China’s regulatory environment has undergone many updates in 2021. Towards the end of the year, the Chinese government will impose new rules to enforce better personal data protection. The until now rather loosely regulated cyberspace will be subject to a major update. The new Personal Information Protection Law (PIPL), which will take effect on November 1st 2021, aims at regulating the storing, transferring, and processing of personal information. This will have far-reaching implications for individuals as well as domestic and global businesses. Above all, China’s tech industry will have to adapt to ensure compliance with the new stringent regulations.
Data protection in China: an overview of China’s data privacy regulation
Until mid 2021, China’s data protection law was based on a single pillar. Introduced in 2017, the Cyber Security Law (CSL) has since then regulated cyberspace activity. However, its partially vague formulations have led to criticism. Consequently, the implementation of China’s Data Security Law (DSL) on September 1st 2021 made many people happy, as it built on the CSL and further enhanced data protection in China. However, both laws do not primarily target the personal sphere. This is where PIPL comes into play. By focusing on personal information protection, it will represent the missing element in China’s data protection law.
Thus, PIPL will in a way fill a gap and make China catch up with global personal data privacy standards, such as the European General Data Protection Regulation (GDPR). The CSL, the DSL and the PIPL will represent the three pillars of the Chinese data protection legislative system and together form a comprehensive framework governing data processing and cybersecurity issues.
Personal information protection law (PIPL): targeting personal information protection
Consisting of 74 articles in eight chapters, the PIPL will be the first comprehensive data protection law regulating personal information handling activities. It will substantially expand the legal basis for processing personal information.
Key aspects of China’s new personal data protection law
Fundamentally, the new law calls for companies to get users’ consent before collecting personal data. Hereby, the PIPL addresses the problems related to personal data leakage. The law defines that personal information collection must have clear and reasonable purpose and should have “minimum scope to achieve the goals of handling” data. Moreover, it points out that the collected data should be kept for the minimum time period necessary to achieve the purpose of processing.
How PIPL influences sensitive information
China’s new personal data protection law also defines the obligations and responsibilities of those collecting and handling the data, referred to as processors. Amongst other specifications, the PIPL requires processors to store data within China. Cross-border data transfer will require approval by the Cyberspace Administration of China (CAC). The PIPL provides rules for how companies should ensure the protection of users’ data outside of China. Data transference to other country is an aspect where PIPL and GDPR diverge the most.
It is important to mention that the PIPL has broad extraterritorial jurisdiction, meaning that even companies outside of China can be affected by the regulation if they are collecting data from people who are in China. To ensure a proper functioning, China’s new personal data protection law requires foreign companies to designate a local representative, similar to an agent, to handle issues regarding personal information collected in China.
Special importance is attached to sensitive personal information, as is described in Article 28 of the new PIPL. This sort of data is subject to even more stringent laws. This is particularly interesting as AI-based biometrics, such as facial and fingerprint recognition, which are widely used throughout China, fall under the category of sensitive personal information. Similarly, religious beliefs, medical and health care, financial accounts as well as emotional data are classified to be sensitive personal information.
Far-reaching implications of China’s crackdown on data privacy
On the one hand, China’s new personal data protection law PIPL will give individuals more rights to decide what happens with data generated by them. On the other hand, it forces businesses to rethink their business model.
Protecting users’ personal data: How users benefit from the regulatory update
Comparable to the GDPR, the PIPL grants data subjects with various rights to their personal information, including the rights to access, copy, correct, modify, and delete their personal information. In addition, the final draft of the PIPL puts emphasis on the right of data subjects to withdraw their consent and the right to refuse the processing of their personal information.
What China’s new personal data protection law implies for domestic and multinational businesses
Given that the final draft of the PIPL was confirmed only on August 20, 2021, businesses had to react fast. Preparing to comply with the new rules has been a turbulent journey for many enterprises – notably those that were not yet operating in accordance with the European GDPR. Risking an abuse of the new regulation is not an option, as noncompliance can lead to administrative fines of up to 50 million CNY or 5% of the firm’s turnover in the last year. Multinationals will, above all, have to pay attention to adequately transferring data outside China.
Takeaways of China’s efforts to regulate cyberspace
- Up to now, China has been lacking a comprehensive legislation regulating the protection of personal information. China’s new personal data protection law PIPL, taking effect November 1, 2021, will fill this gap.
- The PIPL shows substantial overlap with the European General Data Protection Regulation (GDPR), but goes even further, notably regarding to cross-border data transfer.
- After the implementation of the new PIPL, data protection in China will be based on three pillars: the CSL, the DSL and the PIPL.
- China’s decision to pursue more stringent regulations on personal data protection reflects the international trend of international data privacy protection laws.
- As a firm doing business in China, it is advisable to seek legal advice, as noncompliance with the new law may result in exorbitantly high fines.
Author: Fabian Haidegger