China's Personal Information Protection Law (PIPL) has caused a stir in the data privacy world, mainly because of its accelerated timeline: the law was passed on 20 August 2021 and came into effect on 1 November 2021, giving businesses and consumers little more than two months to prepare. Thankfully, we have compiled a go-to guide for navigating its main provisions.
Who Does the PIPL Apply To?
To find out whether your company is affected by the PIPL, ask one simple question: do you process the personal information of individuals located in China? Note that the test is territorial rather than one of citizenship: the law covers natural persons within the borders of the People's Republic of China, whatever their nationality. If the answer is yes, read on.
Any organisation that processes the personal information of individuals in China for the purpose of providing them with products or services, analysing or assessing their behaviour, or for other purposes specified by laws and regulations must comply with the law. This applies even if the processing itself takes place outside China, which is what gives the PIPL its extraterritorial reach.
The main difference from the GDPR in this respect is lexical. Under the GDPR, a data controller is the party that determines the purposes and means of processing, whereas a data processor is anyone who processes personal data on behalf of the controller. The PIPL uses different labels for the same two roles: the GDPR's controller is the PIPL's 'personal information handler' (often translated simply as 'processor'), and the GDPR's processor is the PIPL's 'entrusted party'. Simple. Right?
The PIPL: The Don’ts
The next thing to consider is ensuring your processing is lawful under the Chinese law. Under Article 6, the 'processing of personal information must have a clear and reasonable purpose and should be limited to the smallest scope for realising the processing purpose'. This mirrors the GDPR's data minimisation principle, under which processing must be limited to what is necessary for the purpose in question.
The PIPL offers a narrower set of lawful bases than the GDPR. The most obvious omission is 'legitimate interest', which does not appear at all. Some will see this as a positive development, because Big Tech companies frequently rely on legitimate interest to justify processing that individuals would not expect. Recently, Google argued that it had a 'legitimate interest' in Google Analytics gaining a better understanding of visitors' behaviour on a website. The Danish Data Protection Agency did not accept this argument, on the basis that visitors could not reasonably expect their information to be passed on to Google's servers in the United States. In this respect the PIPL has the potential to go further than the GDPR in holding companies such as Google and Apple liable for wrongdoing, since there is no legitimate-interest basis to fall back on.
Secondly, the PIPL retains a basis relating to the public interest, but frames it more narrowly than the GDPR does, limiting it to news reporting, public-opinion supervision and similar activities carried out 'to a reasonable extent'. This echoes the political climate in China, where the homegrown replacements for Facebook, Instagram, Twitter and WhatsApp, namely Weibo and WeChat, are subject to surveillance and censorship by the government. More recently, ahead of the 2022 Winter Olympic Games in Beijing, the authorities suppressed activists and critics while extending their watchful eye over Olympic participants.
Apart from these two differences, the PIPL retains lawful bases similar to the GDPR's, such as where processing is necessary for the performance of a contract or to respond to a public health emergency. Additionally, the PIPL includes a basis for human resources management carried out under lawfully adopted labour rules and lawfully concluded collective contracts. Companies with employees in China must therefore pay attention to the employment policies and labour law of the country itself.
Consent remains a key lawful basis under the PIPL. As under the GDPR, consent is valid only where it is given voluntarily and explicitly after the individual has been fully informed. The same right to withdraw consent at any time applies, and the law requires that an 'easy option' to do so be provided. In practice, consent banners and opt-outs that are acceptable under the GDPR are a reasonable starting point under the PIPL, with one important caveat: the PIPL requires 'separate consent' for certain activities, including processing sensitive personal information, sharing personal information with other handlers, public disclosure and cross-border transfer, so a single blanket consent obtained for GDPR purposes will not cover these.
The PIPL: The Dos
Where a lawful basis has been established, there are further requirements and constraints on processing. If your company targets individuals in China or operates internationally, specific rules apply, and these differ from the system under the GDPR. Cross-border transfers must go through one of the mechanisms set out in Article 38: a security assessment organised by the Cyberspace Administration of China (CAC), which is mandatory for critical information infrastructure operators and for handlers above a volume threshold set by the CAC; certification by a CAC-recognised professional body; or a standard contract issued by the CAC. The individual must also be told who the overseas recipient is and must give separate consent to the transfer. Foreign companies that process the personal information of individuals in China from abroad must set up a dedicated entity or appoint a representative within China who bears responsibility for this compliance, and must report that representative's details to the authorities.
The PIPL is explicit on this point: there must be a processing contract between the handler and the entrusted party, setting out the purpose, duration and method of processing, the categories of personal information involved, the protection measures to be applied, and the rights and obligations of both sides. This is important because it reduces the investigation needed when deciding on a company's liability: the contract should show how duties, and therefore liabilities, are allocated between the two parties.
Localisation applies to critical information infrastructure operators and to handlers whose processing volume exceeds a threshold set by the CAC: they must store personal information collected or generated in mainland China within China, and may export it only after passing a CAC security assessment. So if a company such as Facebook operated in China and processed the data of individuals there at that scale, localisation would be required. The Cyberspace Administration of China decides where the volume threshold sits.
Whenever your company collects and processes personal information across more than one country, a personal information protection impact assessment (the PIPL's equivalent of a DPIA) must be carried out before the transfer. The same assessment is required for other listed activities, including processing sensitive personal information, automated decision-making, and sharing, entrusting or publicly disclosing personal information, and the assessment report and processing records must be retained for at least three years. For large online platforms this also means establishing an independent supervisory body made up mainly of external members and publishing regular social responsibility reports. Compared with the GDPR, the PIPL uses prescriptive language here, which makes the assessment a non-negotiable aspect of compliance. Under the GDPR, by contrast, the requirement to assess where processing 'is likely to result in a high risk to the rights and freedoms of natural persons' leaves greater ambiguity.
The Rights of Individuals
Data subjects have rights similar to those prescribed under the GDPR. The main difference is that the right to data portability applies only where the conditions set by the Cyberspace Administration of China are met, which leaves a certain discretion to the Chinese authorities. Commentators have argued that this makes the PIPL a less precise adaptation of the scheme set out by the GDPR.
Requests from individuals must be handled promptly, and handlers must set up a convenient mechanism for receiving and acting on them, giving reasons where a request is refused. It is likely that the Cyberspace Administration will issue further regulations, because as of now only a broad framework has been established.
Data subjects have the right to complain about or report unlawful processing to the Cyberspace Administration, and they also have a private right of action: individuals may sue where their rights have been infringed and damage has been caused. On top of this, the People's Procuratorate, consumer organisations and CAC-designated bodies may bring public-interest litigation against handlers whose violations affect many individuals. The Chinese rules are strict in this respect because the burden of proof is reversed: a handler that cannot prove it was not at fault is liable to compensate the individual's loss.
The potential for criminal liability, where a violation also constitutes a crime, forces companies to pay attention to the law. Violations are also recorded in a company's credit file and publicised, and a lower standing on China's social credit system impairs the company's ability to obtain resources.
What does this mean for you?
The PIPL distinguishes two levels of violation: ordinary cases and serious cases. For ordinary cases the regulator may order rectification, confiscate unlawful gains and impose a fine of up to RMB 1 million; for serious cases the fine rises to up to RMB 50 million or 5% of the previous year's turnover. The individuals directly responsible face personal fines of RMB 10,000 to 100,000 in ordinary cases and RMB 100,000 to 1 million in serious cases, and in serious cases may also be barred for a period from serving as directors, supervisors, senior managers or personal information protection officers. Both levels can lead to a reduction in social credit standing.
The main point of distinction with respect to penalties is that the PIPL does not set a minimum amount for corporate fines and, because the serious-case ceiling is expressed as a percentage of turnover, the effective maximum scales with the size of the business. Regulators have wide discretion, which means the fine actually levied in a given case could sit anywhere up to the top of these ranges.
Getting to know the PIPL and its provisions is therefore vital if you do not want to risk a hefty fine or, worse, the health of your business in Chinese territory.
The Practical Realities of PIPL Scope
You may well be thinking: why does this matter? If the PIPL only covers people in the territory of China, its scope is narrower than the GDPR's. That rings true for companies such as Facebook, WhatsApp and Instagram, which are banned under Chinese censorship laws and therefore serve few users there. However, it would be wrong to underestimate the extraterritorial nature of the provisions: any processing of the data of people in China, wherever it is carried out, is in scope.
The PIPL introduces a clear system of enforcement against individuals and companies who breach its provisions. There is a real risk that high fines will be levied, so compliance with this law should be a priority.
China's objective in enacting the law was to rival the GDPR, and the provisions reflect that intention. China is the world's second-largest economy and home to roughly 18% of the world's population. Given globalisation, many companies deal with people in China, quite possibly without realising it, which is why knowing and complying with the PIPL is vital. It is estimated that Chinese students make up some 32% of the international student body at UK universities. Even a smaller share would matter: if a university uses targeted advertising aimed at schools in China or at Chinese students themselves, the PIPL applies. Universities such as University College London are among the most dependent on international students, so the university itself would need to consider the lawful basis on which it processes that data.
You may also have noticed that fashion trends often move faster in China, with consumers keen to be ahead on the newest designer clothes and accessories. Where companies such as Chanel or YSL advertise to that market, the PIPL would need to be addressed. The same applies to travel companies that organise flights or package holidays for people in China. The scope of the PIPL should not be underestimated; once you look closely at how your company actually uses data processing, you may find that the measures you implemented for GDPR compliance do not, on their own, satisfy the PIPL.