Key Takeaways
1. The Personal Information Protection Law (PIPL) regulating use of personal data has now come into force in China.
2. PIPL requirements cover all companies handling the data of Chinese citizens, whether they are a domestic or international business, and whether large or small.
3. There are similarities with the EU General Data Protection Regulation (GDPR), as well as significant differences (e.g. PIPL has a state-backed regulator, while GDPR is enforced by independent regulators in EU member states).
4. Businesses which fail to meet PIPL requirements could pay large fines and risk being put on a blacklist by the Chinese government. In the case of foreign companies, this could open the door to political clashes and retaliation by their home governments.
5. The PIPL could come to have even wider implications if used as a model by other countries currently developing their own personal information protection laws (e.g. India, Vietnam).
China’s Personal Information Protection Law (PIPL) came into force on 1 November 2021 after being adopted in August. PIPL regulates use of personal data by all companies operating in China, including international businesses. While PIPL provides a clear framework which might better enable data protection compliance, foreign companies must ensure they align quickly with the new legal requirements or face large fines and potential blacklisting.
With the advent of PIPL, Yahoo and LinkedIn have chosen to withdraw operations from China. Apple has chosen to stay, having already taken privacy and security measures to protect their Chinese business – measures which some see as concessions to the Chinese government and its desire to access and control the data of its own citizens.
Companies of all sectors and sizes must make their own decisions on the feasibility and desirability of meeting PIPL requirements, as well as meeting the already potentially challenging Chinese employment and labor laws. It is vital that CTOs, COOs and CEOs grasp the PIPL’s potential implications, risks and opportunities for their businesses, and make the right strategic and operational decisions to address them.
Definition of personal information in the PIPL
Personal information, and sensitive personal information, are more clearly defined in the PIPL than in previous relevant Chinese laws (e.g. the Cybersecurity Law or Data Security Law), with the core definition being very similar to that used in the GDPR.
For PIPL purposes, personal data is any type of information record relating to identified or identifiable individuals, whether in electronic or other forms. Sensitive personal information is personal information that could easily cause a range of specified harms if leaked, or illegally used. Personal information of children under 14 is classified as sensitive. Anonymized data is not included in this definition.
GDPR and PIPL define personal information more sharply than personal information protection laws in some other countries, e.g. Brazil’s LGPD.
How does the PIPL compare with the GDPR?
When the Chinese government was researching and drafting the PIPL, it looked around the world for examples of viable current practice on personal data protection to inform development of its own laws. This review included the GDPR in Europe as well as parallel laws in the USA and other countries, and is the likely source of similarities in framing, wording and some legal concepts.
While individual data privacy or consumer rights lie at the heart of GDPR and similar data protection policies elsewhere, the introduction of PIPL may have been driven more by Chinese government concerns around national security and preserving social order. This fundamental difference in motive may be the source of some of the key differences we find between the GDPR and PIPL.
Key similarities
- Broad scope
- Both GDPR and PIPL cover data privacy in a very wide sense, including ‘extraterritorial’ applications, where citizens’ data is recorded or processed outside the borders of the EU or China.
- Centrality of consent
- Both laws use the concept of consent as a primary legal justification for the use of individual data.
- Minimization of data gathering
- In common with GDPR, PIPL requires that companies limit personal information gathering to the minimum amount required for the data’s purpose.
- Right of access to individual data
- In the case of individuals, both GDPR and PIPL allow people to access data held on them, withdraw consent for companies to hold or use their data, or ask for it to be corrected or deleted.
- Data protection measures
- Both laws require companies to take measures to protect any personal data they hold, and as part of this to employ a Data Protection Officer above certain levels of data processing or in circumstances that cover most businesses. As with the GDPR, this may require a Data Processing Agreement to be in place between a company that controls the data and any third party that processes it.
- Fines for non-compliance
- Aside from any criminal charges or other legal remedies, both GDPR and PIPL allow non-compliant companies to be given large fines for breaches of the law.
Key Differences
- Independence of regulator
- The authority for GDPR in each member state is held by an independent regulator. In contrast, the PIPL is overseen by a state-backed regulator, the Cyberspace Administration of China (CAC).
- Application to government
- PIPL does not restrict the Chinese state’s ability to access and use citizens’ personal data. GDPR does constrain how national governments handle data; such processing may rely on several legal bases in the GDPR, including legitimate interests, a basis that does not exist in the PIPL.
- Political alignment
- The GDPR has its roots in the rights of individuals to own and control their personal data, and is not aligned with the political aims of EU member states or the EU as a bloc. PIPL, however, aligns with and reinforces the political and national security aims of the Chinese state.
Video: CNBC on the PIPL
See CNBC’s analysis and critique of the PIPL, including an explanation of its application to government actors.
Why does this matter to overseas companies operating in China?
PIPL applies to all companies processing Chinese citizen data and cannot be ignored by any business with clients or customers in China. Measures contained in the PIPL have the potential to affect business on many levels and international companies are likely to feel impacts more than Chinese businesses.
Intelligent planning and mitigation are required for your company’s Chinese interests to thrive in the new data environment. Companies with extensive Chinese investments, offices, etc. may need a full China PIPL compliance strategy covering all business areas. Any company operating in China will need a data protection plan adapted to the PIPL. Whatever your level of future planning, consider the following:
- Ease of doing business
- Depending on the size and nature of your business, the PIPL could make doing business more complicated (e.g. if you have to make major changes to your current ways of working with employees, stakeholders and customers). It might also make working simpler and more predictable by providing a clearer data handling framework with less room for ambiguity.
- Potential politicization of business
- Overseas companies that don’t comply with PIPL, or are alleged to have harmed Chinese national security, could be blacklisted and effectively banned from any data processing in China. This step could then open the door to retaliatory actions from the company’s home country or its allies.
- Costs of doing business
- Operating costs relating to China could rise significantly if, for example, your business is required to appoint a DPO and completely change customer information database processes. You will need to balance any increase in operating costs against current and future opportunities in the Chinese market.
- Corporate functions and processes
- Existing corporate functions, processes and databases with China links must be reviewed and updated to ensure PIPL compliance, whether customer facing or relating to HR and employment data. You might choose to work with a partner organization who can provide Global PEO services, taking on the employer of record role for staff in China.
Which areas of PIPL are most important for international business?
Understanding the PIPL is important for any company with serious future plans for the Chinese market. You should seek professional advice on adapting your business operations if you don’t have relevant expertise in-house. Some areas of the PIPL might be more relevant for certain sectors and services than others but there are points of broad relevance:
Transferring personal information
All multinationals transferring personal data out of China must conduct “personal information protection impact assessments” and obtain professional data protection certification. Companies will also need consent from the individuals whose information is being transferred.
Where the data held by a company covers more than a million Chinese citizens, or is otherwise deemed important, data transfer out of the country is subject to a multi-step national security review process in which the company must explain why the data is being transferred.
Personal data around law enforcement or judicial issues cannot be transferred without Chinese government consent.
Storing personal information
PIPL expands on existing Chinese cybersecurity law requirements for personal data to be stored within China’s borders. Previously this measure applied to telecoms, transport, and other companies categorized as part of China’s critical national information infrastructure. Now it applies to any company which collects a certain amount of personal information (exact figure still to be confirmed).
Required presence in China
The PIPL requires that foreign data-handling companies have a legal entity or representative within China. Compliance may come with burdensome costs, especially for SMEs or start-ups.
HR and management information are in scope
In contrast to previous data protection-linked laws in China, the PIPL includes HR and employment management data within the scope of protected personal information. In practice, this means that any information about HR, pay, performance, etc. for a Chinese employee cannot be sent out of China without informed consent from the individual(s) concerned.
Global businesses with multi-country lines of management, or HR and payroll departments based outside China, will need to consider this measure carefully.
Penalties for non-compliance can be severe
Breaches of PIPL could result in rectification orders or warnings. Companies that fail to act on rectification orders could be fined up to 1 million yuan ($150,000). The individual responsible for the company’s PIPL compliance can also be fined 10,000–100,000 yuan ($1,500–$15,000).
Fines of up to 50 million yuan ($7.5 million) or 5% of annual turnover can be handed down in more serious cases, with the possibility of all company operations being suspended or necessary business permits and licenses revoked.
Horizons supports businesses through the PIPL
Despite the introduction of PIPL, the complexity of employment and labor laws, and a rising minimum wage, China remains an attractive market for many businesses. The reality of PIPL will be seen and felt in how Chinese authorities interpret and enforce its measures over the coming months and years.
International businesses assessing risks in China and developing PIPL compliance strategies will need to understand both the law itself and the likely behaviors of Chinese authorities, local companies, and customers in China.
Horizons is an experienced operator in China with the knowledge and insight to ensure compliance with the PIPL. Get in touch with Horizons today to discuss how we could help you secure and grow your business in China’s new data environment.
Frequently Asked Questions
China has a new data privacy law called the Personal Information Protection Law (PIPL). This was adopted on 20 August 2021 and came into effect on 1 November 2021. It’s the latest development in a Chinese government push to clarify and toughen laws around individual personal data and data security in China.
China has been taking an increasingly strict line on privacy and personal data protection laws and with PIPL, now has one of the toughest data protection regimes in the world. Companies operating in China or handling Chinese citizen data should take compliance with PIPL seriously.