New Chinese privacy law – PIPL

4 factors you need to be aware of when doing business in China.

China has enacted its long-awaited privacy law, the Personal Information Protection Law (“PIPL”). Here are four key takeaways on how it resembles and differs from the European General Data Protection Regulation (“GDPR”), and some impacts you need to be aware of when doing business in China.

In short: What is the PIPL?

  • The PIPL is China’s new privacy law and the first comprehensive legislation on the processing of personal information about individuals in China.
  • The PIPL enters into force on 1 November 2021 and, together with the Data Security Law (2021) and the Cybersecurity Law (2017), forms a new legal framework for data security and privacy in China.
  • The PIPL has many similarities to the GDPR and is expected to be strictly enforced by the authorities.

1. Extraterritorial scope: The PIPL may apply to you even if you’re located outside China

Similarities

Both the GDPR and the PIPL apply to processing of personal information carried out within their respective territories: the GDPR to controllers and processors established in the EU/EEA, the PIPL to processing activities within China. Both sets of rules may, however, also apply to personal information processors located outside those territories, i.e. they have a so-called extraterritorial scope.

Differences

The PIPL applies to processing outside China of personal information about individuals physically within China if the purpose is (i) to provide products or services to individuals in China, (ii) to analyse or assess the behaviour of individuals in China, or (iii) other circumstances specified by laws or administrative regulations. The first two triggers mirror the GDPR’s (offering goods or services, and monitoring behaviour); the third is an open-ended catch-all that the GDPR does not have.

What you need to be aware of

The PIPL may apply to you even if your company is located in Norway, for example if you process personal information about individuals within China in a controller role (a 'personal information processor' in PIPL terms). Overseas processors caught by the PIPL in this way must also establish a dedicated entity or appoint a representative in China who is responsible for personal information protection matters (see item 4 below).

2. Legal basis: You cannot process personal data based on legitimate interests

Similarities

The GDPR and the PIPL require the controller or personal information processor, respectively, to establish a legal basis for its processing of personal information. Both accept legal grounds such as consent, performance of a contract, protection of vital interests, compliance with a legal obligation and public interest. Consent must be given voluntarily and on an informed basis before the processing starts, and the individual must be able to withdraw it at any time. The PIPL additionally requires consent to be explicit in all cases, whereas the GDPR demands explicit consent only for special categories of data.

Differences

The PIPL relies on consent as a legal basis more heavily than the GDPR. For example, the individual’s separate, prior consent is always required to process sensitive personal information, which includes biometrics, religious beliefs, medical and health data, financial accounts, location tracking and the personal information of minors under 14.

The PIPL also allows processing without consent where it is necessary for human resource management under lawfully adopted labour rules, for performing statutory duties, for responding to public health emergencies or protecting life, health and property, for news reporting in the public interest within a reasonable scope, and where the information has been disclosed by the individual or otherwise lawfully disclosed, again within a reasonable scope.

Unlike the GDPR, the PIPL does not operate with the legitimate interests principle as a legal basis for the processing of personal information.

What you need to be aware of

Many European companies are used to processing personal information on the basis of legitimate interests. Since that basis does not exist under the PIPL, you must identify and document another legal basis recognised by the PIPL, such as consent, necessity for concluding or performing a contract, human resource management, public interest or publicly available information. This is particularly important if you process personal information about employees and/or business contacts in China, for example in a customer relationship management (CRM) system.

3. The individuals’ rights: You may risk lawsuits if you deny requests from individuals related to their rights

Similarities

Similar to the GDPR, the PIPL grants individuals several rights that they may exercise against you as the personal information processor. These rights include, inter alia, the right to be informed, to restrict or refuse processing, to access and obtain copies, to correct or complete, and to request deletion.

Differences

Under the PIPL, individuals may, in addition to the other rights, request that you explain your rules for processing personal information. Furthermore, individuals have the right to bring a lawsuit before a People’s Court if you reject their request to exercise their rights.

What you need to be aware of

The PIPL requires you to establish an accessible mechanism for receiving and handling requests from individuals. As non-compliance exposes you to lawsuits from individuals, it is important to implement routines and systems that let you respond to such requests properly and in time. In addition, regulators may order audits of your processing, including on the basis of complaints from individuals.

4. Cross-border transfers: You need to know where your personal data are stored (and may be accessed)

Similarities

Just like the GDPR, the PIPL imposes strict requirements on cross-border transfers of personal information originating in China. In this context, a transfer means providing personal information to, or making it available or accessible to, parties outside China, for example through storage, incident management or remote access.

Differences

Transfers of personal information to entities outside China are subject to strict requirements. You must (i) inform the individuals about the transfer (the recipient, the purpose and method of processing, the types of information and how to exercise their rights against the recipient) and obtain their separate consent, (ii) carry out a personal information protection impact assessment before the transfer and retain the report for at least three years, (iii) if you are a processor located outside China, establish a dedicated entity or appoint a representative in China who is responsible for personal information protection matters, and (iv) rely on one of the transfer mechanisms recognised by the PIPL (a security assessment by the Cyberspace Administration of China, certification by a professional institution, or a standard contract formulated by the Cyberspace Administration) and otherwise take the measures necessary to ensure that the recipient meets the PIPL’s protection standard.

What you need to be aware of

Transfers of personal information are subject to strict requirements under both the GDPR and the PIPL, so you must pay attention to any personal information crossing the borders of both the EU/EEA and China. Make sure you know where your personal information is stored and from where it can be accessed, including remotely. This is especially important if you use cloud services or IT suppliers in general. In some cases, state-owned enterprises (SOEs) in China, a category that is interpreted broadly, are required to keep data related to local customers and operations within China by migrating it from cloud services to digital infrastructure controlled by the State-owned Assets Supervision and Administration Commission of the State Council (SASAC).

Sanctions

Breaches of the PIPL can be sanctioned with fines of up to RMB 50 million or 5% of the personal information processor’s (the controller, in GDPR terms) turnover in the preceding year. Other sanctions include the typical Chinese measures of suspending operations and revoking business licences and permits, orders to rectify, confiscation of unlawful gains, and personal liability for the individuals in charge, who can be fined and barred from holding senior management positions.

Key takeaway

With the adoption of the PIPL, China takes yet another important step towards increased protection of personal information. Companies that are GDPR compliant and process personal information about individuals physically within China will be able to reuse much of their GDPR framework, but the differences above (no legitimate interests basis, separate consent for sensitive data and transfers, a local representative and a recognised transfer mechanism) still require targeted changes to their operations. Companies should assess whether existing practices and procedures need to be altered, and monitor legal developments in China, as further details, guidelines and regulations are expected in the future.

Key terms

Terms in the PIPL (based on official translations), followed by the similar or equivalent terms in the GDPR:
  • Personal information – Personal data
  • Sensitive personal information – Special categories of personal data and/or personal data relating to criminal convictions and offences
  • Individual – Data subject
  • Personal information processor – Data controller
  • Contracted party – Data processor

Wikborg Rein has been on the ground in China for many years, and we have both local expertise and EU/EEA expertise on data protection and privacy compliance. Please contact our Partners Line Coll and Gry Hvidsten, our Senior Lawyer Therese Trulsen, Senior Associate Sherry Qui or Wegard Kyoo Bergli if you need help navigating this complex international data protection landscape.
