China’s new Personal Information Protection Law (PIPL)—the first comprehensive law in China for the protection of personal information of individuals in China—will take effect Nov. 1. Given that China makes up almost a fifth of the world’s population, this means the PIPL’s privacy regulatory framework will soon apply to one in five individuals on the planet.
Given the magnitude of its applicability, the PIPL cannot be ignored by companies who operate globally.
The new law comes on the heels of the Data Security Law (DSL), which was passed in June, establishing rules on how companies must classify collected data based on its economic value and potential impact on national security. Together, the enactment of the PIPL and DSL are part of an overall tightening of regulations by the Chinese government around data collection and sharing.
When the EU General Data Protection Regulation (GDPR) went into effect in 2018, it became the most stringent comprehensive data protection regulation in the world and set a new global standard for data protection. While the PIPL appears in some aspects to be based off the GDPR, there are material distinctions between these two privacy protection frameworks.
What Companies Need to Comply With PIPL?
The PIPL applies to companies who are handling (i.e., processing) personal data of individuals within China. For companies who operate outside of China, the law will apply if the purpose of processing is to (a) provide goods or services to those in China, (b) analyze or assess activities of individuals in China, or (c) other circumstances provided by laws and administrative regulations.
The scope of applicability of the PIPL appears to be based off of the GDPR in that it applies extra-territorially to companies who offer goods or services to or monitors behaviors of covered individuals. However, the overall scope may be broader than the GDPR since the PIPL reserves broad discretion for Chinese regulators to prescribe other circumstances where the PIPL is applicable.
Basis for Data Processing
Like the GDPR, the PIPL establishes certain rights of individuals with respect to their personal data and also the requirement for companies to have a proper legal basis for processing individual’s personal data. However, the legal bases for data processing under the PIPL as compared to the GDPR is noticeably narrower for companies, while reserving broader discretion for the regulator.
In particular, the PIPL does not provide for legitimate interests as a justified basis for data processing, which is often relied on by businesses as a legal basis under the GDPR. Rather, outside of consent, under the PIPL companies may only process data in narrowly defined circumstances.
One distinction to note is that a separate consent is required under the PIPL, regardless of the original basis of processing, in the event of a disclosure of personal information to a third party, the processing of “sensitive” personal information, or international transfer of the personal information.
Like the the GDPR, the PIPL places restrictions when it comes to cross-border data transfers.
Under the PIPL, a company may only transfer personal data outside the country if it meets one of the following conditions: (a) where it has passed a security assessment by the Cyberspace Administration of China (CAC), (b) undergoes a personal information protection certification from a specialized regulatory body, (c) enters into a contract in accordance with a standard contract formulated by the CAC, or (d) does so in accordance with other laws or regulations prescribed by the CAC.
As compared to the GDPR, the PIPL grants significant broad discretion to the CAC to regulate and authorize (or restrict) international data transfers. It’s likely we will see a PIPL counterpart to the EU standard contractual clauses as a template to be used in international data transfers.
Moreover, under the DSL, if a company is considered a critical information infrastructure operator (CII), defined broadly as infrastructure that might seriously endanger national or public interests, then the CII will be required to store data locally in China. A company who is not a CII but processes personal information “in a volume that reaches the threshold specified by the CAC” will also be required to store data locally.
Penalties for Noncompliance
The PIPL and GDPR both carry hefty fines for violations of the laws calibrated to a company’s annual revenue, with PIPL fines up to 50 million RMB (about $7.76 million) or 5% of the company’s annual revenue the prior fiscal year for “grave violations” and a fine of up to 1 million RMB (about $155,000) for less serious violations.
However, unlike the GDPR, the PIPL additionally provides for the personal liability of “responsible personnel” within a company. Under the PIPL, responsible individuals can be fined between 10,000-100,000 RMB (between $1,500 and $15,500) for less serious violations and between 100,000 to 1 million RMB (between $15,500 and $155,000) for “grave” violations, and responsible individuals may also be prohibited from holding leadership positions within the company for a certain period.
What Does This Mean?
The PIPL is more stringent than the GDPR in many respects, and, unlike the GDPR, provides significant discretion for the government regarding personal data and promotion of national security interests.
With the passage of the PIPL, China has declared its intent to “vigorously participate” in the development of consumer data privacy protection regulation. The CAC is likely to aggressively enforce the PIPL and DSL as part of a larger crackdown on tech platforms currently taking place.
Companies must ensure they are in compliance with the PIPL if they are doing business on an international level. At a minimum, this will require clearly understanding the distinctions between the PIPL and GDPR, and tailoring internal compliance programs with precision.
This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.
Catherine Zhu is a data privacy and technology transactions attorney with Foley & Lardner LLP. She advises high-growth companies on commercial and data privacy matters, including how to implement business intelligent privacy strategies within a complex regulatory environment.