As part of the country's growing scrutiny over the tech sector, China enacted on August 21 a sprawling and comprehensive data privacy law, the Personal Information Protection Law (PIPL), which goes into effect on November 1, 2021. In combination with China's newly enacted and still little-understood Data Protection Law, which goes into effect on September 1, 2021, this law promises to impose a host of new data privacy, security, and protective obligations on all US and global companies doing business in China.
These significant laws fit into China's broad "informatisation policy," which Chinese President Xi Jinping has described as the modern equivalent of industrialisation. However, the data protection law comes closer to serving more as a cybersecurity law than the PIPL. In his efforts to boost China to" cyber superpower" status, President Xi has famously said that "cybersecurity and informatisation are two wings of one body, and two wheels of one engine."
Both national security and the public interest come into play
Modeled in part on the EU's stringent and pace-setting General Data Protection Regulation (GPDR), PIPL creates a legal regime for all data from both the perspectives of national security and the public interest. It aims to achieve four objectives:
- Protect the rights and interests of individuals
- Regulate personal information processing activities
- Safeguard the lawful and "orderly flow" of data
- Facilitate reasonable use of personal information
Its focus on national security departs from Western privacy frameworks such as the GDPR and California's Consumer Privacy Act (CCPA). The PIPL further differs from these two forms of data privacy by containing provisions addressing China's digital sovereignty. These provisions aim to limit the ability of overseas entities to infringe on Chinese citizens' rights and constrain the danger to the country's national security.
Organisations handling Chinese citizens' data must meet conditions
The PIPL states that "personal information processors," namely any organisation handling the personal data of Chinese citizens, may handle that information only if the processor meets one of the following conditions:
- The processor obtains personal consent
- The information is necessary for the conclusion and performance of a contract in which the individual is a party or necessary for the implementation of human resource management by following the labor rules and regulations established under the law and the collective contract signed per the law.
- The information is necessary to perform statutory duties or statutory obligations.
- The information is necessary to respond to public health emergencies or to protect the life, health, and property safety of natural persons in an emergency.
- The information is necessary to carry out news reports, public opinion supervision, and other acts for the public interest, and handle personal information within a reasonable range.
- Processing personal information disclosed by individuals or other legally disclosed personal information within a reasonable scope is conducted by following the provisions of this law.
- The information is processed under other circumstances stipulated by laws and administrative regulations.
The law emphasises that users must consent to allow their data to be processed, and users must be fully informed. Individuals are granted the right to withdraw their consent at any time. Moreover, information processors cannot withhold goods or services from individuals who refuse to allow their information to be processed or used.
How organisations can comply with PIPL is still unclear
How organisations doing business in China can comply with the PIPL's complex provisions is unclear because many regulatory proceedings that flesh out how compliance would work have yet to occur. "This is a very new law and quite complex, so US companies that have operations in China are only just now beginning to focus on this law and are trying to figure out how it will affect their operations," Judith Alison Lee, partner at Gibson Dunn and co-chair of the firm's International Trade Practice Group, tells CSO.
Moreover, although PIPL might go into effect in November, the fine print on how the law operates won't emerge until later when various Chinese ministries issue regulations, Rogier Creemers, China Digital Economy Fellow at New America and a postdoctoral scholar in Law and Governance of China at the University of Leiden's Van Vollenhoven Institute, tells CSO. "Many laws in China, such as the Personal Information Protection Law, work as framework laws," Creemers tells CSO.
"For instance, the new law creates a mandate for there to be a security review for the export of personal data. But the Cyberspace Administration of China, the regulator in this specific sector, is empowered to make those rules. So, until those specific rules come out, we don't know what's going to happen."
Cross-border flow of information and avoiding sanctions are top priorities
However, organisations that deal with any form of personal data in China can start prioritising the critical aspects of the law ahead of any further regulatory clarity. "The single most important provisions are going to be those that deal with the cross-border flow of personal information. Those are going to be crucial," Creemers says.
"My practice is focused on OFAC [the Treasury Department's Office of Foreign Assets Control] sanctions, so one particular area of concern is whether this new law will impede the efforts of companies to ensure that they are in compliance with OFAC sanctions," Gibson Dunn's Lee says. "This usually involves 'screening' the personal information of customers, suppliers, employees, and business partners against a number of prohibited party lists.
"Sometimes, this screening function is performed outside of China. If companies violate OFAC sanctions, there can be really significant civil monetary penalties, so US companies are worried about being caught in the crossfire of the laws of the US and China, which can be conflicting."
Whatever shape the final law takes, it is clear that many international organisations may have to staff up to handle at least some of the law's provisions. For example, the law requires data handlers outside of China that process the personal information of Chinese citizens to establish a dedicated entity or appoint a representative within China to be responsible for matters related to their information processing.