You thought GDPR was hard to navigate? Try the Chinese version

Our parents were wrong - sharing is not always caring, and the proliferation of data protection laws emerging globally are clear proof of that. The wave of updated privacy legislation started with the General Data Protection Regulation (GDPR) adopted by the European Union in 2016, which rapidly became the gold standard for this type of law internationally.

As one of the largest emerging economies, China has been quick to adopt legislation of its own aimed at “protecting the rights and interests of individuals”. China’s Personal Information Protection Law (PIPL) was adopted in 2021 when it became their first national law to comprehensively regulate the use of personal information of Chinese citizens globally.

Navigating China’s privacy landscape is not as simple as focusing on this one law, however. PIPL has to be understood in relation to two other pieces of legislation that all operate together to govern data processing and cybersecurity activities in and relating to China - the Data Security Law (DSL) which establishes a data security system applying to all on and offline data processing activities, and the Cyber Security Law (CSL) which stipulates cybersecurity obligations for network and information infrastructure operators in China.

Getting a thorough overview of PIPL is a great place to start understanding what legal and IT resources multinational companies setting up in China need to ensure proper compliance.

So What are the Highlights?

Similar in size and scope to the GDPR, PIPL imposes serious restrictions on how personal data can be collected, processed, and managed.

Collection of Data

Under PIPL, any organization that processes personal information must have a clear and reasonable purpose for collecting any personal information about Chinese citizens, and data collection must be limited to the smallest scope possible to fulfill that purpose.

Even when such a purpose exists and the scope is tight, the collection of personal data can only be done with the explicit consent of the individual, consent which is only valid if it was given with a full understanding of exactly what is being collected and why. Users are allowed to withdraw their consent at any time, and this must be made easy for them to do.

Processing and Management of Data

PIPL sets out a number of requirements and restrictions regarding the processing and management of personal data, including special rules for international organizations operating in China or targeting Chinese citizens. These include rules such as: 

• Global companies with operations in China are required to appoint a local representative responsible for PIPL compliance.
• Cross-border data transfers must be submitted to the Cyberspace Administration for approval.
• Large data handlers must localize data within mainland China.

Penalties for Non-Compliance

So what happens if your company violates any of the PIPL regulations? Businesses will incur fines ranging between $7.7 million up to 5% of the previous year’s revenue, and they will be required to compensate individuals for any harm caused by their violations. Penalties can also include non-monetary consequences such as suspending access to specific IT systems, impacting the company’s capacity to run its operations as usual.

But it doesn't stop there - PIPL may punish not only the company but also the person appointed to be responsible for data protection for the company. With such serious penalties, international companies operating in China must ensure that they are in compliance with all data security regulations in the country. This requires having the right local resources and partnerships.

We are GDPR Compliant, so Aren’t We Good to Go In China?

While being GDPR compliant will give your company a good jumping-off point given the overlap between the two sets of legislation, there are some important differences between the GDPR and PIPL. Some examples of significant differences include:

• PIPL’s scope: Both the GDPR and the PIPL are extraterritorial in scope, but while the GDPR focuses on where the business is located, PIPL focuses on where the data processing happens - if the processing occurs within the territory of China, whether there is an office in China or not, PIPL is applicable.
• Definition of personal information: PIPL has a wider definition of what is considered sensitive or special personal information than the GDPR.
• Risk assessment: While both the GDPR and PIPL set out circumstances where companies are required to assess potential risks to individuals before processing data, PIPL defines these scenarios much more specifically.
•  Cross-border data transfer: Both sets of regulations stipulate that receivers of cross-border data must provide adequate protection for the information they receive, but PIPL’s cross-border transfer rules are impacted by the CSL and the DSL as well.
• Supervisory authorities: Both the GDPR and the PIPL define a supervisory authority that is responsible for regulating data processing and enforcing the rules. The GDPR requires one independent authority with a clearly defined scope. In China, however, there are multiple supervisory authorities all with interrelated responsibilities.

As can be seen from just these few examples, being GDPR compliant will not be enough to protect international companies operating in China. The unique regulatory environment in China can create huge challenges for these companies, and they will need to be strongly guided by local partners to ensure they are in line with the regulations.

So What Does This All Mean for International Companies in China?

In order to comply with PIPL and other related laws, international companies will need the right combination of both legal and IT expertise. A local legal expert will be needed to help navigate the complex regulatory framework and identify requirements for compliance, and they would need to work closely with skilled IT professionals with a deep knowledge of and experience in implementing PIPL regulations. 

Having the right partners and resources to ensure they stay compliant and avoid the hefty repercussions of being in violation of the law is critical. 

Where to From Here?

There are essentially seven steps that an international business in China must take in order to become PIPL compliant:

• Establish a lawful basis for processing personal data
• Implement the required consent processes
• Review and update IT systems where data is stored
• Create the systems and procedures to manage cross-border data transfers
• Conduct a formal data protection impact assessment
• Create a system to manage requests from data subjects for their information
• Appoint a Data Protection Officer and China representative

Each of these steps requires the right legal and IT expertise. QTS is not only familiar with the relevant laws but also has IT professionals experienced in the implementation of PIPL and other regulations. We can be an invaluable resource in helping you navigate this rocky terrain and help ensure your company is fully compliant. Contact us for any questions or to find out more about our services.