China’s new Personal Information Protection Law imposes additional requirements for multinational companies in the region, adding legal and regulatory challenges for businesses already grappling with U.S. state-level and European privacy regimes.
The law, which takes effect Nov. 1, requires businesses to conduct impact assessments and honor consumer data rights requests. It may complicate cross-border data transfers, attorneys say.
“If you’re an international business and want to move data in and out of China, you need to think deeply about this law,” said Scott Warren, a Tokyo- and Shanghai-based partner at Squire Patton Boggs LLP. “The penalties are significant, and there’s a private right of action.”
While the PIPL bears resemblance to other privacy laws, notably Europe’s General Data Protection Regulation, it also carries subtle differences and additional obligations, said Lindsay Zhu, a partner at Squire Patton Boggs in Shanghai.
Among the law’s provisions is a category called “critical infrastructure information,” she said.
“Chinese data protection law governs not only personal data but also critical data,” Lindsay Zhu said. “A company needs to evaluate whether their business handles critical infrastructure information and may need to adjust their operations based on that assessment.”
Operators or entities processing a large amount of personal information in that sector must, under the law, store that data within the country, Warren said. Chinese regulators are expected to clarify down the road what types of entities would fall into that category, he added.
The PIPL has an extraterritorial effect, meaning it applies to companies that process the data of Chinese individuals outside of China as well, said Carolyn Bigg, a partner at DLA Piper in Hong Kong. That means even businesses without a sizable presence in China may need to take a hard look at what sorts of information they’re processing, she said.
“Companies with China entities need to know what data they’re processing in China, as well as what sorts of data on China residents they’re processing in other parts of the world,” Bigg said.
Data Processing, Transfers
While businesses may use “legitimate business interest” as a valid basis for data processing activities under the GDPR, that standard won’t fly for the new PIPL, said Kevin Powers, director of Boston College’s M.S. cybersecurity policy and governance program and a professor at its law school.
Businesses will have to find a different basis for processing, such as individual consent, Powers said.
And noncompliance can bring penalties of up to 50 million renminbi (about $7.7 million) or 5% of annual turnover, Warren said.
“The cost of failing to get it right can be quite significant,” he said.
On top of that, responsible personnel within a company may also be found personally liable and fined for violations. Such a scheme doesn’t exist under the GDPR, said Catherine Zhu, special counsel at Foley & Lardner LLP based in Silicon Valley.
Plus, there’s a private right of action for consumers to sue personal information handlers who infringe their rights, Warren said.
American companies grappling with data transfer questions between Europe and the United States will also likely have to deal with questions about the flow of data between the U.S. and China.
“The biggest question mark is, ‘How are you going to do international data transfers?’” Catherine Zhu said. “A lot is yet to be determined by the Cyberspace Administration of China.”
The law requires businesses seeking to transfer data outside the country to meet one of several criteria, including passing a security assessment; entering into a contract; undergoing certification by a regulatory body; or doing so in accordance with other laws approved by the Cyberspace Administration of China, she said.
One of the largest challenges for businesses is the short runway for compliance, Powers said.
“The GDPR had a two-year headway, whereas here you’re getting a couple of months at best,” he said. “The bigger a company you are, the bigger risk you have if you’re not ready to go by November 1.”
Companies can take some solace in the fact that the GDPR and PIPL are similar, and a compliance program for the former can likely be adjusted to satisfy the latter, Bigg said. But that doesn’t mean it won’t take time or be challenging, she added.
“It’s not reinventing the wheel,” Bigg said. “But even though a lot of the principles may look the same, what they translate to in practice is very different.”
Operational changes, including getting consent from consumers, will take time and will include a requirement for notices in Mandarin, said Catherine Zhu. Getting those translations and posting them in the right location on the website may be a heavy lift before Nov. 1, she said.
Plus, many implementing rules haven’t yet been published, said Sherry Gong, a partner at Hogan Lovells in Beijing. That includes standard contractual clauses and thresholds for data localization requirements on noncritical information infrastructure operators, she said.
Still, the overall shape of the law and its requirements is clear, and compliance may take time, so it’s best to get started now, said Mark Parsons, a Hong Kong-based partner at Hogan Lovells.
“Doing nothing at the moment is not the right strategy,” Parsons said. “Companies should review their privacy programs and prioritize compliance with public or consumer-facing operations and other higher risk areas.”