If you are in China, the State is lobbying to protect your personal information like it would its own!
The Standing Committee of the National People’s Congress of the People’s Republic of China ratified the long-awaited China Personal Information Protection Law (“PIPL”) with effect from November 1, 2021.
This law will primarily govern how corporations operating in the People’s Republic of China gather, utilize, handle, share, and transfer personal data. It establishes a strict, legally actionable framework for the sharing and transfer of data outside of China and strengthens the local data protection regime previously established under the China Cybersecurity Law (“CSL”) and other national laws.
China implements legal and technical measures for personal data protection and data security through a variety of laws, secondary regulations, and guidelines with enforceable compliance standards. The CSL is China’s first dedicated law for data security, combined with rules at numerous levels; at a macro level, the PIPL now serves as the bedrock of the country’s data protection regime. As the law develops, the PIPL may become the primary law that must be complied with for doing business in China, and this will cause a ripple effect on the data laws in India. The CSL only allows explicit agreement as a legal justification for sharing data outside of China, as it is also responsible for the national security interests embedded in personal data.
SCOPE AND JURISDICTION
PIPL is going to emerge as a comprehensive piece of legislation with international reach in data protection and acquisition, use, and dissemination of personal information about Chinese citizens. It is comparable to the EU’s General Data Protection Regulation (GDPR) and is made applicable to organisations that supply goods or services or even analyse or assess the activities of a person situated in China.
Even companies that have no presence in the country but process the personal data of Chinese residents to deliver products or services, or to assess or analyse the behaviour of Chinese residents, are subject to the provisions of the PIPL. Because its applicability is extraterritorial, companies looking to leave China will not be immune to the application of the PIPL. These organisations will have to appoint a representative or a liaison office in China to carry out the processes linked to the company’s personal data and to communicate with the relevant authorities as outlined under the PIPL.
On the other hand, a neighbouring country like India is still “catching up” on data laws. With data security becoming central to businesses, and with the need to balance the control that tech companies are beginning to have, India will have to come up with better implementation of data security.
FUNDAMENTALS
For Personal Information (“PI”) processing, the PIPL sets lawfulness, fairness, good faith, clarity, necessity, relevance, and transparency as the fundamental requirements. Personal Information Processors have to ensure completeness and accuracy, and processing requires:
- Unless exempt, consent of the user;
- No discrimination against a user who refuses consent, i.e. the processor may not refuse delivery of products or services on that ground;
- Internal security and compliance protocols and guidelines, mandatory for the processor, for maintaining the security of PI;
- Sensitive Personal Information (SPI) has additional notification and security requirements. Biometrics, religious convictions, individual identities, medical health, bank accounts, and locations, as well as the PI of minors under the age of 14, are all examples of SPI.
India too has detailed SPDI Rules, although the PIPL additionally contains guidance and rules on collecting facial recognition data in public spaces, processing the personal information of minors, and the duties of online platforms.
Moving along similar lines, the JPC committee report on India’s data protection law has also made a similar recommendation: personal and non-personal data are to be included in a single legislation, together with the regulation of social media platforms.
- In the event of a data breach, the PIPL places an additional obligation on the processor to notify the authorities and take remedial action for effective mitigation, without informing the user whether the steps taken would amount to effective mitigation against the breach.
However, the PIPL is silent on what would be considered remedial action and effective mitigation under it.
CROSS BORDER TRANSFER
- Data portability has received preferential status in the PIPL. International commercial contracts (entered into or consented to by China) are given priority for the movement of data. The “Overseer” under the PIPL is akin to the “Regulator” under the EU GDPR. The Overseer is responsible for protecting even unknown users with the same level of security as is extended to known users under the PIPL.
- Other cross-border transfer restrictions remain in the PIPL. PI Processors transferring personal data outside China have to pass a security evaluation equivalent to the level required of Critical Information Infrastructure Operators (CIIOs).
- Personal information collected by CIIOs has to be stored in China.
PENALTY AND LIABILITY
For breach, the PIPL applies harsh penalties, including administrative fines of up to RMB 50 M (approx. USD 7.7 M) or 5% of the processor’s previous year’s revenue.
Seizure of unlawful proceeds, suspension of operations for rectification, or cancellation of operating permits or business licences can also be imposed. The person-in-charge or any directly accountable person might face a fine of up to RMB 1 M (approx. USD 154,000). Such persons can also be barred from functioning as a director, supervisor, or personal information protection officer.
For allocating liability, the PIPL recognises infringement of the rights and interests in personal information as a tort. The burden of proof is on the defendant personal information processor in a civil action. If the violation affects a substantial number of people, the processor might also face civil or criminal complaints from consumer organisations, bodies approved by the Cyberspace Administration of China (“CAC”), and/or the prosecutor.
IMPLEMENTATION
The path to implementation involves:
- a full examination of Personal Information Processing activities through data mapping and gap analysis;
- establishing controls around the processing;
- reviewing the export of PI and identifying any use of Automated Decision-Making (“ADM”);
- mapping existing data security and breach notification protocols to the PIPL and identifying additions or changes;
- evaluating current records and processes pertaining to individual consent, and assessing whether additional consent is needed to export PI overseas, etc.; and
- maintaining vigil over new regulatory actions in cyber security and data protection.
The PIPL is a stringent piece of legislation that is specific to the requirements of China, while India’s proposed legislation, the Personal Data Protection (“PDP”) Bill, 2019, adopts a more liberal approach. Only monetary penalties apply to violations of the PDP Bill’s cross-border data transfer restrictions. On the other hand, legal liabilities under the PIPL are wide-ranging, including monetary penalties, suspension/termination of service provision, and much more. The PDP Bill takes a contrasting view in providing one-time approval for data transfer on completion of the mandatory security assessment, whereas the PIPL provides no clarity whatsoever on this point.
Although both legislations are based on the EU’s GDPR, there are subtle discrepancies between them that will affect global enterprises doing business in both countries.
Harmonisation of privacy policies and procedures, between jurisdictional requirements and matching global requirements, will still remain a challenge. The pandemic shrank the world; data woes would like to isolate it and, to a degree, make it hostile!
This is only for informational purposes. Nothing contained herein is, purports to be, or is intended as legal advice and you should seek legal advice before you act on any information or view expressed herein.
Every effort has been made to accurately reflect the subject matter of this alert, without any representation or warranty, express or implied, in any manner whatsoever in connection with its contents. This is not an attempt to solicit business in any manner.