China’s Personal Information Protection Law (PIPL) is now in force, laying out ground rules around how data is collected, used, and stored. It also outlines data processing requirements for companies based outside of China, including passing a security assessment conducted by state authorities.
Multinational corporations (MNCs) that move personal information out of the country also will have to obtain certification on data protection from professional institutions, according to the PIPL.
The legislation was passed in August, after it went through a couple of revisions since it was first pitched in October last year. Effective from November 1, the new law was necessary to address the “chaos” data had created, with online platforms over-collecting personal data, the Chinese government then said.
Personal information is defined as all types of data recorded either electronically or other forms, which relates to identified or identifiable persons. It does not include anonymised data.
The PIPL also applies to foreign organisations that process personal data overseas for the purpose of, amongst others, providing products and services to Chinese consumers as well as analysing the behaviours of Chinese consumers. They also will have to establish designated agencies or appoint representatives based in China to assume responsibility for matters related to the protection of personal data.
The new legislation encompasses a chapter that applies specifically to cross-border data transfers, stating that companies that need to move personal information out of China must first conduct “personal information protection impact assessments”, according to Hong Kong’s Office of the Privacy Commissioner for Personal Data (PCPD).
They also will need to obtain separate consent from individuals pertaining to the transfer of their personal information and meet one of several requirements. These include agreeing to a “standard contract” issued by authorities overseeing cyberspace matters and fulfilling requirements outlined in other laws and regulations established by the authorities, the PCPD said.
These MNCs also would have to implement necessary measures to ensure other foreign parties involved in processing the data adhere to data security standards stipulated by the PIPL.
Unclear what security assessments entail
Leo Xin, senior associate with law firm Pinsent Masons, described the legislation as a “milestone” in China’s data protection legal regime and urged MNCs to pay special attention to the rules on cross-border data transfers.
Leo said in a post: “There are still certain areas that remain unclear and require detailed implementation rules, such as how the security assessment should be handled, what the model clauses for data transfer formulated by the China Cyberspace Administration look like, what the approval procedure shall be [if] there is request for personal information by overseas judicial organs or law enforcement agencies.”
The legislation further called for the handling of personal data to be clear, reasonable, and limited to the “minimum scope necessary” to achieve their objectives of processing the information.
The lawyer recommended that MNCs begin evaluating the potential impact of PIPL on their IT infrastructure and data processing activities.
According to the PCPD, the new legislation also encompasses “automated decision-making” data processing, in which IT systems are used to automatically analyse and make decisions about consumer behaviours as well as consumers’ habits, interests, financial, and health.
Here, companies will have to ensure such decision-making processes are transparent and fair. Consumers also must be provided with the option to opt out of receiving personalised content. Security impact assessments must be carried out and these reports retained for at least three years.
Companies that breach PIPL rules may be issued an order for rectification or warnings. Chinese authorities also may confiscate any “unlawful income”, according to the PCPD.
Violators that fail to comply with orders to rectify the breach will face fines of up to 1 million yuan ($150,000), while the person responsible for ensuring compliance can be fined between 10,000 yuan ($1,500) and 100,000 yuan ($15,000).
For “serious” cases, Chinese authorities also dish out fines of up to 50 million yuan ($7.5 million) or 5% of the company’s annual turnover for the previous fiscal year. In addition, its business operations may be suspended or business permits and licences revoked.
The Beijing administration last month told local media it would take “targeted measures” to address problems it deemed to persist within the digital economy, such as poor data management. According to South China Morning Post, the Ministry of Industry and IT was pushing ahead with its scrutiny of the internet sector as part of a six-month campaign that began in July.
The ministry recently instructed 43 apps to make rectifications after they were found to have illegally transferred user data.
The Cyberspace Administration of China (CAC) in July ordered Chinese ride-sharing platform Didi to remove its app from local app stores, after it breached regulations governing the collection and use of personal data. Did was instructed to rectify “existing problems” and “effectively protect” users’ personal data.
In May, the CAC called out 33 mobile apps for collecting more user data than it deemed necessary to offer their service. These companies, which included Baidu and Tencent Holdings, also were told to plug the gaps.
Tencent said last month said it was forming a committee to assess its user data protection and privacy policies. This team would comprise technical, legal, and media professionals as well as members of the public, the Chinese tech giant said. The committee will make recommendations on improvements, if and where necessary, to better safeguard user privacy, the company added.