On the 1st of November 2021, the Personal Information Protection Law (‘PIPL’) comes into force. It will set a new bar in China for privacy rights, obligations, security, and compliance.
Therefore, QPSOFTWARE has partnered up with TEKID to provide you with the following in-depth report which serves as an introduction to PIPL and its key concepts.
Indeed, TEKID’s legal and compliance experts have been designing, deploying and managing local and international regulatory compliance programs such as the Chinese Cyber Security Law, the European GDPR and cross-regional programs, as well as technical international standards such as ISO, SOC, SOX, PCI and more.
For further expertise on the matter, you can personally reach out to Maxime Oliva (Chief Executive Officer) at TEKID: https://www.linkedin.com/in/maximeoliva or contact them directly through their website: https://www.tek-id.com/
You can also register here to download their latest review about the Consumer Data Strategy under the new China Personal Information Protection Law done in collaboration with Fabernovel.
The PIPL is China’s new data protection law. It is the first Chinese law focusing exclusively on personal data (an omnibus law), setting ambitious goals and presenting many similarities with the European General Data Protection Regulation (‘GDPR’).
At its core, the PIPL’s goals are to increase individuals’ rights and enhance privacy, transparency, and accountability. It does this by determining how personal data of China residents must be handled, what permissions are needed, and how this data can be lawfully collected, processed, and protected. It also gives individuals more rights and control over what can and cannot be done with their data. The PIPL also gives regulators new powers to impose significant fines on organizations that breach the law.
Personal data is defined very broadly under the PIPL as any kind of data that relates to an identified or identifiable natural person, whether in electronic form or recorded otherwise. This ranges from classically understood personal data such as name, telephone number, address, ID number, etc., to less obvious personal data, such as data related to a person’s job, hair or eye color, style, opinions, comments, habits, likes and dislikes, cultural or social identity, itineraries, IP address, activity logs, etc.
Location tracking, being labelled as ‘sensitive personal data’, will present particular challenges for organizations and brands, as it will drastically reduce the extent to which they can, for example, track offline and online store visits for remarketing and retargeting purposes.
The PIPL applies broadly: to all organizations, of all sizes and all industries, which process personal data.
In legal terms, the PIPL applies to ‘Personal Data Handlers’ and ‘Personal Data Processors’.
More specifically, the PIPL applies to:
Put simply, the PIPL applies to any organization or business processing personal data of a China resident. This applies no matter where in the world your organization is based, or the size of your organization.
For the last few decades, Chinese laws have generally not included significant fines for breaches of privacy-related provisions. That will change dramatically under the PIPL. The maximum fine for serious infringements will be the greater of CNY 50 million or 5% of an organization’s annual revenue for the previous year. In addition, an organization can face confiscation of illegal gains, suspension of related activities or even suspension or revocation of its business license and/or business permit.
A notable additional risk: any person in charge or directly liable for the breach may also be fined up to CNY 1 million and may also be barred from serving as director, supervisor, senior officer or data protection officer for a certain period.
In short, the PIPL shapes the responsibilities for the Personal Data Handlers and what they are accountable for. The Personal Data Handlers must demonstrate that personal data is:
The PIPL requires Personal Data Processors to adopt necessary measures to ensure the security of personal data in accordance with relevant laws and regulations, and to assist personal information handlers in fulfilling their obligations under this law.
Their personal data processing activities must be supervised by the Personal Data Handlers entrusting them with such processing.
It means that at least one of the following ‘legal bases’ must be valid or obtained:
‘Legitimate interests’, a legal basis available under the GDPR, does not exist under the PIPL.
In other words, you cannot process personal data simply because you want to. Instead, you must be able to point to a ‘legal basis’ for processing.
One of the core features of the PIPL: the bar for valid consent is significantly raised. Consent must be:
As to marketing communications: the PIPL marks a clear and significant shift from opt-out to opt-in: prior consent will be required. Unlike in Europe, organizations in China cannot invoke legitimate interests (i.e., not requiring consent) as a legal basis for collecting personal data for marketing purposes. Moreover, even where consent has been given, if push marketing or sales is based on automated decision-making, individuals must have the option to refuse it (opt-out). This will tremendously affect the creation and push of personalized content and ads, which individuals will have the right to refuse.
Clearly, in line with a rebalancing of powers between organizations and individuals, these rights are significantly increased and expanded:
Organizations already compliant with the GDPR will have an advantage, as adaptation to the PIPL, as far as individuals’ rights are concerned, will be made much easier. For the others, the gap may present difficult and important challenges (whether organizational, operational or technical).
The PIPL strictly regulates transfers of personal data of China residents to destinations outside China. In line with the Cyber Security Law and the Data Security Law, the PIPL requires that Critical Information Infrastructure operators (‘CIIOs’), as well as any other Personal Data Handler who processes personal data that reaches a certain volume (which the PIPL does not specify, but which will be later defined by the CAC), must:
Otherwise, and in any case, Personal Data Handlers must meet at least one of the following conditions before transferring personal data out of China:
Cross-border transfer prerequisites for personal data may well prove to be a particular pain point for MNCs operating in China, as many still generally rely on such transfers for processing (and more particularly analysis) abroad. Organizations will need to work (i) either on localizing personal data processing, or (ii) toward compliance with the above requirements. Quickly.
No surprise there: the requirements are, at the same time, those that have become classics under the CSL and, more recently, the Data Security Law, and those we already know under the GDPR, with a China ‘twist’.
Personal Data Handlers and Personal Data Processors must implement technical and organizational measures to ensure the level of security commensurate to potential risks, purpose of processing, categories of personal data processed, etc., including: