Authors: Michael Tan (Partner), Julian Sun (Associate), Chao Xuan (Associate)

7 September 2021

Weaponized Chinese “GDPR” Now Launched

  • Briefing

After passing its third legislative review, the unified PRC legal framework for data protection, i.e., the PRC Personal Information Protection Law (“PIPL”), was finally promulgated and will take effect as of November 1, 2021. We summarized the key highlights of the second legislative review draft earlier. Below we revisit where we stand regarding these highlights, as well as other issues that are highly relevant to international companies and warrant immediate action.

1. Severe legal penalties remain unchanged

The previous draft of the PIPL surprised the business community by taking a very harsh stance and imposing very high penalties. In general, the punishment at the corporate level is kept intact under the final draft, namely:

  • an order to rectify, confiscation of illegal gains, and a warning; and
  • in serious cases, a fine of up to RMB fifty million or 5% of the previous year's turnover, plus suspension or even shutdown of business.

The final draft newly adds wording which allows the authorities to stop the services provided by any app which violates the PIPL.

In terms of personal liability, the final draft keeps the existing provision that the individuals concerned may be fined between RMB 100,000 and RMB one million, and further empowers the authorities to ban those individuals from taking up senior positions (e.g. director, supervisor, senior management member) or the role of DPO of a company for a specified period.

As explained before, criminal and civil liabilities may also be triggered separately, with the possibility of a class action being launched by the State (e.g. procuratorates), legally established consumer protection organizations or other organizations endorsed by the Chinese government. Law enforcement agencies are not in a position to initiate such an action under the final draft.

One particular point to be stressed – which does not exist under the GDPR but is highly relevant to business in the Chinese context – is that the PIPL will link a company's compliance record with the so-called corporate social credit system (企业社会信用体系 in Chinese). Any violation of the PIPL will affect a company's credit rating in the system, which in turn will affect the company's access to business-related resources in China and might even result in loss of market access (e.g. disqualification from certain bidding projects, loss of “fast track” treatment during customs clearance, or more intensive monitoring and checks by Chinese authorities).

2. You are caught both within and outside China

Apart from fine-tuning of the wording, the “long arm” provisions remain unchanged under the final draft PIPL and broadly mirror those of the GDPR. Article 3 of the PIPL stipulates that personal information processing activities conducted outside the PRC shall also be subject to the PIPL insofar as such activities

  • are for the purpose of providing goods or services to natural persons within the PRC,
  • are to analyze or assess behaviors of natural persons within the PRC, or
  • fall into other circumstances as stipulated by laws and regulations.

Such a principle will have a considerable impact on international companies which deploy their IT infrastructure and functions globally. The impact of a “long arm” provision is less felt by European head offices in their GDPR compliance exercises, where they can push certain compliance requirements down to their China subsidiaries. The PIPL turns this around: European head offices will now also need to screen all their data activities from a Chinese perspective to ensure compliance with the PIPL, even though they sit outside China. This legal principle is also adopted by other Chinese laws regulating other types of data, which means that – beyond the topic of privacy – all data activities of foreign head offices or affiliates must respect Chinese laws. For example, Article 2 of the PRC Data Security Law, which took effect as of September 1, 2021, stipulates that legal liability shall be pursued if data processing activities conducted outside China harm the national security or public interest of the PRC. This legislative trend reflects China's concern over so-called “data sovereignty”, which has become a new regulatory challenge for international business.

As a consequence of the “long arm” provision of the PIPL, the statutory requirement remains unchanged under the final draft (Article 53) that an offshore data processor shall appoint a dedicated agency or representative within the PRC to handle its data protection matters. The name and contact details of the onshore agency or representative shall be filed with the competent PRC authorities.

3. Transmitting data out of China shall follow “due process”

Data export control provisions in general remain unchanged under the final draft PIPL. Personal data may be transmitted out of China if the transmission satisfies one of the following:

  • successful security assessment as organized by regulators,
  • protection certification by a licensed agency,
  • having concluded standard sample clauses with the foreign recipient,
  • other legitimate basis under Chinese laws or as allowed by Chinese regulators, or
  • [newly added under final draft:] on the basis of international treaties concluded by China.

Compared with the legislative ambiguity and vagueness of earlier years, the above is a big step forward which will greatly facilitate the cross-border data flows of international companies. Although not all details are available yet, this development at least shows companies a practical direction to follow. In particular, the newly included last item (international treaties) shows a very positive stance towards resolving the current dilemma faced by international companies, given the legislative trend in various jurisdictions to build up border controls over data flows. Without international cooperation among the jurisdictions concerned, including both the EU and China, cross-border data transmission compliance will become a mission impossible for international business.

Particularities to be noted in this context under the final PIPL include:

  • a separate consent from data subject based on detailed disclosure about the export and recipient is required before respective data may leave China (Article 39);
  • any provision of personal data to a foreign law enforcement agency or to a foreign court shall require prior approval of the competent Chinese authorities (Article 41).

The above will be something new to learn, as it may not be required under the GDPR. It can become a big challenge for international companies when managing, for example, a compliance investigation initiated in their home countries. Abiding by home country rules will likely result in a violation of Chinese laws, which again has a very strong political flavor and may become another “mission impossible” for international companies.

4. Immediate actions to consider

There is more that could be elaborated upon when comparing the final draft PIPL with its previous drafts. However, anyone familiar with the GDPR will find many similarities in the PIPL, such as the broad scope of personal information, the requirements on transparency and consent, and the more stringent requirements on the processing of sensitive personal information. This does not mean a company can save effort if its GDPR compliance exercise has already been done, but existing knowledge of the GDPR will certainly be a great help in understanding and catching up with the PIPL requirements.

Considering the very short time remaining before the PIPL takes effect on November 1, 2021, it is strongly recommended that all international companies operating in China or dealing with China take the following actions immediately:

  • get familiar with the new compliance requirements under the PIPL, without limiting the exercise to personal information, since other new laws (e.g. the topic of important data under the PRC Data Security Law and other industry-specific rules) shall also be covered. The exercise shall include mobilizing resources not only at the China subsidiary level but also at the whole group level, since foreign head offices and affiliates will also be caught by the long reach of these laws;
  • run a full data mapping within the organization, including how data flows between different parties. Again, this covers not only personal information but also other categories of data such as important data and scientific data. One area no company can avoid is HR, where the full process will need to be examined (i.e. not only current employees, but also former and prospective employees). If your business is structured on a B2C basis, the PIPL will without question be more relevant to you than to others, and data mapping needs to be run through the whole business process; and
  • the impact of the PIPL on organizational set-up as well as on supply chain management shall not be overlooked. The topic may need to be discussed at a much higher level, since there could be a strategic impact on how MNCs organize their China business in the future to better manage the compliance challenges associated with personal information as well as other data of concern from a Chinese perspective.

Last but not least, the impact of the PIPL will become part of the future “new normal”, where continuous efforts will have to be in place to manage it. An important feature of the PIPL which differentiates it from the GDPR is its stance towards administrative power. On the one hand, it does not bind public authorities in the same way as the GDPR does; on the other hand, it allows such authorities to play a more active role in the field of privacy protection (e.g. data export control). Therefore, actions under the PIPL (and the other new laws as well) shall not become a purely legal exercise. Different functions such as PR, GA and IT will all need to join forces to achieve the best results, particularly in the Chinese environment, to avoid potential risks not only at the corporate level but also at the personal level (i.e. management liability).
