China’s Data Privacy Law Impacts US Companies

On August 20, 2021, China joined a growing list of nations seeking to standardize existing data protection laws and expand consumer privacy with the passage of the Personal Information Protection Law (PIPL). China’s data privacy law provides a comprehensive framework to regulate the storage, transference, and processing of personal information. The law goes into effect on November 1, 2021, providing companies with a brief window for ensuring compliance with the new law. 

While the law protects the data of Chinese citizens, it’s important to note that companies operating outside of China will still be affected. Privacy expert Christina Glabas (founder and Principal Consultant of Gazelle Consulting) contextualized the law in terms of other privacy laws such as the CCPA and GDPR for US companies, stating “The scope applies to data processed in China and data that belongs to Chinese citizens, even when they’re out of the country. As a result of this wording, many companies are worried that nearly any business that does business with China will have to comply with this law.”

In the coming years, China’s regulation and enforcement policies will provide additional clarity on which companies will be affected. In the meantime, here are some key takeaways from our review of the law as written.

KEY TAKEAWAYS
  • PIPL’s privacy safeguards and restrictions apply to any business that processes the data of Chinese residents, including international companies.
  • PIPL shares many requirements with the GDPR, including a requirement on foreign businesses to establish a representative entity within China to handle matters related to the law.
  • Under PIPL, Chinese citizens have the rights to: 
    • Ask data handlers to explain personal information handling rules
    • Copy or review their personal information
    • Request correction of data which is incorrect or incomplete
    • Transfer their personal information to another data handler
  • Data handlers are required to obtain explicit, voluntary consent from the individual “under the precondition of full knowledge” prior to handling personal information.

WHO IS COVERED BY CHINA’S DATA PRIVACY LAW?

According to a translation provided by Stanford University’s DigiChina Cyber Policy Center, China’s data privacy law places limitations on entities which “handle” personal information. Data handling includes the collection, storage, use, processing, transmission, provision, disclosure, or deletion of personal information. “Personal information” refers to any information which is related to an identified or identifiable “natural [person] residing within China.” Anonymized data is not included in this category.

The law specifies that data handlers operating outside of China are covered by the law if the purpose of their data handling activities is to provide products or services to people inside of China, or to analyze or assess the activities of people inside of China. 

BUSINESS REQUIREMENTS UNDER CHINA’S DATA PRIVACY LAW

Similar to “controllers” under the EU’s GDPR, data handlers must have a “clear and reasonable purpose” for collecting personal information, and are required to limit the scope of collection to the smallest amount required to achieve that purpose. Additionally, data must be retained for the shortest period necessary to achieve the established purpose.

Data handlers are also required to take measures to ensure their compliance with the law and safeguard the personal information they handle, including:

  1. Developing internal management structures and operating rules;
  2. Categorizing and managing personal information;
  3. Adopting technical security measures such as encryption and de-identification;
  4. Reasonably determining operational limits for personal information handling;
  5. Regularly conducting security education and training for employees;
  6. Developing personal information security incident response plans;
  7. Auditing their personal information handling and compliance.

Data handlers operating outside of China are also required to establish a representative within China which is responsible for matters relating to data handling. This is similar to the requirement in the GDPR for US companies to establish a representative in the EU to handle GDPR-related responsibilities.

CONSUMER RIGHTS UNDER CHINA’S DATA PRIVACY LAW

China’s data privacy law provides Chinese citizens with the right to be informed of and make decisions about the collection, processing, and retention of their personal information. Data handlers are required to obtain explicit, voluntary consent from the individual “under the precondition of full knowledge” prior to handling personal information. 

For the purposes of obtaining consent, individuals must be notified of the following information, both at the time of collection and any time the information changes:

  • The name and contact information of any person or entity which handles their personal information
  • The purpose and methods of the data handling
  • What categories of personal information are being handled
  • The retention period of the collected information
  • Methods and procedures for individuals to exercise their rights under the law

If the purpose or method of data handling changes, or if there is a change in the scope of the data which is collected, the individual’s consent must be obtained under the new conditions. Individuals also must be provided with “convenient” means to withdraw their consent.

Individuals additionally have the right to:

  • Ask data handlers to explain personal information handling rules
  • Copy or review their personal information
  • Request correction of data which is incorrect or incomplete
  • Transfer their personal information to another data handler

The law sets more stringent requirements on the handling of personal information which is classified as “sensitive.” Sensitive personal information includes biometric data, financial account data, information related to medical health or religious belief, and the personal information of minors under the age of 14.

WHAT’S NEXT UNDER CHINA’S DATA PRIVACY LAW

Businesses which operate within China or handle the data of Chinese residents should review their existing data protection strategies and data collection procedures to ensure that they’re in compliance with the law. However, while the new law addresses broad requirements for businesses, the government will refine the application of the law through regulation, guidance, and enforcement practices in the future, so keep an eye out for future updates.

Are you wondering how China’s data privacy law will affect your business? Do you need guidance on your general data security practices? Contact us for a free consultation to see if Gazelle Consulting’s customized compliance services are right for you.
