On August 20, 2021, China joined a growing list of nations seeking to standardize existing data protection laws and expand consumer privacy with the passage of the Personal Information Protection Law (PIPL). China’s data privacy law provides a comprehensive framework to regulate the storage, transference, and processing of personal information. The law goes into effect on November 1, 2021, providing companies with a brief window for ensuring compliance with the new law.
While the law protects Chinese citizens’ data, it’s important to note that it will still affect companies operating outside of China. Privacy expert, Christina Glabas (founder and Principal Consultant of Gazelle Consulting), contextualized the law in terms of other privacy laws such as the CCPA and GDPR for US companies, stating “The scope applies to data processed in China and data that belongs to Chinese citizens, even when they’re out of the country. As a result of this wording, many companies are worried that nearly any business that does business with China will have to comply with this law.”
In the coming years, China’s regulation and enforcement policies will provide additional clarity on which companies the law affects. In the meantime, here are some key takeaways from our review of the law as written.
KEY TAKEAWAYS
- PIPL’s privacy safeguards restrictions apply to any business that processes the data of Chinese residents, including international companies.
- PIPL shares many requirements with the GDPR, including a requirement on foreign businesses to establish a representative entity within China to handle matters related to the law.
- Under PIPL, Chinese citizens have the rights to:
- Ask data handlers to explain personal information handling rules
- Copy or review their personal information
- Request correction of data which is incorrect or incomplete
- Transfer their personal information to another data handler
- The law requires data handlers to obtain explicit, voluntary consent from the individual “under the precondition of full knowledge” prior to handling personal information.
WHO IS COVERED BY CHINA’S DATA PRIVACY LAW?
According to a translation provided by Stanford University’s DigiChina Cyber Policy Center, China’s data privacy law places limitations on entities which “handle” personal information. Data handling includes the collection, storage, use, processing, transmission, provision, disclosure, or deletion of personal information. “Personal information” refers to any information, which is related to an identified or identifiable “natural [person] residing within China.” Anonymized data is not included in this category.
The law specifies that it covers data handlers operating outside of China if the purpose of their data handling activities is to provide products or services to people inside of China, or to analyze or assess the activities of people inside of China.
BUSINESS REQUIREMENTS UNDER CHINA’S DATA PRIVACY LAW
Similar to “controllers” under the EU’s GDPR, data handlers must have a “clear and reasonable purpose” for collecting personal information, and they must limit the scope of collection to the smallest amount necessary to achieve that purpose. Additionally, the law limits data retention periods to the shortest period necessary to achieve the established purpose.
Data handlers are must take measures to ensure their compliance with the law and safeguard the personal information they handle, including:
- Developing internal management structures and operating rules;
- Categorizing and managing personal information;
- Adopting technical security measures such as encryption, and de-identification;
- Reasonably determining operational limits for personal information handling;
- Regularly conducting security education and training for employees;
- Developing personal information security incident response plans;
- Auditing their personal information handling and compliance.
It is necessary for data handlers operating outside of China to establish a representative within China which is responsible for matters relating to data handling. This is similar to the requirement in the GDPR for US companies to establish a representative in the EU to handle GDPR-related responsibilities.
CONSUMER RIGHTS UNDER CHINA’S DATA PRIVACY LAW
China’s data privacy law provides Chinese citizens with the right to be informed of and make decisions about the collection, processing, and retention of their personal information. The law requires data handlers to obtain explicit, voluntary consent from the individual “under the precondition of full knowledge” prior to handling personal information.
For the purposes of obtaining consent, individuals must be notified of the following information, both at the time of collection and any time the information changes:
- The name and contact information of any person or entity which handles their personal information
- The purpose and methods of the data handling
- The categories of personal information being handled
- The retention period of the collected information
- Methods and procedures for individuals to exercise their rights under the law
If the purpose or method of data handling changes, or the scope of data collection changes, data handlers must obtain the individual’s consent under the new conditions. Additionally, data handlers must provide individuals with “convenient” means to withdraw their consent.
Individuals additionally have the right to:
- Ask data handlers to explain personal information handling rules
- Copy or review their personal information
- Request correction of data which is incorrect or incomplete
- Transfer their personal information to another data handler
The law sets more stringent requirements on the handling of personal information which is classified as “sensitive.” Sensitive personal information includes biometric data, financial account data, information related to medical health or religious belief, and the personal information of minors under the age of 14.
WHAT’S NEXT UNDER CHINA’S DATA PRIVACY LAW
Businesses operating in China or handling the data of Chinese residents should review their existing data protection strategies and data collection procedures in order to ensure they’re in compliance with the law. However, while the new law addresses broad requirements for businesses, the government will refine the application of the law. They will provide regulation, guidance, and enforcement practices in the future, so keep an eye out for future updates.
Are you wondering how China’s data privacy law will affect your business? Do you need guidance on your general data security practices? Contact us for a free consultation to see if Gazelle Consulting’s customized compliance services are right for you.
