China’s Personal Information Protection Law, adopted August 20, 2021, becomes effective on November 1. The PIPL establishes a comprehensive data protection structure for the collection, use, and disclosure of the personal information of individuals located in China. The law, similar to the EU’s General Data Protection Regulation (GDPR), has extra-territorial reach applying to businesses without a presence in China and applying broadly to businesses that offer goods or services or analyze or assess the activities of an individual located in China.
For businesses subject to its requirements, it is important to quickly assess compliance and take steps to mitigate risk.
Here are a few steps for your business to take:
First, determine whether your business is collecting and processing personal information from individuals located in China. If so, confirm that your business practices conform to the PIPL’s seven data protection principles to govern the processing of personal information. These include legality, explicit purpose, minimum necessary, transparency, accuracy, accountability, and data security.
Second, evaluate whether you are prepared to honor consumers’ rights to their personal information. The PIPL provides consumers with a host of rights, including: (i) the right to know; (ii) the right to decide on and limit or object to the processing of their personal information; (iii) the right to access; (iv) the right to a copy of their information; (v) the right of correction; and (vi) in limited circumstances, the right of deletion. Additionally, a consumer has the right to withdraw previously granted consent to process personal information.
Third, confirm that you have an appropriate legal basis to process personal information. The contemplated legal bases include consent, executing or performing a contract, performing a legal obligation or duty, responding to a public health event or protecting the safety of an individual’s life or property, or publication of news and supervision of public opinion for the public interest (within reasonable scope). Unlike the GDPR, the PIPL does not recognize a business’ legitimate interest as a valid legal basis.
Fourth, if you are delegating processing to a third party (vendor or service provider), review your agreement to ensure it stipulates: the purpose of the processing, the types of information being processed, protection measures, and allocation of liability.
Finally, if you must transfer data outside of China, be aware that the cross-border transfer provisions of the law have certain open questions. The law requires that data be localized unless (and until) the business can comply with the data transfer provisions of the PIPL, which vary depending on the type of business transferring the data. Additionally, consent of the individual is always required prior to a cross-border data transfer.
The broad reach of this law combined with its speedy implementation will make compliance challenging for many businesses. If you do business in or with individuals in China, we recommend that you track this law closely.
