China’s much anticipated Personal Information Protection Law (PIPL) is very likely to pass this month after the conclusion of the 30th meeting of the Standing Committee of the National People’s Congress, which is to be held in Beijing on 17-20 August. This follows the enactment earlier this year of the Data Security Law (DSL), which will take effect on 1 September 2021.
The PIPL – which will add another layer of compliance obligations on processors of personal information – will supplement and further strengthen the developing regulatory regime, which consists of the 2017 Cyber Security Law (CSL) and the DSL once enacted.
The PIPL will be China’s primary privacy and data protection law, despite the common misconception that the DSL is China’s privacy law. Nonetheless, the DSL and the CSL may affect how multinational companies conduct business operations in China, including how they may or may not process personal information. Please click here to register if you would like to attend our webinar on China’s new Data Security Law to be held on 18 August 2021 (at 15:00-16:00 Hong Kong time).
Key things to note about the PIPL
The second draft of the PIPL was released for public comment this past April. The final version of the PIPL will likely incorporate most provisions of that draft, including, among others:
(i) Consent collection rules
Data subjects have various rights under the draft PIPL, and data processors must notify individuals of the specific ways in which they may exercise those rights. Sensitive personal information may only be collected if it is necessary to achieve legitimate purposes, and data subjects must be apprised of any consequences associated with the provision of such information. Separate and specific consents must also be obtained for certain processing activities (e.g., sharing data with third parties).
(ii) Cross-border transfer rules
Data processors may only transfer personal information outside of China if at least one of the following conditions is satisfied:
(a) a security review organized by the Cyberspace Administration of China has been passed;
(b) a personal information protection certification from a professional agency has been obtained;
(c) a standard data transfer agreement has been entered into between the data processor and the overseas recipient; or
(d) other conditions as prescribed by law.
(iii) Presumption of fault
Pursuant to the draft PIPL, the data processor is presumed to be at fault if an individual is harmed by the data processor’s processing activities. The data processor bears the burden to prove that its processing activities are lawful and that it is not at fault. This raises the bar for data compliance and internal risk controls of data processors.
(iv) Extraterritorial impact
The PIPL is set to have an extraterritorial effect like the GDPR. Activities of foreign companies may be caught by the PIPL where personal information is processed outside of China for the purpose of analyzing the behavior of individuals within China. There is no definition of what constitutes “analyzing behavior”, so the application of this provision could be wide-reaching.
Impact of the new laws
As China’s data and privacy laws continue to evolve, the new regime will mean that organizations inside and outside of China will need to revisit their data management and transfer strategies, as well as the policies and procedures in place for the collection and processing of personal data.