collection and processing. Companies should review their collection and use policies to make sure consent is collected where required.
- This includes consent for data use such as:
- Sharing with other data processors
- Providing personal data to recipients beyond Chinese borders
- Publicizing personal data
- Processing sensitive data
- Data for minors under the age of 14
Articles 14 and 15 of the PIPL clarify that consent is only valid if individuals voluntarily and explicitly provide such consent with the full knowledge of how the data will be processed for each use. Consent banners must be obvious.
Consumers must also have an easy and convenient way to withdraw consent.
Manage Cross-Border Data Flows
There are significant restrictions within the PIPL regarding data that crosses borders. For example, organizations that are designated as Critical Information Infrastructure (CII) operators must submit to a mandatory security assessment conducted by the Cyberspace Administration of China (CAC).
For companies that are not designated as part of the CII, data transfers beyond Chinese borders require organizations to submit to a voluntary security assessment, be certified by agencies appointed by the CAC, or enter into an agreement with the CAC.
Once data leaves Chinese borders, the same protections will continue to apply, including data used by third-party processors.
Conduct a Formal Data Protection Impact Assessment
Organizations that process the data of Chinese citizens are required to conduct a data protection impact assessment (DPIA) and maintain a record of data processing activities. This works as a positive affirmation by organizations that they have complied with the PIPL and have implemented adequate protection measures to secure data in their possession.
Create a System to Manage Data Subject Requests
Under the PIPL, consumers have the right to request access and copies of data collections along with corrections or deletions of data, withdrawal of consent at any time, or portability of data.
Similar to the provisions in the GDPR, organizations must implement internal processes and policies for responding to requests promptly.
Appoint a Data Protection Officer and China Representative
To comply with the PIPL, you may also need to appoint a data protection officer (DPO) if you exceed a certain threshold amount as determined by the CAC. However, the PIPL does not specify what this threshold is.
You must also establish a local representative in China to handle matters relating to personal information processing.
Review Gatekeeper Provisions
Additional obligations are placed on large platform operations that include establishing an independent supervising body with external members to:
- Help create and manage rules on personal data protection
- Reject product or service providers that violate the PIPL
- Publish period reports on personal data protection policies
Organizations will want to review the “gatekeeper” provisions in the PIPL with their legal counsel.