China’s Personal Information Protection Law – keeping up with the Joneses or increased cyber-security?
Until recently, China’s data protection rules were spread across a number of laws and guidelines at both national and local level. On 20 August 2021, it would appear that the National People’s Congress of China took note of its global neighbours’ activity over the garden fence and implemented a comprehensive piece of data protection legislation, akin to Europe’s GDPR – the Personal Information Protection Law (PIPL).
It is currently unclear whether the driving force for PIPL was indeed to achieve parity with legislation such as the GDPR or whether the move was a result of the Chinese government’s increased focus on “cyber-security”. The parity argument can be made due to the obvious similarities drawn between GDPR and PIPL when looking at the rules surrounding the definitions and legal basis for the handling of personal data.
The cyber-security argument gains significant traction when the strict rules surrounding data localisation and the cross-border transfer of data are considered. An interesting case study that reflects China’s heightened cyber-security focus has been the Cyberspace Administration of China’s (CAC) treatment of Didi. The Chinese company Didi (akin to Uber) recently went public on the New York Stock Exchange; shortly afterwards, in a move that many have hailed as intended to protect Chinese data from being shared internationally, the CAC ordered app stores to stop offering the app on their platforms.
PIPL is due to become effective on 1 November 2021, leaving organisations with no time to waste in understanding the obligations and putting in place policies that ensure compliance with the new law. The recent treatment of Didi would suggest that data protection (and breaches thereof) will be treated severely. In stark contrast with the consequences for non-compliance under the old rules, companies in breach of the PIPL could face fines of up to 5% of the previous year’s revenue.
Below is a very brief overview of some of the key changes implemented by the new legislation.
PIPL has widened the scope of “Critical Information Infrastructure Operators” (CIIOs) – organisations required to store information in China. Any organisation that reaches a certain threshold of processing personal information will be treated as a CIIO and required to localise data. Unfortunately, this threshold is still unknown. Given the proximity of the implementation date of PIPL, organisations that process large amounts of data should begin to prepare their ability to store data onshore. They should also consider whether a dedicated body needs to be established, or a representative appointed, in mainland China to meet the new administrative and reporting requirements to the CAC.
There are several ways in which organisations can transfer data outside of China. One of these methods has been taken straight from the GDPR playbook – standard contracts. As with the Standard Contractual Clauses (SCC) of GDPR, PIPL will require the company in question to enter into a standard contract, drafted by the CAC, with the foreign recipient of the personal information. The standard contract has not yet been published, but companies must ensure that any existing contracts for the transfer of personal information are brought in line with it when it is released. It is important to note that separate consent will still be required from any data subjects whose personal information is to be transferred out of China.
GDPR v PIPL
Despite the addition of further legal bases, consent will remain the cornerstone of Chinese data processing. For example, as mentioned above, specific consent will be required for any cross-border transfers that occur, and consent may still be needed where separate sectoral laws apply – sector-specific laws may even override one of the new legal bases in certain circumstances.
Despite uncertainty surrounding several elements of PIPL, the reality is that there is not a lot of time left to ensure compliance. It will be a useful exercise, for all organisations processing Chinese data, to consider how the minor differences with the GDPR need to be reflected within their existing privacy policies.