The China Personal Information Protection Law (PIPL) – What do you need to know?


China’s Personal Information Protection Law (“PIPL”) was officially adopted in August 2021 and came into effect on November 1st, 2021.

This is part of a three-pronged regulatory structure, which aims to regulate all cyber/internet/privacy-related matters. The structure includes three separate pieces of legislation under the authority of the Cyberspace Administration of China (CAC), which is also responsible for its enforcement.

The PIPL is one of the pieces of this regulatory structure and addresses all things privacy-related. It applies at the national level and also extraterritorially, to foreign entities processing personal data in China, offering goods and services in China, or monitoring Chinese data subjects.

Although sometimes referred to as the Chinese GDPR, and although there are many similarities, the PIPL does differ in some major aspects.

We collected 5 of these differences that we thought you should know:

1. Data localization under the PIPL

Critical information infrastructure operators (“CIIOs”) and organizations whose processing of personal information reaches an amount designated by the authority are required to store in China all personal information collected and generated in China.

Any cross-border transfer thereof shall be subject to a security assessment by the Cyberspace Administration of China (CAC).

2. Personal liability for DPOs/executives

The concept of the corporate veil can be very comforting for executives and other senior decision-makers in a company. When such a company acts as a data controller in its processing activities, the decisions affecting the scope of data collection and usage are run by these executives prior to the processing. Combining the potential in the monetization of personal data and the constant pressure on executives to generate more value for shareholders, together with the protection provided by the corporate veil, can easily lead to excessive data collection and sharing.

Unlike the GDPR, the PIPL seems to have recognized this conundrum and answered it by including the option of imposing personal liability on high-level executives and/or Data Protection Officers when a company’s operations do not comply with the PIPL. It remains to be seen how and to what extent this will be enforced. However, one can be sure that the discussions around how to handle personal data will take a significant turn. Maybe it’s time to remember what was said by Confucius: “Do not do to others what you do not want to be done to yourself.”

3. No legitimate interest as a legal basis under the PIPL

The GDPR provides data controllers with the option of using their legitimate business interests as a lawful basis to collect or otherwise process personal data. Since the enactment of the GDPR, this lawful basis has become the most commonly used throughout different sectors that are subject to the GDPR (and even beyond).

Some of the more recent and ever-multiplying privacy laws have adopted a similar business-friendly and flexible option. The PIPL, however, does not provide this option as a lawful basis and instead remains in the world of consent (the conditions for valid consent being very similar to those of the GDPR).

As we know, collecting, recording, and managing consent is no small feat when providing digitized services to thousands of data subjects. This should be kept in mind when planning a product or providing services in China.

Consent is not the only lawful basis the PIPL offers, and it may be worth assessing the other options before falling back to consent. Some of these additional options are: compliance with legal responsibilities, public health emergency necessity, processing already published information (within a reasonable scope), public interests, and other circumstances permitted by laws and regulations.

4. Limitations on international transfers under the PIPL

Data controllers may carry out cross-border transfers in reliance on one of the legitimate approaches recognized under the PIPL, including entering into a standard contract (following a template to be issued by the CAC) with overseas data recipients.

The PIPL sets up obligations regarding data transfers for critical information infrastructure operators (CIIO) and big personal information processors who process personal information on a large scale.

First, the PIPL requires that personal information processors shall not provide personal information to foreign public authorities without getting the permission of the competent Chinese authority (CAC).

Furthermore, the CAC will compose a restricted and prohibited list of personal information transfers. If organizations or individuals outside of China infringe on a Chinese citizen’s personal information or process personal information to damage national security or the public interest, they might be placed on the restricted or prohibited list, and transfers of data to them will be prohibited or restricted.

5. Bonus. Panda fact

Pandas generally are not covered by the PIPL. This is surprising given their close proximity to humans. The reasoning behind this may be that they spend the entire day chewing bamboo and don’t have extra time to lobby for their personal information interests. On the other hand, someone should tell them that if they do not stop wasting all the energy they get from bamboo on actually eating the bamboo, they will not survive anyway, so why bother? If this offends anyone, please inform the pandas that there is more nutritious food out there that requires less chewing.

In conclusion, data localization and data transfer obligations under the PIPL are of particular importance and will no doubt impact the global data strategy of some international organizations as well as both data importers and exporters. 
