The new Personal Information Protection Law (PIPL) has entered into force in China. The law imposes heightened compliance obligations for companies collecting and processing personal information within China, even for those already GDPR compliant.
China’s first dedicated personal information law, the Personal Information Protection Law (PIPL), entered into force on November 1st, 2021. The PIPL stands alongside the Cybersecurity Law (CSL) and the Data Security Law (DSL), the two other major legal frameworks covering China’s cyberspace governance.
“The PIPL’s extraterritorial reach applies to processing personal information in order to provide products and/or services to natural persons in China, to analysing or evaluating the behaviour of natural persons in China, or other purposes to be specified by laws or administrative regulations. Companies are advised to pay attention to the PIPL requirements even when already GDPR compliant”, says Hannes Kankaanpää, Kolster’s Associate Partner, Legal Counsel.
Consent as one of the main foundations for processing personal information
Under the PIPL, consent is one of the major bases for processing personal data. As opposed to the GDPR, “legitimate interest” of the data controller is not among the list of grounds for collecting and processing personal data.
“The PIPL puts pressure on consent management proceedings. Under the GDPR, legitimate interest may entail situations such as a client or service relationship. The PIPL does not directly allow for this option, as you may not always have a contractual relationship with the data subject that is the basis for processing”, Kankaanpää says.
Another noteworthy difference is the separate consent required under the PIPL for activities such as sharing personal data with other processing entities, public disclosure of personal data, and transfer of personal data outside of China.
Data localisation required in certain cases
Critical Information Infrastructure Operators (CIIOs) and entities processing large amounts of personal information are required to process and store the data locally in China.
Industries such as finance, health and nuclear power, as well as companies with a business need to transfer large amounts of data and information regularly, will likely be subject to strict procedures: they are required to carry out a risk analysis and must report periodically to the relevant authorities so that the risks of cross-border transmission are understood. A mandatory external compliance audit may also be required.
A regular personal information processor sending information cross-border may have to follow the same rules in risk analysis and reporting if the volume or importance of the data reaches a certain level.
“The specific threshold is yet to be laid down by the local state cyberspace administration. At one point, the threshold was stated to be 500 000 Chinese data subjects. Additionally, a limit in relation to the size of the processed data has been proposed”, Kankaanpää says.
Compliance requirements for data controllers
The PIPL requires designating a representative in China for personal information protection related matters and providing the relevant authorities with their names and contact details.
“As opposed to the GDPR, there don’t seem to be exceptions when processing is occasional, does not include specific categories of personal data and isn’t likely to cause a risk to the rights and freedoms of data subjects”, Kankaanpää says.
Under the PIPL, the requirements for a personal information impact assessment differ from those of the GDPR. The assessment sets out a list of high-risk scenarios together with proportionate protective measures, i.e., how the data is protected in each risky scenario.
Legal liabilities based on the annual revenue
Even though much is left to the authorities’ enforcement practice when imposing fines, the sanctions for violating the PIPL are not to be ignored.
“We’ve already witnessed quite high fines under the GDPR: the sanctions are a maximum of 10 million euros or 2 percent of global turnover. Violating the PIPL can lead to a maximum of 5 percent of the annual turnover. It hasn’t yet been specified whether in China or globally”, Kankaanpää says.
Additionally, the PIPL provides a wide array of sanctions of a different nature, ranging from the social credit system and its related implications, to revocation of business licences, and tort-based damages, i.e., compensating a third party for damage caused by a data breach.
“Time and application practice will tell us more about how the whole system will be applied and what the sanction levels will look like.”