A Practical Take on China’s New Personal Information Protection Law
By Art Dicker, Leslie Kong, and Robin Tabbers
For over a decade, we have written client alerts on data privacy in China starting with the sentence: China does not have a comprehensive set of data privacy laws. Well, that is finally no longer the case. There are now three foundational laws which make up a data regulatory framework – the 2017 Cybersecurity Law, which primarily governs network security; the Data Security Law (see our earlier article), passed in June and effective 1 September, focusing on national security and non-personal data; and the most recent Personal Information Protection Law (PIPL), passed 21 August and effective 1 November, addressing personal information protection in a manner more akin to Europe’s GDPR (General Data Protection Regulation).
Practical Compliance Steps
You may be familiar with some of the key provisions of the PIPL already, which we summarize in the annex to this article. But what steps do you actually need to take now to get ready? To put your best compliance foot forward, we recommend that you:
- Review and revise your current privacy policy for external users, as well as your employment contract, handbook and other employment-related policies.
  - Transparency is the key principle that should be reflected across your policies.
  - Even before the PIPL, this was the trend we saw with specific data privacy regulations, for example for mobile phone applications, which require clear and detailed explanations at every step of how data is to be used.
- Incorporate specific, separate consents upon customer intake, done either via separate pop-up windows or via one interface with multiple check-the-box buttons.
  - The latter option can be a more user-friendly way to still obtain multiple separate consents, for example on use, transfer to a third party, or export.
  - Also remember that not all transfers to third parties require consent, for example where the transfer is to an outsourced “entrusted party” processing the information on behalf of your company (as opposed to for themselves) and there is a data processing agreement in place with them.
  - In these cases, you may not need to list them for purposes of obtaining a separate consent from the user.
- Incorporate similar specific, separate consents for employee onboarding, either online via check-the-box buttons or offline via one-page stand-alone consent forms.
  - Also mirror the same language in your employee handbook or other employee policy directly, as an argument that processing the information is necessary and covered under employee work rules no matter what (for which consent is not required in the first place, so it cannot be withdrawn!).
  - Amending the employee handbook will require consultation with and de facto approval by employees, so it is best done in tandem with other changes you have been meaning to make anyway.
- Develop an internal management system with internal controls, including:
  - Individual information that is easy to locate and remove when consent is withdrawn, or to copy or correct on request.
  - A system robust enough to keep working when data is removed or when users reject automated decisions.
  - Data access limited to people with access privileges, with fields separated or masked in the database for everyone else (e.g. someone providing routine technical support does not need to see all of a customer’s personal payment/billing information).
  - Retention policies limited to what is necessary to perform the service.
  - A system to secure data (using encryption, de-identification, etc.) and to respond to data breaches.
  - Adequate training of staff to properly identify and inventory different types of data on the front end and to be able to respond to data breaches.
  - A central hub to implement all of this. Remember that many policies are written by lawyers but break down when they get to IT implementation and business operations.
- Contracts incorporating the PIPL’s necessary terms with data transferees (including internally with affiliates).
  - We expect model or “standard” terms will be available from the CAC on or around the time the new law takes effect on 1 November.
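As an added illustration of the separate-consent and withdrawal rules in the steps above (example code written for this article, not a system the authors, the CAC or any vendor provide), the following Python sketch keeps one consent per individual and per purpose, records withdrawals with an audit trail, and lets processing that rests on a non-consent basis (contract necessity, employee work rules, statute) or on an entrusted-processor agreement proceed without a separate consent. The purpose and basis labels are assumptions chosen for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Purposes the article says need their own separate consent (labels are assumptions).
SEPARATE_CONSENT_PURPOSES = {"use", "third_party_transfer", "overseas_export", "sensitive"}
# Lawful bases the article describes as not resting on consent at all, so a
# withdrawal of consent does not affect them (labels are assumptions).
NON_CONSENT_BASES = {"contract_necessity", "employee_work_rules", "statutory_obligation"}


@dataclass
class ConsentLedger:
    """Per-individual, per-purpose consent state with an append-only history."""
    state: dict = field(default_factory=dict)    # (subject_id, purpose) -> bool
    history: list = field(default_factory=list)  # (timestamp, subject_id, purpose, action)

    def _record(self, subject_id, purpose, granted):
        if purpose not in SEPARATE_CONSENT_PURPOSES:
            raise ValueError(f"unknown consent purpose: {purpose}")
        self.state[(subject_id, purpose)] = granted
        self.history.append((datetime.now(timezone.utc), subject_id, purpose,
                             "grant" if granted else "withdraw"))

    def grant(self, subject_id, purpose):
        self._record(subject_id, purpose, True)

    def withdraw(self, subject_id, purpose):
        self._record(subject_id, purpose, False)

    def may_process(self, subject_id, purpose, basis="consent", entrusted_with_dpa=False):
        """Decide whether one processing step may go ahead for this individual."""
        if basis in NON_CONSENT_BASES:
            return True  # not consent-based, so nothing to withdraw
        if purpose == "third_party_transfer" and entrusted_with_dpa:
            return True  # entrusted processor under a data processing agreement
        return self.state.get((subject_id, purpose), False)  # needs a live consent


def demo():
    """Constructed walk-through: a customer consents to 'use' only, then withdraws."""
    ledger = ConsentLedger()
    ledger.grant("cust-001", "use")
    a = ledger.may_process("cust-001", "third_party_transfer")  # no separate consent
    b = ledger.may_process("cust-001", "third_party_transfer", entrusted_with_dpa=True)
    ledger.withdraw("cust-001", "use")
    c = ledger.may_process("cust-001", "use")  # consent withdrawn
    d = ledger.may_process("emp-042", "use", basis="employee_work_rules")  # HR basis
    return a, b, c, d
```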
Realistically, most (especially small and medium-sized) companies will not have everything in place on 1 November. Remember that the primary regulator here, the Cybersecurity Administration of China (CAC), is an overstretched regulatory agency at the moment and will not be knocking on your door during the first month after the law takes effect. The key here will be to make a good faith effort towards building a compliance system as soon as practicable, not as soon as possible.
As you are not likely to be randomly audited by government authorities, any inquiries into your compliance system will instead be as a result of a complaint by a disgruntled customer or employee with another agenda to settle – just as we see play out in so many other compliance domains.
Finally, bear in mind that as with all major pieces of legislation in China, a lot of the specific details for how to fully comply are yet to come in the form of implementing rules to be issued in the next year and beyond. We will continue to follow the rollout of these implementing rules and keep you informed with timely client alerts.
Art Dicker and Robin Tabbers, together with the Compliance Team of R&P China Lawyers, frequently advise international companies collecting or handling data on their data compliance risks in China. Feel free to contact the authors if you wish to assess or lower your company’s compliance risks.
Annex
PIPL Key Requirements
The key requirements of the PIPL are:
- Handling personal information generally
  - You must obtain consent from the individual (and again if the purpose/use changes).
  - Consent is not needed if handling the personal information is necessary to fulfill a contract with the individual.
  - Human resource activities are permitted without additional consent so long as the activities are contemplated in the employee’s labor contract or other rules such as the employee handbook.
  - Consent is not needed to fulfill certain statutory obligations.
  - An individual can later withdraw consent for any further handling of their data.
  - An individual can opt out of/reject the result of any automated decision-making process.
  - An individual can request a copy of, and correct, any of his or her personal information.
  - You need a local company or representative who is responsible (as point of contact for handling complaints, etc.).
- Transfer of data to a third party
  - A separate consent (e.g. a pop-up window) will be required from the individual for transfers of personal information to third parties.
  - The individual must first be informed of who the third-party recipient is, how and for what purpose they are handling the information, their contact information, and the rights of the individual vis-à-vis you and the third party.
  - A contract between you and the third party (including between your China entity and your headquarters or other affiliated companies) will be required, incorporating the obligations of the PIPL.
  - For outsourced companies which are entrusted to process data for your benefit (and not their own or someone else’s), you may not need consent for such third-party transfers so long as you have a data processing agreement in place with them.
- Overseas transfer of data
  - A separate consent (e.g. a pop-up window) will be required from the individual.
  - A contract between you and the third party will be required, with standard terms incorporated from a model contract to be published by the Cybersecurity Administration of China (CAC).
  - Note there are other options to permit overseas transfers, such as passing a security assessment or obtaining certification by the CAC, but most companies will choose the first (contract) alternative.
- Storage in China in some circumstances
  - Data must be stored in China if the company is a:
    - Critical information infrastructure operator (CIIO; generally large entities in industries such as transportation, telecommunications, energy, finance, and other national security related industries), OR
    - Company handling a certain “amount” of data (not yet defined under the law).
  - At a minimum, this is not likely to apply to most small and medium-sized enterprises engaged in non-data-intensive businesses.
- Handling sensitive information
  - A separate consent (e.g. a pop-up window) will be required from the individual for handling sensitive personal information:
    - Biometric
    - Religious/ethnic
    - Medical/health
    - Financial (such as bank/payment information)
    - Location (tracking)
- Limited purpose, access, retention time
  - Handling of personal data must be done for a limited purpose, and a user cannot be denied service for refusing to provide information which is not necessary to perform the service being offered.
  - Access must be limited to those with a need to handle the information, and access only given to the information they need to perform their task.
  - Remote access also needs to be restricted to avoid any risk of the data being considered transferred out of the country without consent.
  - Retention time must be the minimum necessary.
  - A company must set up internal management procedures to comply with these and other PIPL requirements, as well as implement security measures to secure information (such as encryption).