
China’s Personal Information Protection Law – keeping up with the Joneses or increased cyber-security?

Until recently, China’s data protection rules were spread across a number of laws and guidelines at both a national and local level. As of 20 August 2021, it would appear that the National People’s Congress of China took note of their global neighbours’ activity over the garden fence and implemented a comprehensive piece of data protection legislation, akin to Europe’s GDPR – the Personal Information Protection Law (PIPL).

It is currently unclear whether the driving force for PIPL was indeed to achieve parity with legislation such as the GDPR or whether the move was a result of the Chinese government’s increased focus on “cyber-security”. The parity argument can be made due to the obvious similarities drawn between GDPR and PIPL when looking at the rules surrounding the definitions and legal basis for the handling of personal data.

The cyber-security argument gains significant traction when the strict rules surrounding data localisation and the cross-border transfer of data are considered. An interesting case study that reflects China’s heightened cyber-security focus has been the Cyberspace Administration of China’s (CAC) treatment of Didi. The Chinese company Didi (akin to Uber) recently went public on the New York Stock Exchange; however, in a move that many have hailed as intended to protect Chinese data from being shared internationally, the CAC ordered app stores to stop offering the app on their platforms.

PIPL is due to become effective on 1 November 2021, leaving organisations with no time to waste in terms of understanding the obligations and effecting policies that ensure compliance with the new law. The recent treatment of Didi would suggest that data protection (and breaches thereof) will be treated severely. In stark contrast with the consequences for non-compliance under the old rules, companies in breach of the PIPL could face fines of up to 5% of the previous year’s revenue.

Below is a very brief overview of some of the key changes implemented by the new legislation.

Data Localisation

PIPL has widened the scope of “Critical Information Infrastructure Operators” (CIIOs) – organisations required to store information in China. Any organisation that reaches a certain threshold of processing personal information will be treated as a CIIO and required to localise data. Unfortunately, this threshold is still unknown. Given the proximity of the implementation date of PIPL, organisations that process large amounts of data should begin to prepare their ability to store data onshore. They should also consider the possibility that a dedicated body may need to be established, or a representative appointed, in mainland China to meet the new administrative requirements and to report to the CAC.

Cross-Border Transfers

There are several ways in which organisations can transfer data outside of China. One of these methods has been taken straight from the GDPR playbook – standard contracts. As with the Standard Contractual Clauses (SCC) of GDPR, PIPL will require the company in question to enter into a standard contract, drafted by the CAC, with the foreign recipient of the personal information. The drafting has not yet been published, but companies must ensure that any existing contracts for the transferring of personal information are brought in line with these when released. It is important to note that separate consent will still be required from any data subjects whose personal information is to be transferred out of China.

GDPR v PIPL

Under the old legislation in China, express consent is the only legal requirement for processing personal information – PIPL introduces a further six legal bases. These are similar to GDPR (e.g. performance of a contract); however, organisations should take note that the PIPL does not contain a “legitimate interests” legal basis. In general, given the similarities, where an organisation is already compliant under GDPR, there should not be a significant requirement for the amendment of privacy policies to ensure compliance with PIPL. The problems will more likely arise where organisations are based solely in China and have not already implemented a GDPR-compliant privacy policy.

Consent

Despite the additions of the further legal bases, consent will remain the cornerstone of Chinese data processing. For example, as mentioned above, specific consent will be required for any cross-border transfers that occur and consent may still be needed where separate sectoral laws apply – sector specific laws may even outweigh one of the new legal bases in certain circumstances.

Despite uncertainty surrounding several elements of PIPL, the reality is that there is not a lot of time left to ensure compliance. It will be a useful exercise, for all organisations processing Chinese data, to consider how the minor differences with the GDPR need to be reflected within their existing privacy policies.
