China’s Personal Information Protection Law (PIPL) Raises the Bar Even Higher

THIS BLOG POST IS NOT LEGAL ADVICE. Handling a data breach requires a careful assessment of the circumstances of each incident, and these recommendations cannot be considered alone nor as legal advice. We recommend seeking professional legal advice from competent privacy counsel as soon as you suspect you may have a security incident that could constitute a data breach. To request legal assistance with your compliance program, please contact VeraSafe today.

China’s Personal Information Protection Law (PIPL) took effect on November 1, 2021. While organizations that have worked on compliance with laws such as the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) have a head start on the road to PIPL compliance, the PIPL creates several additional data protection obligations.

Notwithstanding its strict requirements and anticipated disruption of international business, the Chinese PIPL is generally less detailed than other omnibus data protection laws like the GDPR, the CCPA or the Brazilian Lei Geral de Proteção de Dados Pessoais (LGPD). Many questions will remain unresolved until China’s regulators issue additional guidance. In the meantime, this post aims to answer key questions about the PIPL and provide insight on how it compares to the GDPR and the CCPA.

Does the PIPL Apply to Businesses Outside of China?

This new Chinese data protection law applies to organizations that process personal information about individuals located in China, regardless of whether the organization itself is physically located in China. This means that the PIPL applies to your business if:

  • You provide products and services to individuals in China;
  • You “analyze” or “assess” the behavior of individuals in China; or
  • You process personal information for other purposes provided in China’s laws and administrative regulations.

What Are the PIPL’s Key Requirements?

If your business has worked on a data protection program aligned with the GDPR requirements, many of the PIPL’s concepts will be familiar.

For example, the new Chinese data privacy law addresses:

  • Consent. As a general rule, the PIPL requires informed, voluntary and explicit consent as a prerequisite to processing personal information. The PIPL also requires separate consents under certain circumstances, such as when disclosing personal information to a third party, processing sensitive personal information, or transferring personal information outside of China.
  • Other Lawful Bases for Processing. The PIPL does not require consent if the processing is: (1) necessary to conclude or fulfill a contract in which the individual is an interested party; (2) necessary to conduct human resources management activities; (3) necessary to fulfill statutory duties and responsibilities; (4) necessary to respond to sudden public health incidents, or to protect persons’ lives, health, or property in an emergency; (5) carried out within the context of implementing news reporting, public opinion supervision, and other such activities for the public interest; or (6) related exclusively to personal information that has been disclosed by persons themselves or otherwise already lawfully disclosed. In addition, other laws and administrative regulations can establish circumstances where consent is not required.
  • Notice. Individuals must receive information about: (1) the identity of the “personal information handler” (the data controller); (2) the purposes and methods of processing; (3) categories of personal information processed; (4) retention periods for personal information; (5) how individuals can exercise their data subject rights; (6) disclosures of their personal information; and (7) cross-border transfers.
  • Data Subject Rights. The substantive rights granted to individuals under the PIPL are largely similar to those under the GDPR. For example, both laws include the right to be informed of the processing of one’s personal information, the right of access, the right to rectification, the right to erasure, and the right to data portability, among other rights.
  • Security. The PIPL’s data security provisions address: (1) high-level IT security requirements encompassing both technical and organizational measures; and (2) data breach notification requirements.
  • Data Processor (or Service Provider) Obligations. The PIPL requires organizations to execute contracts with data processors and imposes independent security obligations on data processors.
  • Local Representative. The processing of “certain quantities” of personal information as defined by the Cyberspace Administration of China triggers a requirement to appoint a local representative to supervise personal information processing.
  • Cross-border Transfer Restrictions and Data Localization Requirements. The PIPL’s cross-border transfer restrictions have generated the most headlines so far. Before transferring personal information outside China, organizations must meet one of the following conditions:
    1. Pass the Cyberspace Administration of China’s security assessment;
    2. Obtain a personal information protection certification from a specialized body designated by the Cyberspace Administration of China;
    3. Execute a transfer agreement in accordance with the Cyberspace Administration of China’s standard contractual clauses; or
    4. Comply with other conditions provided in laws or administrative regulations, or by the Cyberspace Administration of China.

The PIPL takes cross-border transfer restrictions a step further than most data protection laws by imposing data localization obligations on certain entities. Article 40 requires the following entities to store personal information locally in China:

  • Critical Information Infrastructure (CII) operators; and
  • Personal information handlers that process personal information at a certain volume to be set by the Cyberspace Administration of China.

Since the PIPL does not define CII operators or offer any additional information on the scope of the localization requirement, this will certainly generate confusion. However, organizations that meet the definition of CII operator under China’s other laws, such as the 2016 Cybersecurity Law (CSL), should anticipate having to follow the PIPL’s localization requirement. Article 37 of the CSL, which took effect in June 2017, already imposes data localization requirements on CII operators. Article 31 of the CSL indicates that CII operators are companies operating in critical sectors such as:

  • Public communication and information services;
  • Energy;
  • Transportation;
  • Water conservancy;
  • Finance;
  • Public services;
  • e-Government;
  • National defense science and technology industries; and
  • Other important industries that are critical to national security, national economy, people’s livelihoods, and public interests.

How Does the PIPL Compare to the GDPR?

Although the PIPL shares several underlying principles with the GDPR and other major data protection laws, it differs in several areas.

For example, the PIPL:

  • Does not permit an organization to process personal information based on its “legitimate interest,” as organizations are permitted to do under Article 6(1)(f) of the GDPR;
  • Requires the proactive deletion of personal data when, for example, the processing is no longer necessary to achieve its original purpose or the individual revokes consent to processing;
  • Does not permit personal information transfers to third countries based on adequacy determinations; and
  • Contains data localization requirements and prohibits organizations from sharing personal information stored in China with foreign judicial or law enforcement authorities.

In many other respects, however, the PIPL is similar to the GDPR. For example, the PIPL:

  • Applies extraterritorially;
  • Requires identifying a legal basis to process personal information, such as consent;
  • Requires concluding data processing agreements (DPA) with data processors;
  • Requires certain PIPL-covered organizations located outside China to appoint local representatives for handling data protection matters; and
  • Requires prior information impact assessments in certain circumstances, although the triggers for this requirement under the PIPL are different from those under Article 35 GDPR.

Are My Current Privacy Policies and Data Processing Agreements (DPAs) PIPL-Compliant?

VeraSafe recommends adjusting certain sections of your customer-facing privacy notice or policy to align the language with PIPL Article 17. For example:

  • Lawful Basis of Processing: Since PIPL Article 13 does not recognize “legitimate interests” as a basis for processing, your privacy notice must specify an alternative basis.
  • Data Subject Rights: The PIPL’s equivalent to the right to portability contains the caveat that the transfer must comply with the Cyberspace Administration of China’s conditions. Your privacy notice should reflect these types of nuances.

VeraSafe also recommends a review of all data processing agreements (DPAs) with vendors to confirm they comply with PIPL Article 21. Fortunately, PIPL’s requirements for DPAs generally align with the requirements under Article 28 GDPR.

Even if your business is still in the process of making your privacy notices and DPAs GDPR-compliant, VeraSafe can help you simultaneously tackle the PIPL’s requirements and prioritize your business obligations.

What Are the Consequences of Violating the PIPL?

PIPL sanctions range from a correction order to a termination of business activities in China. An organization that fails to comply with a correction order faces financial penalties of up to 50 million RMB or 5% of the organization’s annual revenue for the prior financial year. To put this in context, the maximum penalties under Article 83 GDPR are up to 4% of the total worldwide annual turnover of the preceding financial year.

As if the financial penalties were not enough to incentivize compliance, the PIPL also creates a private right of action. Organizations are responsible and financially liable for harm caused by PIPL violations and must compensate affected individuals – unless the business can prove it is not at fault. This presumption of liability will likely result in more active enforcement of data subject rights compared to other jurisdictions.

Need Help with Complying with the PIPL?

VeraSafe has assisted numerous clients in adapting their data protection compliance programs to non-European and non-U.S. data protection laws, and can help you address the requirements of the PIPL. To request assistance with your data protection compliance program, please contact VeraSafe today.

Contact VeraSafe to discuss your data security management and privacy program today.