How China’s Information Protection Law Affects Businesses
Experts Deconstruct New Law for Global Firms Operating in China
On Nov. 1, the People’s Republic of China’s first-ever personal information protection law, or PIPL, will come into effect. The PIPL, in conjunction with the Cybersecurity Law 2017 and the recently passed Data Security Law 2021, will define the overall cybersecurity and data protection posture of the country and govern the way global organizations operating in China collect, process and share Chinese citizen data.
PIPL is a comprehensive set of regulations that changes the way global companies do business with China. Experts say that CIOs, CISOs and DPOs of organizations should prepare their IT systems, make necessary changes in governance mechanisms and assess compliance costs, and design an achievable planned approach to meet the new compliance requirements by Nov. 1.
What Are the Mandates?
PIPL mandates that information processors - any entity collecting and processing information of Chinese citizens - conduct personal information protection impact assessments and retain the records for at least three years.
An organization, it says, can process personal information of Chinese citizens only under the following circumstances:
- The individual whose information is being processed has consented to it;
- A contract to which the individual is a party requires the processing, or the processing is needed for human resource management;
- The processing is necessary to fulfill statutory obligations;
- The processing is needed to respond to a public health emergency or a threat to life or property;
- The processing is for news reporting or other public-interest purposes;
- The information is processed within a reasonable scope as defined by the law.
The primary difference between the existing Chinese Cybersecurity Law 2017 and PIPL is that the former only takes consent as the legal basis for information processing, while the latter includes all the above circumstances.
Do note that personal data in Chinese law has a broader definition, compared to Europe's General Data Protection Regulation. While PIPL identifies an individual’s biometric data, religious beliefs, medical health, financial accounts and location data as personal information, the GDPR only includes identifiable information such as full name, address, email, identification number and location data.
Guidelines for Cross-Border Data Transfer
According to Article 38 of the PIPL, organizations transferring personal information of Chinese citizens outside the territory of the People’s Republic of China should meet at least one of four conditions:
- A prior security assessment has been carried out by China's cyberspace administration;
- A personal information protection certificate has been issued by a specialized institution as defined by the national cyberspace administration;
- A contract formulated by the national cyberspace administration around rights and obligations has been signed by the overseas recipient;
- Other conditions set out in administrative regulations by the national cyberspace administration have been met.
The PIPL will impede cross-border data transfers, including those made to corporate parents and affiliates, Lester Ross, partner-in-charge of the Beijing office at U.S. law firm WilmerHale, tells Information Security Media Group.
Furthermore, global organizations will likely face additional pressure to procure domestic products and services, instead of buying foreign ones, particularly in industries designated as critical information infrastructure, he says.
Additionally, multinational companies will most likely have to start from scratch and establish an internal program to manage cross-border data transfers, Yan Luo, partner at Washington-based law firm Covington & Burling, says in a roundtable at the International Association of Privacy Professionals.
This could prove to be a challenge for not just global companies, but for Chinese firms as well, she adds.
Data localization and IT investments may also increase compliance costs, Jay Cline, principal at London-based accounting giant PwC and former chief privacy officer at hospitality and investment major Carlson, tells ISMG.
“Depending upon how the final PIPL rules are written and enforced, the implementation is likely to increase the break-even amount for when it makes sense for multinationals to invest in regional operations, compliance staff and infrastructure,” he says.
Ross’ prediction concurs with Cline’s statement.
“There will be pressure to store personal information within China, which will raise costs. This may include the need to establish a separate PI storage operation or otherwise handle PI-related matters within China,” he explains.
In addition to compliance costs, PIPL prescribes hefty penalties for companies and personnel violating the law.
Organizations that violate personal information processing guidelines or fail to take necessary security measures will face fines of up to RMB 1 million, or $154,781 as per current exchange rates.
For serious violations, the penalty increases to RMB 50 million - or $7,739,099 - or 5% of the previous year's business revenue, whichever is higher, in addition to a suspension of the business.
Cline says that while the European Union’s GDPR and China’s PIPL impose similar penalties for serious violations, what really matters to boards is the likelihood of organizations facing the heaviest fines.
PIPL not only penalizes companies flouting data protection regulations; it also holds individuals accountable for failing to protect the data.
According to Article 66 of the PIPL, the supervisor or other personnel responsible for safeguarding data may face a fine of RMB 10,000-100,000, or $1,547-$15,478.
"If the fining structure embedded in PIPL doesn't get the board's attention, its personal liability for their executive teams should. While criminal liability for privacy violations isn't unique worldwide, they've been rare," says Cline.
PIPL's first year of enforcement will set the tone going forward, he notes.
The data localization requirement of the PIPL will affect the IT infrastructure of an organization, especially when it involves cross-border data transfers, Kevin Song, head of security and privacy compliance at Xiaomi, says at the IAPP roundtable.
Article 40 of the PIPL mandates that all personal information of Chinese nationals must be stored in the country. According to Song, data stored and transferred by multinational companies on Chinese soil - whether in a public cloud or an on-premises data center - will still be considered a cross-border data transfer.
“Companies need to know exactly what data is being collected, particularly data from mobile apps. The company’s compliance officer must also define policies for data retention and backup and recovery,” he says.
Meeting compliance guidelines for software development kits will be tricky, Jacobo Esquenazi Franco, global privacy strategist and DPO for European Union at technology company HP, tells ISMG.
“This is because there is data being collected and in some cases transferred where you don't have control. The application might be collecting and transferring data for another controller without consent or a legal basis, and that can lead to violations,” he says.
Song recommends that companies conduct careful inspection of third-party SDKs and design a privacy interface. This, he explains, will protect user rights and make the data life cycle transparent to them.
Road Map to PIPL Compliance
Outlining immediate steps that multinationals must take, Luo of Covington & Burling says at the IAPP roundtable that companies should begin the process by updating their internal and external policies, and determine a mechanism to get consent for data processing.
The next steps, she says, would include updating vendor management policies, setting up a mechanism to respond to data subject requests, and ensuring that data retention policies are compliant with the PIPL.
From a technical standpoint, organizations must first focus on data localization and migrating Chinese citizens’ data back to China, Song adds. Additionally, publishing a transparency report to reassure consumers that their data resides in China and is stored in accordance with PIPL regulations would help, he says.
The three most important principles that IT leaders of multinationals need to bear in mind, according to Ross, are: seeking consent from individuals to collect and process personal information, anonymizing before exporting, and drawing contracts to govern relationships with PI custodians and processors, security consultants and overseas transferees.
“A risk evaluation would therefore be required for processing personal sensitive information, PI-enabled automated decision-making, third-party data sharing, and cross-border data transfers,” he adds.