On August 20, China’s Personal Information Protection Law (PIPL) received its final reading and formally passed into law. This legislation marks China’s first comprehensive legal attempt to define personal information (PI) and to regulate the storing, transferring, and processing of personal information. It has major implications for companies that rely on data for their operations in China. The implementation of the law will provide a legal foundation for the protection of personal information in foreign firms’ operations in China. However, it will also potentially limit the cross-border transfer of such information, especially data related to critical information infrastructure (CII), because of national security implications. The business community needs to understand the law’s impact on its data operations.
Personal Information: Filling a Legal Gap
Before the law was passed, China did not have any comprehensive legislation regulating the protection of personal information. PIPL fills that gap. It offers a detailed definition of “personal information” and clarifies the concept of “sensitive personal information.” Moreover, the law’s flexible auditing requirement makes it easier for companies to implement proactive internal monitoring to avoid PI-related criminal activities.
Unlike previous laws, such as the Cybersecurity Law, the Civil Code, the Data Security Law, and the E-Commerce Law, PIPL defines the concept and scope of personal information and introduces the principle of minimization (Articles 28-30). The Cybersecurity Law from 2017 does not include specific requirements on the review process that information processors should conduct, nor does it stipulate the enforcement mechanism for its regulations. The Civil Code only states the fundamental legal principles of PI protection, without any details on implementation. The Data Security Law focuses on the general principles of data security without specific reference to personal information. The E-Commerce Law has only a narrow focus on e-commerce-related personal information.
In comparison, PIPL clearly defines PI and sensitive PI, and sharpens the focus on information transfers. Moreover, like the EU’s General Data Protection Regulation (GDPR), PIPL states that the personal information a company gathers must be limited to the minimum amount necessary for the purpose of processing (Article 6). This will reduce the likelihood of future abuses of PI.
PIPL’s mandate on companies’ self-review is designed to help companies prevent PI-related criminal activities. According to the law, companies processing PI should conduct internal audits on a regular basis and assess the risk level when the information is sensitive (Article 54). Regulators are authorized to mandate audits of companies if there is a complaint (Articles 61 and 64). These requirements respond to the unlawful abuse of personal information, especially criminal activity enabled by the lack of protection of personal information, and to the proliferation of personal information that has accompanied the rapid growth of tech giants.
In 2016, a Chinese college-bound student died of cardiac arrest after her family’s savings were emptied by a phone scam facilitated by the leak of her personal information. The case drew widespread attention in China and helped drive the passage of the law amid public demand. PIPL’s auditing requirements allow companies to flexibly construct their self-monitoring systems to avoid such PI leaks.
The Impact of the Law on Foreign Firms
PIPL marks the latest effort by Beijing to regulate companies in possession of personal data. The law’s restrictions on cross-border data transfers may not affect retailers that operate domestically and hence have no need to transfer information abroad. However, the story is vastly different for two types of companies: those in possession of large amounts of personal information and those in possession of information on critical infrastructure. Moreover, PIPL declares that the authority of domestic regulators supersedes that of international treaties.
PIPL will help foreign companies operating in China without cross-border data transfers to develop privacy policies in compliance with the law. Before PIPL, the lack of a domestic PI protection law led to the broad adoption of the EU’s GDPR as a privacy policy among foreign companies. However, the GDPR’s decision-making is based on agreements among EU member states, which do not apply in the case of China. Since PIPL will come into effect in November 2021, foreign firms in China will need to revise their privacy policies to fit the requirements of the new law.
For companies in possession of large amounts of personal information or of data on critical information infrastructure, it will be more difficult to transfer data from China to other countries due to the mandatory security assessment by the Cyberspace Administration of China (CAC). Currently, it is unclear whether such a security assessment, if successfully completed, will grant the company one-time approval for a data transfer or a license for a given period.
Furthermore, the Standing Committee of the National People’s Congress, China’s top lawmaking body, recently opined that protections on PI transferred overseas should follow standards no less rigorous than the domestic standard. This means that even if a firm has enrolled in regional voluntary agreements such as the Cross-Border Privacy Rules (CBPR), it will not be able to transfer personal information to any country with lower standards of PI protection, because the CAC will not approve such a transfer.
Future Issues
While some firms will face mounting difficulties in overseas data transfer, others may benefit from PIPL. In the short term, the business community must observe the enforcement practices, potentially through engagement with stakeholders including the CAC on specifics of approved data transfers.
Following the release of PIPL, the business community should identify the government agencies responsible for enforcing the new law and engage with them to understand the regulatory constraints on cross-border PI transfer. Though PIPL establishes the CAC as the main authority overseeing PI protection, it was other government agencies – including the Ministry of Public Security – that were involved in the recent punitive actions against DiDi, a Chinese tech giant seeking an IPO in the United States. Engagement with government agencies can help companies better comply with legal requirements.
Countries across the globe are taking legislative and administrative actions to tighten up and defend data sovereignty. This trend is attested by China’s investigations into DiDi and Alibaba, the EU’s invalidation of the EU-U.S. Privacy Shield, and U.S. executive orders targeting TikTok over data concerns. Without trust, clear laws, or cooperative prosecutions, business will wither, and we will be looking at a real future of data localization and business segmentation around the globe.