On August 20, 2021, China passed a data privacy law to protect the personal data of people within China’s borders. The law is called the Personal Information Protection Law of the People's Republic of China, or PIPL, and is now fully in effect.
A brief overview of PIPL
According to the requirements of the law, companies will need to follow stricter procedures to protect user data. PIPL can apply to companies both inside and outside of China, depending on how those companies handle data of people within Chinese borders.
Similar to the European General Data Protection Regulation (GDPR), China’s PIPL requires special handling of data if it is transferred out of China. Companies also need to assign a person in charge of data protection.
The company’s assigned data handler must perform regular audits to ensure the company continues to follow all the guidelines in PIPL. The penalties for violations of PIPL can be severe, sometimes even leading up to prison time.
PIPL only regulates data of a personally identifiable nature, not anonymized data collection.
In addition to PIPL, China has also implemented the China Cybersecurity Law (CSL) and the Data Security Law (DSL). Together, these three laws require that companies control data throughout its entire life cycle.
Key points of PIPL
PIPL is extensive, but here are the most important points for your company to consider:
Personal Information Processor
Every company requires a Personal Information Processor: the person or organization that determines the purpose of the data processing and how that data is processed.
When does PIPL apply?
As per Article 3 of the law, PIPL applies when one of the following three points is true:
- The purpose of the company and data collection is to provide products or services to people in China
- Whenever analyzing or assessing the activities of people in China
- Where specified or applicable in other laws or regulations
What constitutes personal information?
All types of information, whether recorded digitally or otherwise (such as on paper), that relate to identifiable natural persons in China are deemed personal information.
The handling of the information includes:
- Collection of data
- Storage of data
- Use of data
- Data processing
- Data deletion
- Data disclosure
When can personal data be collected under PIPL?
As per Article 6 of the law, you must have a “clear and reasonable purpose” for handling personal data of people in China. The data handling must be done using a method that has the “smallest influence” on the person’s individual rights and interests.
Collecting more than the necessary data is forbidden.
More specifically, personal data can only be handled if at least one of the following seven conditions is met:
- When the user has given specific consent
- If the data is necessary to fulfill a contract where the person is an interested party; when required for HR management as per existing labor regulations
- If the data is required to perform statutory duties
- Under emergency conditions to protect someone’s property, or when required to deal with “sudden public health incidents” or to protect people’s health
- Activities in the “public interest” such as news reporting or supervising public opinion
- When the information is disclosed by the person themselves or “otherwise lawfully disclosed”
- As required by other laws or regulations.
Where are the points of major impact for companies needing to adhere to PIPL?
Data collection in apps
Apps and WeChat mini-programs already collect personal data such as email addresses, telephone numbers, birth dates, and location. These practices will need to be reevaluated.
Companies will need to check:
- If this data collection is strictly necessary
- If they have the user’s consent to collect this data, or if it is legal to collect it according to the 7 points discussed above under “When can personal data be collected under PIPL?”
Companies will need to perform a thorough analysis of how the data of Chinese persons is handled after it is collected, ensure it is securely stored, and ensure it is not transferred to foreign governments except as allowed for in PIPL, CSL, and DSL.
Large-scale platforms have additional obligations
If you collect personal data on a large scale, you will need to establish a compliance system, provide social-responsibility reports on data handling, and implement an external body to monitor personal information protection. The external body must be independent of your company.
If your company is a “critical information infrastructure operator” (CIIO), or it processes very large amounts of data, it must adhere to data localization requirements.
The PIPL requirements also apply to companies outside of China if they:
- Provide products and/or services to China, or
- Process vital data of people in China, or
- Analyze individual behavior of people in China.
If you wish to transfer data of China residents outside of China’s borders, you will need to obtain consent. To do this, you must either register the transfer with the Chinese government, or complete a data handling assessment that has been validated by an external, independent party.
You must also implement all necessary security measures to prevent access to the transferred data by foreign governments.
What are the technical implications of complying with PIPL?
A number of technical challenges present themselves when implementing PIPL compliance in your company. If you have previously built in safeguards and compliance for Europe’s GDPR, much of the heavy lifting will already be done. But PIPL is not the GDPR, so you will need to evaluate each of your data processing points for China specifically to ensure that you are fully in compliance with China’s regulations.
Standalone infrastructure in China for foreign companies
If your company deals with personal data that has been generated as part of the critical information infrastructure, or if it deals in particularly large amounts of data, then that data must be stored inside of China (“Data Localization”). This means that companies must now consider investing in, or building, an infrastructure within China’s borders to remain compliant with PIPL.
It is possible to avoid this localization requirement if your company passes a security assessment by the Cyberspace Administration of China. There is currently no publicized guide to pass such an assessment, so we recommend going the route of investing in that localized infrastructure.
Article 24 of PIPL states that users have the right to refuse being automatically targeted in server-push mechanisms or commercial sales based on their personal characteristics. In other words, there must be an “opt-out” from the collection of profiling data, which is most often used for advertising purposes.
The law also stipulates that automated decision-making must be transparent and fair. Your company will need to implement technology to provide users with all the required information to show how automated decisions were made regarding them. Extra effort will also be needed to ensure that automated decision-making algorithms don’t act unjustly. That means companies will need to invest more thoroughly in bug-testing and also provide a quick-response feedback mechanism for users to tell your company about any automated decision that they might disagree with.
Similar to Europe’s GDPR, users in China now have the right to request information from your company to know what data is stored about them. They also have the right to request the deletion of their data. Companies that have implemented GDPR features for this will be at an advantage, but it’s important to remember that these are not the same regimes. Your company will need to evaluate PIPL directly and then ensure that the necessary code and procedures exist to fully comply with PIPL data requests.
Data encryption and separation
To minimize the impact of any potential data breach, you should consider:
- Data encryption
- Data separation
It is rare that employees or departments need access to all the data for a particular person. Separating data into different databases or files will minimize the potential for large-scale breaches.
Highly sensitive data should always be encrypted, and your IT department should consider the best strategy to achieve this. Factors to consider for data encryption include:
- Read/write speed
- Cryptographic algorithm strength and speed
- Password policies
- Security certificate policies
Facial recognition and fingerprints
This is an extremely important aspect of China’s PIPL, going back to July 27, 2021, when the Supreme People’s Court published its understanding of facial recognition technology and the connection of that technology to processing personal information.
The key technical points that you must consider are:
- Maintaining a separate consent button or interface for facial recognition. Users should opt-in or out of facial recognition on its own and not bundled with other privacy settings.
- Privacy notices for facial recognition also need to be maintained separately.
- Your company must provide an alternative authentication option in addition to facial recognition. Users must be allowed to choose if they want to use facial recognition to authenticate themselves or some other technology.
The same rules apply to fingerprint detection.
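As an added illustration (not code from the original article or from GoClick China), the following Python sketch models the three points above as a consent record: biometric consent is stored under its own notice and is never granted by a general “accept all”, withdrawal is per purpose, and the authentication menu always keeps a non-biometric option. All names are hypothetical.

```python
"""Added illustration of unbundled biometric consent (hypothetical code).

Biometric purposes (facial recognition, fingerprint) carry their own
notice and their own grant; a general "accept all" never covers them,
and the authentication menu always keeps a non-biometric option.
"""
from dataclasses import dataclass, field

BIOMETRIC_PURPOSES = {"facial_recognition", "fingerprint"}
GENERAL_PURPOSES = {"analytics", "marketing"}


@dataclass(frozen=True)
class PrivacyNotice:
    version: str
    scope: str  # "general" or "biometric": each scope has its own notice text


@dataclass
class ConsentRecord:
    # purpose -> version of the notice the user accepted for that purpose
    granted: dict = field(default_factory=dict)

    def accept_all(self, notice: PrivacyNotice) -> None:
        """The general 'accept all' control covers general purposes only."""
        if notice.scope != "general":
            raise ValueError("accept-all applies to the general notice only")
        for purpose in GENERAL_PURPOSES:
            self.granted[purpose] = notice.version

    def grant_biometric(self, purpose: str, notice: PrivacyNotice) -> None:
        """Biometric consent is opt-in per purpose under the biometric notice."""
        if purpose not in BIOMETRIC_PURPOSES:
            raise ValueError(f"{purpose} is not a biometric purpose")
        if notice.scope != "biometric":
            raise ValueError("biometric consent needs the separate biometric notice")
        self.granted[purpose] = notice.version

    def withdraw(self, purpose: str) -> None:
        """Opt-out removes one grant only; other purposes are untouched."""
        self.granted.pop(purpose, None)

    def allows(self, purpose: str) -> bool:
        return purpose in self.granted


def authentication_options(consent: ConsentRecord) -> list:
    """Always offer a non-biometric method; add biometrics only with their own consent."""
    options = ["password_otp"]  # hypothetical non-biometric alternative
    options += sorted(p for p in BIOMETRIC_PURPOSES if consent.allows(p))
    return options
```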
How to start implementing PIPL compliance in your company?
The enormous technical burden of implementing PIPL in your company can be reduced by working with a China-based consulting firm that specializes in helping foreign and local businesses do business inside China.
The Chinese internet ecosystem is an intricate one. From the Great Firewall of China to choosing the right CDN, there is a lot to know to ensure your website continues to operate successfully within China’s borders. GoClick China has extensive experience in helping foreign and local companies succeed in China. We offer a comprehensive suite of services to help companies operate without friction in China.