Published on September 22, 2021. Author: Privacy Research Team
China has passed the Personal Information Protection Law (the “PIPL”), which is set to go into effect on November 1st, 2021. The PIPL draws on comprehensive data privacy laws from around the world and currently stands on par with major regulations such as the CCPA and GDPR. The PIPL applies to organizations handling the personal information of individuals within the borders of China, and it also has an extraterritorial scope of application.
This article will talk about the potential impact of China’s PIPL on the international market and what steps offshore organizations need to take to ensure compliance with the PIPL.
Just like the GDPR, the PIPL has extraterritorial scope: companies that operate from outside of China and handle Chinese residents’ personal information may also be required to comply with the PIPL if one of the following thresholds is met:
Please note that Point 3) suggests that PIPL has a broader scope of extraterritorial application than GDPR as it leaves a margin of discretion to China’s public authorities to further extend the applicability of the PIPL extraterritorially. Let’s understand the key impacts of PIPL on international organizations that are subject to PIPL compliance.
There are a number of requirements under the PIPL that organizations will need to fulfill if they fall under its extraterritorial scope. These may apply at a global level. The requirements include:
If you are an international organization that is subject to PIPL, you are required to establish a legal entity in China or appoint a “representative” to be responsible for personal information protection in China.
International organizations subject to the PIPL must comply with the following:
The PIPL requires organizations to obtain clear, voluntary, and well-informed consent. The following are the specific consent requirements for certain situations:
Under the PIPL, cross border data transfers are allowed if organizations:
If it is necessary to transfer personal information outside of China for international judicial assistance or administrative law enforcement, international organizations must file an application with the relevant competent authority for approval.
A personal information protection impact assessment is necessary before any data can be transferred cross-border or to third parties. An international organization must conduct an impact assessment if it carries out processing in one of the following scenarios:
Foreign organizations that are obligated to comply with the PIPL are required to appoint a DPO in specific situations, depending on the volume of personal information processed. Organizations are required to disclose the methods of contacting the DPO, and to report the names and contact details of the officers to the departments that fulfill personal information protection duties and responsibilities.
Under the PIPL, individuals are given certain rights which they may exercise at any time by sending a request to the data handler. These rights can be exercised under certain situations and are as follows:
The PIPL requires foreign organizations that are obligated to comply with its requirements to offer individuals a mechanism for submitting their data requests. This mechanism must allow the organization to accept and process requests from individuals to exercise their rights.
In case of a security breach, the PIPL requires organizations complying with the law to take “immediate” remediation actions and notify the relevant agency and affected individuals. Organizations are required to adopt measures that can effectively avoid security breach risks and promptly notify affected individuals about the data breach.
Third parties entrusted with individuals’ personal data are required to handle this data in accordance with the PIPL. Organizations are required to form an agreement with these third parties to ensure that the necessary measures:
The PIPL goes into effect in a little over a month, and at the moment there is only speculation about how the law will be enforced. Some experts believe that the CAC could inspect every website and every data transfer contract to see whether it is in compliance with the PIPL. That being said, Peggy Chow, a lawyer specialising in data protection and cybersecurity laws in Asia at Herbert Smith Freehills, believes that most organizations will not be in compliance with the PIPL when the enforcement date comes around. Chow says:
"I suspect that some companies won't be ready to comply by then," she says. "It remains unclear how some of the provisions might be enforced, given the lack of detail in some areas – such as what constitutes a 'large' amount of data. Companies should aim to comply with the law as soon as possible, and prepare to adjust as clarity around the legislation evolves."
Under the PIPL and the GDPR there are different penalties for non-compliance.
Organizations need to start operationalizing their processes if they hope to get compliant with the Chinese PIPL. Securiti brings organizations an all-in-one solution that will allow them to comply with global privacy regulations such as the China PIPL with the help of robotic automation and artificial intelligence.
Visit our website and book a free demo today to learn more about the solution and how it can assist you on the road to compliance.