PIPL: Overview of China’s Personal Information Protection Law



It is worth noting that China’s government has recently approved the Personal Information Protection Law (PIPL) during the 30th Session of the Standing Committee of the 13th National People’s Congress. This law is considered the first of its kind, as it comprehensively regulates issues related to the protection of personal data at a national level. Effective from November 1, 2021, the PIPL will have a significant impact on individuals, organizations, and foreign companies operating within China. Therefore, it is crucial to comprehend the implications of this law and how it will affect data privacy and security in both the public and private sectors.

What is the PIPL?

In recent times, China has taken a significant step towards enhancing data protection by introducing the Personal Information Protection Law (PIPL). The PIPL serves as a complementary measure to the Data Security Law (DSL) enacted in June 2021. The primary aim of the PIPL is to safeguard the personal data and privacy of Chinese citizens, thus necessitating all Chinese entities and foreign businesses operating within the country to adhere to the provisions of the legislation. This way, the authorities can restrain instances of personal data leakage that may result in unauthorized access to sensitive information, identity theft, or other forms of cybercrime.

Key provisions of the PIPL

The PIPL has several key provisions that individuals and organizations must be aware of. These provisions cover the scope of the application, definition of personal information and sensitive personal information, the legal basis for personal information processing, notice and consent, rights of the data subject, cross-border data transfers, security measures, data protection impact assessment (DPIA), and supervision and inspection.

Scope of application

The Personal Information Protection Law (PIPL) is a law in China that governs the handling of personal data within its territorial boundaries. It is important to note that this law applies not only to the processing of personal information within China but also to the processing of information outside of China if the entity’s objective is to offer goods or services to Chinese individuals or to analyze their conduct within China. This means that any entity that wishes to operate within China or offer its goods or services to Chinese individuals must comply with the regulations set forth by the PIPL to ensure the protection of personal data.

Definition of personal information and sensitive personal information

The PIPL defines personal information as information that can be used to identify an individual, either alone or in combination with other information. It includes basic information such as name, address, contact information, and information about an individual’s identity, occupation, property, and activities.

Sensitive personal information refers to personal information that, if leaked, may harm an individual or damage their reputation, including details about an individual’s race, ethnicity, religion, personal or medical health information, financial status, and location data.

The PIPL requires that all personal information collection and processing be based on a legal basis, such as the individual’s consent, the performance of a contract, or compliance with a legal obligation. Organizations must also specify the purposes for which personal information is being processed and limit the collection and use of personal information to the extent necessary for achieving those purposes.

Organizations or personal information processing entities, as noted in the PIPL, must provide clear and complete information to individuals about the collection, use, and processing of their personal information, including the purposes of processing such personal information, the types of personal information being collected, and the rights of individuals. Organizations must obtain individuals’ consent before processing their personal information, and the consent must be specific, informed, and freely given.

Rights of data subjects

The PIPL grants several rights to data subjects, including the right to access their personal information, request correction of inaccurate personal information, request deletion of their personal information, and object to the processing of their personal information under certain circumstances. Organizations must respond to these requests on time and justify their decisions.


Cross-border data transfers

The PIPL requires that organizations conducting cross-border transfers of personal information conduct a security assessment and obtain individuals’ explicit consent. Additionally, if the recipient is located in a country with a lower level of data protection than China, the personal information processing entity must obtain approval to transfer personal information from the competent authority.

Supervision and inspection

The PIPL establishes a comprehensive data protection regulatory framework and establishes a data protection authority to supervise and inspect compliance with the PIPL. Organizations that violate the PIPL may be subject to fines, suspension of business, or revocation of their business license.

Compliance requirements for organizations and foreign companies operating in China

Organizations and foreign companies operating in China must comply with the requirements of the PIPL. Failure to do so can result in significant fines and reputational damage.

To comply with the PIPL, organizations and foreign companies must:

Establish a personal information protection policy

Organizations and foreign businesses must establish a comprehensive policy that outlines the specific actions they will take to safeguard personal information and adhere to the Personal Information Protection Law (PIPL). This policy should be communicated clearly to all employees and reviewed periodically to ensure its effectiveness and relevance to the evolving landscape of privacy regulations. By doing so, organizations can ensure that they are not only compliant with the law but also actively protecting the privacy rights of their clients and customers.

In order to safeguard the fundamental privacy and rights of individuals, organizations must acquire explicit and informed consent before gathering, utilizing, processing, or revealing any personal information. The consent provided by the individual should be specific to the purpose of data processing, which will promote a culture of transparency and accountability. This, in turn, will foster a sense of trust between the organization, the data processor, and the individual, thereby promoting a mutually beneficial relationship. Organizations must adhere to these guidelines to ensure that the privacy and rights of individuals are respected and protected at all times.

Limit the collection and use of personal information

When requesting personal information from individuals, organizations and foreign entities should exercise caution and collect only the information that is necessary for the specific purpose for which it is being collected. It is equally important to ensure that such information is only used and disclosed for the same purpose and with the individual’s written consent. Failure to abide by these principles could result in a breach of privacy and trust, which could have severe legal and ethical implications. Therefore, data collectors must take a proactive approach to safeguard the privacy of individuals and operate with transparency and integrity at all times.

Establish a data protection impact assessment (DPIA) mechanism

Organizations and foreign entities must adopt a responsible approach by implementing a comprehensive system to carry out Data Protection Impact Assessments (DPIAs) before undertaking any data processing activities that pose a high risk. The DPIA process must involve a thorough evaluation of the potential risks of personal information processing activities that could threaten the rights and freedoms of individuals and recommend appropriate measures to mitigate those risks effectively. This approach ensures that data processing activities are carried out in a manner that complies with data protection regulations and safeguards the privacy of individuals.

Implement security measures

In order to ensure the protection of personal information from any unauthorized access, disclosure, alteration, or destruction, organizations and foreign companies must put in place a combination of technical and organizational measures. These measures should be carefully selected and implemented according to each organization or company’s specific needs and requirements. They must also establish an emergency response plan in case of a personal information security incident. Doing so can establish a robust and practical framework that will help safeguard sensitive information and prevent any potential data breaches or security incidents.


Develop a breach notification plan

It is of utmost importance that organizations and international companies establish a comprehensive notification plan for breaches that encompasses notifying the relevant individuals and authorities in case of a personal data breach. This plan should be meticulously designed and executed to ensure that all necessary parties are informed promptly and efficiently, minimizing the potential for further harm or damage. By prioritizing protecting personal data and implementing effective breach notification protocols, businesses can demonstrate their commitment to maintaining the trust and confidence of their stakeholders.

Cooperate with regulatory authorities

It is crucial for domestic and foreign companies to collaborate closely with regulatory authorities in case of an investigation or audit. This not only helps ensure that all parties are working together effectively, but it also helps to promote transparency and accountability throughout the process. By working cooperatively and collaboratively, organizations can ensure that potential issues or concerns are addressed quickly and efficiently while demonstrating their commitment to compliance and good governance. Ultimately, this can build trust and confidence in the organization internally and externally and promote a more positive and productive working relationship with regulatory authorities over the long term.

Establish a data protection officer (DPO)

Under the regulations outlined in the Personal Information Protection Law (PIPL), it is deemed compulsory for both organizations and foreign companies to appoint a Data Protection Officer (DPO). This individual is entrusted with overseeing all data protection activities and ensuring that the organization remains fully compliant with all relevant regulations and laws pertaining to data privacy and security.

Foreign companies operating in China must also appoint a local representative responsible for handling data protection matters in China.

Comparison of the PIPL with Other Data Privacy Regulations

In several respects, the PIPL is similar to other data privacy regulations, such as the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). Like the GDPR and CCPA, the PIPL imposes strict requirements on organizations to protect individuals’ personal information. It grants individuals certain rights, such as the right to access, correct, and delete their personal information. However, there are also some differences between the PIPL and other data privacy regulations. For example, the PIPL imposes stricter requirements on data transfers outside China than the GDPR. The PIPL also requires that organizations conduct a DPIA before engaging in high-risk processing activities, which is not required under the CCPA.


China has taken a significant step forward in data privacy regulations with the implementation of the Personal Information Protection Law (PIPL). This law sets strict compliance standards and imposes heavy fines and penalties for non-compliance, affecting both domestic and foreign businesses operating in China. To avoid significant financial and reputational harm, organizations must proactively ensure that their data processing activities comply with the PIPL and other applicable data privacy laws. It is crucial for companies to implement effective data privacy measures to maintain the trust of their customers and stakeholders.
