Here’s What ‘China’s GDPR’ Means For International Businesses

Published September 22, 2021 / Updated November 11, 2024
Contributors

Anas Baig

Product Marketing Manager at Securiti

Muhammad Faisal Sattar

Data Privacy Legal Manager at Securiti

FIP, CIPT, CIPM, CIPP/Asia

China has passed the Personal Information Protection Law (the “PIPL”), which came into effect on November 1st, 2021. The PIPL draws on comprehensive data privacy laws from around the world and currently stands on par with major regulations such as the CCPA and GDPR. The PIPL applies to organizations handling the personal information of individuals within the borders of China. It also has extraterritorial scope.

This article discusses the potential impact of China’s PIPL on the international market and the steps offshore organizations need to take to ensure compliance with the PIPL.

How does China’s PIPL apply to international businesses?

Just like the GDPR, the PIPL has extraterritorial scope: companies operating from outside China that handle Chinese residents’ personal information may also be required to comply with the PIPL if one of the following thresholds is met:

  1. Providing products or services to natural persons inside China’s borders.
  2. Conducting analysis of the activities of natural persons inside China’s borders.
  3. Other circumstances provided in laws or administrative regulations.

Please note that Point 3) gives the PIPL a broader extraterritorial scope than the GDPR, as it leaves China’s public authorities a margin of discretion to further extend the applicability of the PIPL outside China. Let’s look at the key impacts of the PIPL on international organizations that are subject to PIPL compliance.

Impact of PIPL on International Businesses

There are a number of requirements under the PIPL that organizations will need to fulfill if they fall under its extraterritorial scope. These may apply at a global level. The requirements include:

1. Appoint a representative or have a dedicated entity in China:

If you are an international organization subject to the PIPL, you are required to establish a legal entity in China or appoint a “representative” who is responsible for personal information protection in China.

2. Fulfill processing requirements:

International organizations subject to the PIPL should comply with the following:

  • Comply with the personal information processing principles (lawfulness, collection and purpose limitation, transparency, accountability, and security).
  • Identify a lawful basis of processing to process personal information and sensitive personal information.
  • Inform individuals how their personal information would be processed (notice should be concise, easily accessible, easy to understand, and in clear and plain language).

3. Obtain valid consent:

The PIPL requires organizations to obtain clear, voluntary, and well-informed consent. The following are specific consent requirements for certain situations:

  • Specific opt-in consent is required for sensitive data.
  • Specific consent for the disclosure of data.
  • Organizations handling personal information that has already been disclosed must obtain consent where the processing has a major impact on individual rights and interests.
  • Collected personal identity-distinguishing characteristic information may only be used for the purpose of public security.
  • Parental consent is required for the data of children below the age of 14.

4. Honor cross-border data transfer requirements:

Under the PIPL, cross-border data transfers are allowed if organizations:

  • Provide notices to individuals, and obtain their specific consent for transfer;
  • Conduct a personal information protection impact assessment; and
  • Meet at least one of the following conditions:
    • Contract with the foreign organization (standard contractual clauses).
    • Security assessment (mandatory for CIIOs or organizations that process large volumes of personal information).
    • Personal information protection certificate.
    • Other conditions provided in laws or administrative regulations or by CAC.

If it is necessary to transfer personal information outside of China for international judicial assistance or administrative law enforcement, international organizations must file an application with the relevant competent authority for approval.

5. Conduct personal information impact assessment:

A personal information protection impact assessment is necessary before any data can be transferred cross-border or to third parties. An international organization must conduct an impact assessment if it processes personal information in one of the following scenarios:

  • Processing sensitive information.
  • Conducting automated decision-making.
  • Entrusting personal information processing to other data controllers, or disclosing personal information.
  • Providing personal information abroad.
  • Other personal information processing activities.

6. Appoint a Data Protection Officer (DPO):

Foreign organizations obligated to comply with the PIPL are required to appoint a DPO in specific situations, depending on the volume of personal information processed. Organizations are required to disclose the methods of contacting the DPO, and to report the officer’s name and contact methods to the departments fulfilling personal information protection duties and responsibilities.

7. Have a Data Subject Rights Requests Mechanism:

Under the PIPL, individuals are given certain rights which they may exercise at any time by sending a request to the data handler. These rights can be exercised under certain situations and are as follows:

  • Right to know what data is collected.
  • Right to decide on, refuse, and limit the handling of their personal data unless legally required.
  • Right to request an explanation of how the organization handles their data.
  • Right to access personal information.
  • Right to correct inaccurate stored data.
  • Right to erasure of their data.
  • Right to transfer their personal data to another organization.

The PIPL requires foreign organizations obligated to comply with its requirements to offer individuals a mechanism for submitting data requests. This mechanism must allow organizations to accept and process requests from individuals to exercise their rights.

8. Have a Data Breach Response Framework:

In case of a security breach, the PIPL requires organizations subject to the law to take “immediate” remediation actions and notify the relevant agency and the affected individuals. Organizations are required to adopt measures that effectively reduce the risk of security breaches and to promptly notify affected individuals about any data breach.

9. Agreements with third-party processors:

Third parties entrusted with individuals’ personal data are required to handle this data in accordance with the PIPL. Organizations are required to form an agreement with these third parties to ensure that the necessary measures are in place:

  1. To safeguard the security of the personal information they handle.
  2. To assist organizations in fulfilling the obligations provided in the PIPL.

How will the PIPL be Enforced?

The PIPL is going into effect in a little over a month, and at the moment there is only speculation on how the law will be enforced. Some experts believe that the CAC could inspect every website and every data transfer contract to see if it is in compliance with the PIPL. That being said, Peggy Chow, a lawyer specialising in data protection and cybersecurity laws in Asia at Herbert Smith Freehills, believes that most organizations will not be ready to comply with the PIPL when the enforcement date comes around. Chow says:

"I suspect that some companies won't be ready to comply by then," she says. "It remains unclear how some of the provisions might be enforced, given the lack of detail in some areas – such as what constitutes a 'large' amount of data. Companies should aim to comply with the law as soon as possible, and prepare to adjust as clarity around the legislation evolves."

PIPL Non-Compliance Penalties

The PIPL and the GDPR prescribe different penalties for non-compliance.

  • Under Articles 66 and 71 of the PIPL, the following penalties apply to violations and non-compliance:
    • An organization that refuses to correct the violations may be subject to baseline fines of up to 1 million RMB.
    • If the violation is considered serious, the fine may be increased up to 50 million RMB or 5% of the organization’s annual revenue for the prior fiscal year.
    • The personnel directly responsible for the personal information processing may be fined up to RMB 1 million.
    • The PIPL also provides individuals with a private right of action.
  • Under Articles 83 and 84 and Recitals 158 and 149, the GDPR caps its monetary penalties at either 2% of global annual turnover or €10 million, whichever is higher, or 4% of global annual turnover or €20 million, whichever is higher. Which cap applies depends on the circumstances of each individual case, the type of infringement, and the severity of the violation.

How Securiti Can Help

Organizations need to start operationalizing their processes if they hope to become compliant with the Chinese PIPL. Securiti brings organizations an all-in-one solution that allows them to comply with global privacy regulations such as China’s PIPL with the help of robotic automation and artificial intelligence.

Visit our website and book a free demo today to learn more about the solution and how it can assist you on the road to compliance.


Frequently Asked Questions (FAQs)

The General Data Protection Regulation (GDPR) is an EU regulation, and while it doesn't directly apply to China, organizations outside the EU processing data of EU residents may be subject to its extraterritorial scope.

There isn't a direct equivalent to the GDPR in China. However, China has enacted the Personal Information Protection Law (PIPL), which shares some similarities with GDPR in terms of protecting individuals' privacy and regulating the processing of personal information.

The new data protection law in China is the Personal Information Protection Law (PIPL), which became effective on November 1, 2021. It sets out comprehensive rules for the processing of personal information and imposes obligations on organizations to ensure privacy protection.

Both laws protect personal data, but PIPL has stricter rules on storing data in China and limits how companies can send data outside the country.

People in China can ask to see, change, or delete their personal data. They must also be informed about how their data is used.
