China passed the Personal Information Protection Law (“PIPL”), on August 20, 2021, with the law effective beginning November 1, 2021. The PIPL is essentially China’s version of the EU’s General Data Protection Regulation (“GDPR”): a comprehensive set of rules for how companies should collect, use, process, share, and transfer personal information in China; those entities subject to PIPL should familiarize themselves with the details of the regulation, especially given the short timeline between enactment and enforcement.
What rights does PIPL grant to individuals?
Similar to the GDPR and the CCPA, the PIPL provides individuals with a number of rights, which center around providing individuals with the right to know and make decisions on the processing of their personal information (“PII”), as well as the right to restrict or object to that processing. Specifically, prior to collection, a data subject must be clearly informed of:
- The identity and contact information of the personal information controller;
- The purpose and method of processing personal information, and the type and retention period of the processed personal information;
- The method and procedure for the individual to exercise the rights provided herein; and
- Other matters to be notified in accordance with the provisions of laws and administrative regulations.
Similar to GDPR, the goal is to ensure transparency of the processing of data subjects’ personal information and to empower individuals to control the flow and usage of their data. Specific rights granted under PIPL include:
- right to know and to decide relating to their personal information;
- right to restrict or prohibit the processing of their personal information;
- right to consult and copy their personal information from the processors;
- right to portability of their personal information;
- right to correct and delete their personal information; and
- right to request the processors to explain the processing rules.
Companies should familiarize themselves with the rights granted under PIPL and ensure that their data subject access request (DSAR) framework is up-to-date and scalable; given the massive population of China, a scalable DSAR approach is crucial to avoid violations.
Does the PIPL apply to companies based outside of China?
Yes. In addition to activities within China, the PIPL extends jurisdiction to data processing activities that happen outside China if the purpose is to provide products or services to individuals located in China, or to analyze or assess the behaviors of individuals located in China. Overseas companies caught by the extraterritorial jurisdiction of the PIPL should establish a dedicated entity or appoint a representative in China to handle matters relating to the protection of the personal information they collect, and should file the information of that entity or representative with the competent government authorities. Foreign organizations or individuals may be put on a “blacklist” that restricts or prohibits them from receiving personal information from China if they infringe the personal information rights and interests of Chinese citizens, or harm the national security or public interest of China.
What are the lawful bases for processing personal information under PIPL?
The general rule is that explicit consent is the primary lawful basis for processing PII; however, under the PIPL, consent is not required for:
- performing a contract where the data subject is a party to that contract, or where necessary for the implementation of human resources management in accordance with the company’s lawfully formulated employment policies and lawfully concluded collective labor contracts;
- fulfilling statutory duties or obligations;
- responding to sudden public health incidents or protecting individuals’ lives, health, or properties under emergency conditions;
- acting in the public interest for news reporting and media supervision within a reasonable scope; or
- processing personal information disclosed by data subjects or other legally disclosed personal information within a reasonable scope.
Are there rules regarding cross-border data transfers?
There are. Companies that process personal information exceeding an amount threshold (a threshold that has not yet been published) will need to undergo security assessments approved by the Cyberspace Administration of China (“CAC”). Companies not exceeding the threshold may transfer PII outside of China by doing one of the following:
- Obtaining personal information protection certification conducted by a professional institution; or
- Signing a standard contract formulated by the CAC with the overseas recipients.
The standard contract is similar to the Standard Contractual Clauses (“SCC”) under the GDPR, but the CAC has not yet published the full text of the standard contract. Once the standard contract is published, business operators that have a need to transfer personal information outside China should review and revise their existing data transfer agreement to make it consistent with the official template.
Does my business need to conduct a personal information impact assessment?
Maybe. Under the PIPL, companies should conduct an impact assessment before the following data processing activities:
- Processing sensitive personal information
- Using personal information to conduct automated decision making
- Entrusting third parties to process personal information, providing personal information to third parties, or publishing personal information
- Providing personal information abroad
- Other personal information processing activities that will impose a major influence on individuals
Does PIPL impose a requirement for my company to have a data protection officer?
The PIPL requires certain companies to designate a person who will be responsible for personal information protection matters, which is similar to the requirement under the GDPR to designate a Data Protection Officer (“DPO”). In contrast to the DPO requirement under the GDPR, the PIPL restricts the scope of this requirement to certain companies only, i.e., those that will process personal information exceeding a yet-to-be-announced amount threshold designated by the CAC.
What are the penalties for PIPL violations?
Violations of the PIPL can result in penalties of up to RMB 50 million (approx. $7.5M) or 5% of the last year’s revenues of the company, in addition to having the company’s business license revoked. Interestingly, personal liability can attach to PIPL violations, and for the directly responsible persons of the company, the government authority could impose a fine of up to RMB 1 million (approx. $150K) and may prohibit them from serving as directors, supervisors, senior managers, or DPOs of related companies within a certain period of time.
What is the key takeaway?
The PIPL provides a grace period of less than three months before it takes effect. If your business is collecting and/or processing data from individuals in China, you should familiarize yourself with PIPL’s requirements immediately.
How Can Clym Help?
Clym believes in striking a balance between legal compliance and business needs, which is why we provide a cost-effective, scalable and flexible platform to comply with PIPL, LGPD, GDPR, CCPA and other laws as they come online. Our platform provides consumers with an effective and easy-to-navigate way to opt-out of data collection while not infringing upon the website UI that businesses rely on to drive revenues. Contact us today about how your company can implement Clym to help manage your data privacy regulation compliance from a global perspective.