7 September 2021
Having passed its third legislative review, the unified PRC legal framework for data protection, the PRC Personal Information Protection Law (“PIPL”), was finally promulgated and will take effect on November 1, 2021. We previously summarized the key highlights of the second review draft. Below we revisit where things stand on those highlights, as well as other issues that are highly relevant to international companies and warrant immediate action.
The previous draft of the PIPL surprised the business community with its harsh stance and very high penalties. The corporate-level penalties are in general kept intact under the final text, namely
The final text adds wording that allows the authorities to order the suspension of services provided by apps that violate the PIPL.
In terms of personal liability, the final text keeps the existing provision that the individuals concerned may be fined between RMB 100,000 and RMB 1 million, and further empowers the authorities to ban those individuals from serving as directors, supervisors, senior management members or DPO of a company for a specified period.
As explained before, criminal and civil liability may also be triggered separately, with the possibility of a class action being brought by the State (e.g. procuratorates), legally established consumer protection organizations, or other organizations endorsed by the Chinese government. Law enforcement agencies are not in a position to initiate such an action under the final text.
One particular point to be stressed, which has no counterpart under the GDPR but is highly relevant to doing business in China, is that the PIPL links a company’s compliance record to the so-called corporate social credit system (企业社会信用体系 in Chinese). Any violation of the PIPL will affect a company’s credit rating in that system, which in turn affects its access to business-related resources in China and may even result in loss of market access (e.g. disqualification from certain bidding projects, loss of “fast track” treatment during customs clearance, or intensified monitoring and inspection by Chinese authorities).
Apart from fine-tuning of the wording, the “long arm” provisions remain unchanged under the final PIPL and are in general similar to the GDPR’s. Article 3 of the PIPL stipulates that personal information processing activities conducted outside the PRC are also subject to the PIPL, as far as such activities
This principle will have considerable impact on international companies that deploy their IT infrastructure and functions globally. European head offices may have felt little of this “long arm” effect during their GDPR compliance exercises, where they could push compliance requirements down to their China subsidiaries. The PIPL turns this around: European head offices will now also need to screen all their data activities from a Chinese perspective to ensure compliance with the PIPL, even though they sit outside China. The same legal principle is adopted by other Chinese laws regulating other types of data, which means that, beyond privacy, all data activities of foreign head offices or affiliates must respect Chinese law. For example, Article 2 of the PRC Data Security Law, which took effect on September 1, 2021, stipulates that legal liability will be pursued where data processing activities conducted outside China harm the national security or public interest of the PRC. This legislative trend reflects China’s concern over so-called “data sovereignty”, which has become a new regulatory challenge for international business.
As a corollary of the “long arm” provision, the final text retains the statutory requirement (Article 53) that an offshore personal information processor appoint a dedicated agency or representative within the PRC to handle its data protection matters. The name and contact details of the onshore agency or representative must be filed with the competent PRC authorities.
The data export control provisions in general remain unchanged under the final PIPL. Personal information may be transferred out of China if the transfer satisfies one of the following
Compared with the legislative ambiguity and vagueness of earlier years, the above is a big step forward that will greatly facilitate cross-border data flows for international companies. Although not all details are available yet, this development at least gives companies a practical direction to follow. In particular, the new inclusion of item (v) above signals a very positive stance towards resolving the dilemma international companies face now that various jurisdictions are building border controls over data flows. Without international cooperation among the jurisdictions concerned, including both the EU and China, cross-border data transfer compliance would become a mission impossible for international business.
Particularities to be noted in this context under the final PIPL include
The above are new requirements to learn that may have no counterpart under the GDPR. They can become a major challenge for international companies when managing, for example, a compliance investigation initiated in their home country: abiding by home-country rules will likely result in a violation of Chinese law. This conflict has a strong political flavor and may become another “mission impossible” for international companies.
There is more that could be elaborated upon when comparing the final PIPL with its previous drafts. However, anyone familiar with the GDPR will find many similarities in the PIPL, such as the broad scope of personal information, the requirements on transparency and consent, and the more stringent requirements for processing sensitive personal information. This does not mean a company that has already completed its GDPR compliance exercise can save effort, but existing knowledge of the GDPR will certainly be a great help in understanding and catching up with the PIPL requirements.
Considering the very short time remaining before the PIPL takes effect on November 1, 2021, it is strongly recommended that all international companies operating in or dealing with China take the following actions immediately
Last but not least, the impact of the PIPL will become part of the future “new normal”, requiring continuous effort to manage. An important feature that differentiates the PIPL from the GDPR is its stance towards administrative power: on the one hand, it does not bind public authorities in the same way the GDPR does; on the other hand, it allows those authorities to play a more active role in privacy protection (e.g. data export control). Compliance with the PIPL (and with the other new laws) should therefore not be treated as a purely legal exercise. Different functions such as PR, GA and IT will all need to join forces to achieve the best results, particularly in the Chinese environment, in order to avoid risks not only at the corporate level but also at the personal level (i.e. management liability).