China’s long-awaited Personal Information Protection Law (“PIPL”) was finally enacted on August 20, 2021, and will take effect on November 1, 2021. PIPL supplements the existing privacy rules established by the Cybersecurity Law and the Data Security Law. It focuses on personal information protection, sets comprehensive rules for how companies may process the personal information of individuals, and regulates the whole lifecycle of handling personal information, including collection, storage, use, processing, transmission, provision, disclosure, and deletion.
What Are The Significant Challenges?
As a milestone information privacy legislation, PIPL will bring significant challenges to companies engaged in processing the personal information of individuals located within the territory of China, including without limitation:
- PIPL requires companies to obtain “a specific consent to process sensitive personal information (including biometric identification, religious belief, specific identity, medical health, etc.)” from individuals, in addition to a general consent to process their personal information. Few companies currently satisfy this requirement and should therefore promptly review and update their internal policies.
- PIPL imposes more stringent requirements on cross-border personal information transfers: companies must pass the security assessment organized by the governmental authority, obtain a personal information protection certification, or sign data processing agreements with the foreign data recipients. Although the implementing details of these requirements remain unclear or are still being fine-tuned, companies that have taken a wait-and-see approach should immediately begin to assess their exposure on these matters.
- PIPL echoes the data localization requirement introduced by the Cybersecurity Law in 2017, which requires operators of critical information infrastructure to store locally all personal information collected and generated during operations in China. In addition, PIPL extends this requirement beyond operators of critical information infrastructure to all personal information processors that handle personal information in volumes exceeding a threshold to be prescribed by the Chinese government (the threshold has not yet been determined).
- Employees may resist a company’s compliance investigations, background checks, or HR information collection by relying on the statutory rights PIPL grants them as data subjects, such as the right to request that the company correct, supplement, or delete their personal information, or explain its data handling rules.
It is also worth noting that PIPL sets severe penalties for violations, such as a fine of up to RMB 50 million or 5% of the company’s turnover in the preceding year, revocation of business licenses, or even personal liability for company executives. As a result, data-related practices that multinationals have treated as routine in the past, such as cross-border personal information transfers during due diligence or daily HR management, may no longer be compliant and may expose the company to significant administrative fines or even jeopardize its business operations.
In terms of timing, unlike GDPR, which allowed companies a two-year period to comply with the new law, PIPL requires companies to implement the principles set out in the law within a short time-frame, i.e. three months from its enactment in August 2021. Companies will therefore need to act fast to identify and resolve their China data management issues before November 1, 2021.
What To Expect?
PIPL is considered a game changer for many companies, in particular hi-tech companies that use algorithms and data analytics, such as recommendation engines, for behavioral advertising and targeting of their major customers. Under PIPL, such customized recommendations must preserve each customer’s right to object rather than rely on acceptance by default. We expect this to substantially affect the current business and profit model of many hi-tech companies.
In addition, large-scale consumer-facing businesses operating in China are likely to be affected by the enhanced statutory requirements. Tech companies operating online or in social media marketplaces must, among other things, establish fair and transparent rules about how data is collected and handled on their platforms. It is essential for international companies doing business with China to review their situation and conduct data audits in order to understand where they stand under the new law and where their compliance gaps lie.