In August 2021, China passed a major piece of legislation called the Personal Information Protection Law (PIPL). It went into effect on November 1 and applies to all companies looking to conduct business in China, whether they are established in the country or not.
The PIPL has been a long time in the making. China has been discussing an omnibus law on personal information since at least 2015. The current law stems from a non-compulsory 2017 standard called “Personal Information Security Specification,” which came into effect in 2018 and was revised in 2020. The difference with the PIPL is that it is somewhat more inclusive of all personal data and, more importantly, it is now compulsory.
On the surface, PIPL echoes many of the same regulations brought forward by the EU’s General Data Protection Regulation (GDPR), which went into effect in May 2018. Essentially, it will enable individuals to decide how their personal data is used. This power ranges from opting in for marketing purposes to approving the use and processing of more sensitive data, such as biometrics, financial information, and location services. The PIPL includes the same principles and operating structure as GDPR, including controllers, processors, the legal basis for processing, security measures, organizational measures, notification of breaches and more.
The difference is that this is happening through a Chinese lens — and this means there will be no independent organizations for oversight. The EU’s GDPR contains the following clause: “Each Member State shall provide for one or more independent public authorities to be responsible for monitoring the application of this Regulation, in order to protect the fundamental rights and freedoms of natural persons in relation to processing and to facilitate the free flow of personal data within the Union.” No clause like this exists in China’s PIPL, and this marks the sharpest difference between the two. While the PIPL does provide for supervisory authorities, they are not independent of the state. In that regard, the PIPL is consistent with previous laws, such as the China Cybersecurity Law.
Similar to GDPR, organizations that process personal data above a certain threshold will be required to appoint a data protection officer who supervises data protection, and will be subject to more stringent obligations around certain activities, including cross-border transfers of personal information. While China has yet to announce the threshold above which appointing a data protection officer becomes mandatory, the draft Measures on Security Assessment of Cross-border Data published by the Cyberspace Administration of China (CAC) on October 29 give some insight. Among other things, these measures will require any cross-border operator that cumulatively processes the personal information of more than 100,000 China residents, or the sensitive personal information of more than 10,000 China residents, to submit a security self-assessment of such cross-border data transfers to the Chinese authorities for approval. In other words, the threshold is quite low, so cross-border transfers of personal information will come under close scrutiny.
While many companies have so far managed to get by with nominal GDPR compliance, China is much less likely to tolerate businesses that skirt the rules or do the bare minimum, and the consequences could be severe. In addition to very high fines, non-compliant organizations may find their business license suspended or their company shut down entirely. The impact, in China and worldwide, is going to be significant.
Chinese authorities will be stern in enforcing this law: enforcement of every law relating to cybersecurity, data security, and data processing is being strengthened, and the Chinese government wants to be seen as highly protective of personal data.
Companies that are already compliant with the GDPR will feel less impact than others, but this will still have a significant impact on our increasingly global society. If any part of your business touches China at all, you must comply with this law. The government can cut off any access to its population. Additionally, any violation of the PIPL may lead to an administrative fine of up to RMB 50 million or 5% of the processor’s turnover in the previous year.
One specific provision in the law calls out foreign governments for special consideration: “If [foreign countries] adopt measures against China in the area of personal information, China may adopt retaliatory measures.” Such provisions may well be a direct response to Trump’s trade war with China. This is a catch-all provision that gives other countries little insight into, or control over, what China considers discriminatory. It could ultimately affect the flow of information, which is key in international business.
As a final note, here are a few Dos and Don’ts for successful compliance with the PIPL:
- Do conduct a compliance self-assessment. This is going to be key in China. You absolutely need to start examining your own situation, so you know where you stand and where you have gaps in terms of non-compliance.
- Do know the risks associated with every decision you make regarding the PIPL.
- Do continue to conduct regular compliance audits.
- Do not just ignore it.
- Do not think you’re going to fly under the radar.
- Do not attempt to use a VPN to get around compliance.
The PIPL has been a long time in the making and certainly won’t be the last digital regulation we see from China. It is extremely important for all organizations to align themselves with the rules of such new regulations.
Isabelle Hajjar is Cybersecurity & Privacy head of compliance for digital risks and security firm TekID.
Mathieu Gorge is author of the ForbesBooks title The Cyber-Elephant in the Boardroom, as well as CEO and founder of cybersecurity company VigiTrust.