China had a lot of legislative movement in the area of data privacy this year. On June 10, 2021, the Data Security Law (DSL) was passed and it became effective on Sept. 1, 2021. This is a broader law applying to data processing activities for personal and non-personal information, both electronic and non-electronic. It addresses many critical gaps present in the country’s 2016 Cybersecurity Law. On Aug. 20, 2021, the Personal Information Protection Law (PIPL) was passed and went into effect on Nov. 1, 2021. This law more closely mirrors the EU’s GDPR and regulates processing personal information. It provides more rights to Chinese consumers like the ability to access, correct, and delete their personal data. Both laws place emphasis on national security and accordingly model principles around data processing, cross-border transfers, and enforcement. Organizations located in the U.S. that handle Chinese data need to understand the sweeping effects that will follow from these laws and make all necessary changes to privacy compliance plans.

Key Features of Each Law 

As noted, the DSL is broader and operates more like catchall legislation because there were many gaps hindering data handling regulation and enforcement under the Cybersecurity Law. Below are some of the DSL’s key provisions:

• The Cybersecurity Law primarily focuses on managing data and security applying to website and app operators, but the DSL more widely encompasses all organizations that process data (electronic and non-electronic) that could affect national security, public interest, or lawful consumer rights. The definition of public interest is still unclear and could be interpreted broadly when enforcement actions ensue. The DSL also regulates the entire process of obtaining, exporting, and using data to ensure all activities are monitored appropriately.
• The DSL applies to activities outside of China, which means US companies that handle data falling under this law need to ensure it is protected and used properly.
• The DSL directs the Chinese government to establish a data classification system that dictates which data is of the utmost importance and requires heavier scrutiny – like information pertaining to national security or key public interests. Guidance on data classification and data processing is expected to be released in the near future.
• Data processors are required to establish a security policy and system to monitor risk. There are regular reporting requirements for processors that handle data needing higher levels of protection. All other processors are only required to report security breaches. The DSL also endorses the Cybersecurity Law’s safety review requirement when exporting core data – like information pertinent to national security.
• Penalties are more severe under the DSL with fines up to RMB2 million (almost 310,000 USD) for data breaches. The penalty ceiling increases to RMB10 million (almost 1.6 million USD) if the data affects national interests. An organization that does not maintain compliance with the law may also face potential suspension or closure. It is still unclear which agency will carry out enforcement under this law.

The PIPL more narrowly regulates data processing activities related to personal consumer information, like social security numbers and other sensitive identifiers. Below are some of the PIPL’s key provisions:

• Data processors need to notify consumers of their data rights, like the right to know the purpose for collecting personal information and the right to modify or delete data. Consent is necessary before data collection, sensitive information should only be minimally processed when necessary for a legitimate purpose, and retention should be controlled so consumer data is not just sitting on company servers with no purpose.
• Data controllers need to appoint a personal information protection officer and conduct continual impact assessments to ensure data is handled appropriately. The presumption of fault rests with the data processors.
• There are restrictions on data transfers between China and other countries, including a security review mandate or standard data transfer agreement.
• Organizations that do not maintain compliance will face fines up to five percent of their annual turnover or $7.7 million USD, whichever is a higher amount.

Data Privacy Compliance Tips

The emerging trend with global privacy laws is that being proactive fosters successful compliance. It can be difficult to keep up with what laws apply to an organization’s activities, as most new privacy laws have an extraterritorial effect similar to China’s new laws. The good news is that this is not the first rodeo for many larger corporations that likely have already implemented a global privacy compliance program or have one in the works. While some of an organization’s data controls will undoubtedly further compliance under the DSL and PIPL, there are some specific considerations requiring policy changes in light of the broadly worded legislation and strict security review standards.

When dealing with cross-border data transfers falling under the purview of either law, U.S. organizations need to be prepared for China’s security review. Being proactive with data use and retention policies and tightening security measures can help streamline this process. Also pay close attention to the collection practices of any technology or vendors the organization utilizes to ensure the standards are sufficient. Risk assessments should be conducted periodically, especially when implementing new technology workflows or partnerships.

Organizations should also include consent tracking in their privacy compliance plans, monitor further directions from China regarding data classification and enforcement, maintain regular impact assessments, create training manuals for employees handling or exporting Chinese data, and make compliance comparison charts to differentiate between other privacy laws like the GDPR or any applicable U.S. state laws.

To learn more about U.S. privacy laws, consider reading U.S. Data Privacy Roundup – What is on the Horizon?

[View source.]