Navigating PIPL: Challenges and Best Practices for Multinational Corporations

Personal information has become a valuable commodity and with the increasing digitization of the economy and the proliferation of data-generating applications, individuals are supplying it in ever-growing amounts. Big data is a multi-billion dollar industry and consumers are the products.

In an attempt to protect the rights of individuals in relation to their personal data, more than 130 countries have put data privacy laws in place to regulate the collection, processing, storage, and sharing of personal data by organizations and governments. Some of the most well-known privacy regulations include the European Union's General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA).

China is the latest to introduce this type of legislation in the form of the Personal Information Protection Law (PIPL). It is critical for any company doing business with Chinese nationals to be familiar and compliant with PIPL to avoid the heavy penalties and reputational damage that violations will incur.

So what do you need to know and do to be compliant?

Something Old, Something New - What is PIPL and How is it Different?

PIPL is a comprehensive privacy regulation that came into effect in China in August 2021. It aims to protect personal information by regulating its collection, use, processing, storage, and transmission. PIPL applies to all domestic and foreign businesses and organizations that process the personal information of Chinese citizens.

While data protection legislation is now commonplace, PIPL is unique in several ways compared to other privacy regulations such as the GDPR and CCPA.

One of the most significant differences is that PIPL is tailored to the Chinese legal and cultural context in that it accounts for factors such as China's unique political and economic system, the cultural importance of personal privacy, and the importance of protecting state security and social order.

As a result, PIPL includes provisions not found in other privacy regulations, such as requirements for obtaining explicit consent from individuals for certain types of data processing and restrictions on the cross-border transfer of particular types of data.

Compliance with other privacy regulations does not mean you will automatically be in line with PIPL. Foreign companies operating in China must get relevant local legal and IT input to understand the unique requirements of PIPL.

Being PIPL Compliant: There is Only Good News

While the temptation might be to hope that you are covered by compliance with your local legislation, PIPL compliance is crucial for businesses and organizations operating in China for several reasons.

The legal penalties for violating PIPL are onerous and can include hefty fines, the suspension of business activities, rectification orders, and criminal liability for both companies and individuals.

Non-compliance with PIPL can also damage your company's reputation. Authorities in China are permitted to publicize the names of companies that violate PIPL and stories about data breaches or privacy violations spread quickly on social media and other platforms and can be difficult to recover from.

Just as importantly, there are several benefits to businesses in becoming PIPL compliant including:

• Building trust with your customers through providing greater transparency and control over personal information and obtaining explicit consent.
• Implementing better data management practices, including data inventories, risk assessments, and data protection measures. This can lead to more efficient and effective data management, reducing the risk of data breaches, and improving overall data quality.
• Staying competitive by ensuring that you can continue operating in China and other regions with strong data protection regulations. PIPL compliance also demonstrates a commitment to privacy and data protection, which can be a key differentiator in the marketplace.

So What Do You Need To Do?

Becoming PIPL compliant can feel overwhelming, particularly given how complex and sensitive the Chinese business landscape is. There are a few basic steps that companies should take to ensure that they bring their business practices in-line with PIPL requirements. These steps include:

• Identify and inventory all personal information that your company collects, processes, and stores. This includes not only data related to customers but also employee data and data related to business partners.
• Update your policies and procedures to ensure that all data is collected and processed in line with PIPL. This includes making sure you obtain explicit consent from individuals before collecting or processing their personal information.
• Companies must implement appropriate data security measures to protect personal information from unauthorized access, theft, or loss. This includes measures such as access controls, encryption, and secure data storage.
• Appoint a data protection officer (DPO) who is responsible for overseeing compliance with the law. The DPO should be someone with expertise in data privacy and security.
• Companies need to ensure that third-party service providers comply with PIPL requirements. This can be achieved through contractual agreements, audits, or other appropriate measures.
• PIPL grants data subjects several rights, including the right to access, correct, delete, and transfer their personal data. Companies need to implement appropriate data security measures be prepared to handle these data subject requests.

There are some basic best practices for data management and protection under PIPL. Understanding and implementing these will go a long way to ensuring compliance. These include:

• Minimizing data collection by only collecting personal information that is necessary for business operations.
• Limiting access to personal information by restricting access to those who need it for business purposes.
• Implementing data retention policies that specify how long personal information is retained and when it should be deleted.
• Conducting regular risk assessments to identify potential vulnerabilities in their data security practices.

Food for Thought: Challenges on the Road To PIPL Compliance

Achieving compliance with PIPL can be a challenging task for businesses, especially those that operate in multiple regions with different privacy regulations. Some of the challenges that companies may face include:

• Understanding the requirements: PIPL has complex requirements that may be difficult to understand for companies unfamiliar with Chinese data protection regulations.
• Data localization requirements: PIPL requires companies to store data of Chinese citizens within China, which can be a challenge for companies with operations outside of China.
• Compliance costs: Implementing PIPL compliance measures can be costly, especially for small and medium-sized enterprises.
• Staff training: Employees need to be trained on PIPL compliance requirements, which can be time-consuming and expensive.

A Foot In Many Doors: Some Considerations for Multinationals

Multinational companies with operations in China and other regions with different privacy regulations have some unique considerations and challenges. Some of these include:

• Cross-border data transfers: Companies may need to transfer data between countries where they operate. PIPL requires companies to obtain approval from relevant authorities before transferring data out of China.
• Harmonization with other data protection regulations: Multinational companies need to ensure that their data protection practices in China comply with other data protection regulations in the countries where they operate.
• Monitoring and reporting: Multinational companies need to have effective monitoring and reporting mechanisms in place to ensure compliance with PIPL and other relevant regulations in all countries where they operate.

Complying with PIPL - a Priority for all Operations in China

While data privacy is nothing new and many companies have been working on compliance with different pieces of data protection legislation for several years, it is crucial for foreign companies operating in China to prioritize compliance with PIPL. PIPL has unique requirements and guidelines for collecting, processing, and storing personal data, and failure to comply can result in legal penalties and damage to reputation.

Given the complexity of both the Chinese legislative framework and the business landscape, it is critical that foreign companies operating in China partner with local teams to help access the relevant combination of IT and legal knowledge, skills, and expertise to implement PIPL requirements effectively.