1. The Personal Information Protection Law (PIPL) regulating use of personal data has now come into force in China.
2. PIPL requirements cover all companies handling the data of Chinese citizens, whether they are a domestic or international business, and large or small.
3. There are both similarities with the EU General Data Protection Regulation (GDPR) and significant differences (e.g. PIPL has a state-backed regulator, while GDPR is enforced by independent regulators in EU member states).
4. Businesses which fail to meet PIPL requirements could pay large fines and risk being put on a blacklist by the Chinese government. In the case of foreign companies, this could open the door to political clashes and retaliation by their home governments.
5. The PIPL could come to have even wider implications if used as a model by other countries currently developing their own personal information protection laws (e.g. India, Vietnam).
China’s Personal Information Protection Law (PIPL) came into force on 1 November 2021 after being adopted in August. PIPL regulates use of personal data by all companies operating in China, including international businesses. While PIPL provides a clear framework which might better enable data protection compliance, foreign companies must ensure they align quickly with the new legal requirements or face large fines and potential blacklisting.
With the advent of PIPL, Yahoo and LinkedIn have chosen to withdraw operations from China. Apple has chosen to stay, having already taken privacy and security measures to protect their Chinese business – measures which some see as concessions to the Chinese government and its desire to access and control the data of its own citizens.
Companies of all sectors and sizes must make their own decisions on the feasibility and desirability of meeting PIPL requirements, as well as meeting the already potentially challenging Chinese employment and labor laws. It is vital that CTOs, COOs and CEOs grasp the PIPL’s potential implications, risks and opportunities for their businesses and make the right strategic and operational decisions to address them.
Definition of personal information in the PIPL
Personal information, and sensitive personal information, are more clearly defined in the PIPL than previous relevant Chinese laws (e.g. the Cybersecurity Law or Data Security Law), with the core definition being very similar to that used in the GDPR.
For PIPL purposes, personal information is any kind of information recorded in electronic or other form that relates to identified or identifiable natural persons. Sensitive personal information is personal information that could easily cause a range of specified harms if leaked or illegally used. Personal information of children under 14 is classified as sensitive. Anonymized data is excluded from this definition.
GDPR and PIPL define personal information more sharply than personal information protection laws in some other countries, e.g. Brazil’s LGPD.
How does the PIPL compare with the GDPR?
When the Chinese government was researching and drafting the PIPL, it looked around the world for examples of viable current practice on personal data protection to inform development of its own laws. This review included the GDPR in Europe as well as parallel laws in the USA and other countries, and is the likely source of similarities in framing, wording and some legal concepts.
While individual data privacy or consumer rights lie at the heart of GDPR and similar data protection policies elsewhere, the introduction of PIPL may have been driven more by Chinese government concerns around national security and preserving social order. This fundamental difference in motive may be a source of some of the key differences we find between the GDPR and PIPL.
Why does this matter to overseas companies operating in China?
PIPL applies to all companies processing Chinese citizen data and cannot be ignored by any business with clients or customers in China. Measures contained in the PIPL have the potential to affect business on many levels and international companies are likely to feel impacts more than Chinese businesses.
Intelligent planning and mitigation are required for your company’s Chinese interests to thrive in the new data environment. Companies with extensive Chinese investments, offices, etc. may need a full China PIPL compliance strategy covering all business areas. Any company operating in China will need a data protection plan adapted to the PIPL. Whatever your level of future planning, consider the following:
Which areas of PIPL are most important for international business?
Understanding the PIPL is important for any company with serious future plans for the Chinese market. You should seek professional advice on adapting your business operations if you don’t have relevant expertise in-house. Some areas of the PIPL might be more relevant for certain sectors and services than others but there are points of broad relevance:
Transferring personal information
All multinationals transferring personal data out of China must conduct “personal information protection impact assessments” and obtain professional data protection certification. Companies will also need consent from the individuals whose information is being transferred.
Where the data held by a company covers more than a million Chinese citizens, or is otherwise classified as important, data transfer out of the country is subject to a multi-step national security review process in which the company must explain why the data is being transferred.
Personal data around law enforcement or judicial issues cannot be transferred without Chinese government consent.
Storing personal information
PIPL expands on existing Chinese cybersecurity law requirements for personal data to be stored within China’s borders. Previously this measure applied to telecoms, transport, and other companies categorized as part of China’s critical national information infrastructure. Now it applies to any company which collects a certain amount of personal information (exact figure still to be confirmed).
Required presence in China
The PIPL requires that foreign data-handling companies have a legal entity or representative within China. Compliance may come with burdensome costs, especially for SMEs or start-ups.
HR and management information are in scope
In contrast to previous data protection-linked laws in China, the PIPL includes HR and employment management data within the scope of protected personal information. In practice, this means that any information about HR, pay, performance, etc. for a Chinese employee cannot be sent out of China without informed consent from the individual(s) concerned.
Global businesses with multi-country lines of management, or HR and payroll departments based outside China, will need to consider this measure carefully.
Penalties for non-compliance can be severe
Breaches of PIPL could result in rectification orders or warnings. Companies that fail to act on rectification orders could be fined up to 1 million yuan ($150,000). The individual responsible for the company’s PIPL compliance can also be fined 10,000–100,000 yuan ($1,500–$15,000).
Fines of up to 50 million yuan ($7.5 million) or 5% of annual turnover can be handed down in more serious cases, with the possibility of all company operations being suspended or necessary business permits and licenses revoked.
Horizons supports businesses through the PIPL
Despite the introduction of PIPL, the complexity of employment and labor laws, and a rising minimum wage, China remains an attractive market for many businesses. The reality of PIPL will be seen and felt in how Chinese authorities interpret and enforce its measures over the coming months and years.
International businesses assessing risks in China and developing PIPL compliance strategies will need to understand both the law itself and the likely behaviors of Chinese authorities, local companies, and customers in China.
Horizons is an experienced operator in China with the knowledge and insight to ensure compliance with the PIPL. Get in touch with Horizons today to discuss how we could help you secure and grow your business in China’s new data environment.
Frequently Asked Questions (FAQ)
China has a new data privacy law called the Personal Information Protection Law (PIPL). This was adopted on 20 August 2021 and came into effect on 1 November 2021. It's the latest development in a Chinese government push to clarify and toughen laws around individual personal data and data security in China.
China has been taking an increasingly strict line on privacy and personal data protection laws and with PIPL, now has one of the toughest data protection regimes in the world. Companies operating in China or handling Chinese citizen data should take compliance with PIPL seriously.