China’s Personal Information Protection Law – keeping up with the Joneses or increased cyber-security?

Up until recently, China’s data protection rules were scattered across a number of laws and guidelines at both national and local level. As of 20 August 2021, it would appear that the National People’s Congress of China took note of its global neighbours’ activity over the garden fence and implemented a comprehensive piece of data protection legislation, akin to Europe’s GDPR – the Personal Information Protection Law (PIPL).

It is currently unclear whether the driving force for PIPL was indeed to achieve parity with legislation such as the GDPR or whether the move was a result of the Chinese government’s increased focus on “cyber-security”. The parity argument can be made because of the obvious similarities between GDPR and PIPL in the rules surrounding the definitions and legal bases for the handling of personal data.

The cyber-security argument gains significant traction when the strict rules surrounding data localisation and the cross-border transfer of data are considered. An interesting case study that reflects China’s heightened cyber-security focus has been the Cyberspace Administration of China’s (CAC) treatment of Didi. The Chinese company Didi (akin to Uber) recently went public on the New York Stock Exchange. However, in a move that many have viewed as intended to protect Chinese data from being shared internationally, the CAC ordered app stores to stop offering the app on their platforms.

PIPL is due to become effective on 1 November 2021, leaving organisations with no time to waste in understanding the obligations and putting in place policies that ensure compliance with the new law. The recent treatment of Didi would suggest that data protection (and breaches thereof) will be treated severely. In stark contrast with the consequences for non-compliance under the old rules, companies in breach of the PIPL could face fines of up to 5% of the previous year’s revenue.

Below is a very brief overview of some of the key changes implemented by the new legislation.

Data Localisation

PIPL has widened the scope of “Critical Information Infrastructure Operators” (CIIOs) – organisations required to store information in China. Any organisation that reaches a certain threshold of processing personal information will be treated as a CIIO and required to localise data. Unfortunately, this threshold is still unknown. Given the proximity of the implementation date of PIPL, organisations that process large amounts of data should begin to prepare their ability to store data onshore. They should also consider whether a dedicated body needs to be established, or a representative appointed, in mainland China to meet the new administrative requirements and the reporting obligations to the CAC.

Cross-Border Transfers

There are several ways in which organisations can transfer data outside of China. One of these methods has been taken straight from the GDPR playbook – standard contracts. As with the Standard Contractual Clauses (SCCs) of GDPR, PIPL will require the company in question to enter into a standard contract, drafted by the CAC, with the foreign recipient of the personal information. The standard contract has not yet been published, but companies must ensure that any existing contracts for the transfer of personal information are brought in line with it when it is released. It is important to note that separate consent will still be required from any data subjects whose personal information is to be transferred out of China.

GDPR v PIPL

Under the old legislation in China, express consent was the only legal basis for processing personal information – PIPL introduces a further six legal bases. These are similar to those in GDPR (e.g. performance of a contract); however, organisations should take note that the PIPL does not contain a “legitimate interests” legal basis. In general, given the similarities, where an organisation is already compliant under GDPR, there should not be a significant requirement to amend privacy policies to ensure compliance with PIPL. The problems will more likely arise where organisations are based solely in China and have not already implemented a GDPR-compliant privacy policy.

Consent

Despite the addition of the further legal bases, consent will remain the cornerstone of Chinese data processing. For example, as mentioned above, specific consent will be required for any cross-border transfers that occur, and consent may still be needed where separate sectoral laws apply – sector-specific laws may even override one of the new legal bases in certain circumstances.

Despite uncertainty surrounding several elements of PIPL, the reality is that there is not a lot of time left to ensure compliance. It will be a useful exercise for all organisations processing Chinese data to consider how the minor differences from the GDPR need to be reflected in their existing privacy policies.
