Upon passing its third legislative review, the unified PRC legal framework for data protection (ie the PRC Personal Information Protection Law (PIPL)) was finally promulgated, with effect from 1 November 2021. We recently summarised the key highlights of the second legislative review draft; here, we consider how these highlights have changed in the final text, as well as other issues that are highly relevant to international companies and worth taking immediate action on.
Severe legal penalties remain unchanged
The previous draft of the PIPL surprised the business community by taking a very harsh stance and imposing very high penalties. In general, the punishments at the corporate level are kept intact under the final draft, namely:
- an order to rectify, confiscation of illegal gains, and a warning
- in serious cases, a fine of up to RMB 50 million or 5% of the previous year's turnover, plus suspension or even shutdown of the business.
The final draft adds new wording which allows the authorities to stop the services provided by the respective apps which violate the PIPL.
In terms of personal liability, the final draft keeps the existing provision that the individuals concerned may be fined between RMB 100,000 and RMB 1 million, and further empowers the authorities to ban the respective individuals from taking up senior positions (eg director, supervisor, senior management member) or the role of DPO of a company for a specified period.
As we explained before, criminal and civil liabilities may also be triggered separately, with the possibility that the State (eg procuratorates), legally established consumer protection organisations or other organisations endorsed by the Chinese government may launch class actions. That said, law enforcement agencies are not in a position to initiate class actions under the final draft.
One particular point to be stressed – which does not exist under the GDPR but is highly relevant to business in the Chinese context – is that the PIPL will link a company's compliance record to the so-called corporate social credit system (企业社会信用体系). Any violation of the PIPL will affect a company's credit rating in the system, which in turn will affect the company's access to business-related resources in China and might even result in loss of market (eg the company could be disqualified from certain bidding projects, lose "fast track" treatment during customs clearance, or be subjected to more intense monitoring and checking by Chinese authorities).
You are caught both within and outside China
Except for some fine-tuning of the wording, the "long arm" provisions remain unchanged under the final draft PIPL and are, in general, similar to those in the GDPR. Article 3 of the PIPL stipulates that all personal information processing activities conducted outside the PRC shall also be subject to the PIPL, insofar as these activities:
- are for the purpose of providing goods or services to natural persons within the PRC
- are to analyse or assess behaviours of natural persons within the PRC, or
- fall into other circumstances as stipulated by laws and regulations.
This principle will have a considerable impact on international companies which deploy their IT infrastructure and functions globally. European head offices are used to the reverse situation: when they conduct their GDPR compliance exercises, they can push certain compliance requirements down to their China subsidiaries, so the "long arm" is felt less at head office. The PIPL turns this around, so European head offices will now also need to screen all their data activities from a Chinese perspective to ensure compliance under the PIPL, even though they sit outside China.
This legal principle is also adopted by other Chinese laws regulating other types of data, which means that – beyond the topic of privacy – all data activities of foreign head offices or affiliates must respect Chinese laws. For example, Article 2 of the PRC Data Security Law, which took effect on 1 September 2021, stipulates that legal liabilities shall be pursued if data processing activities conducted outside China harm the national security or public interest of the PRC. This legislative trend reflects China's concern over the topic of so-called "data sovereignty", which has become a new regulatory challenge for international business.
The statutory requirements of the "long arm" provision remain unchanged under the final draft (Article 53): an offshore data processor shall appoint a dedicated agency or representative within the PRC to handle its data protection matters. The name and contact details of the onshore agency or representative shall be filed with the competent PRC authorities.
Transmitting data out of China shall follow "due process"
Data export control provisions in general remain unchanged under the final draft PIPL. Personal data may be transmitted out of China if the transmission satisfies one of the following conditions:
- a security assessment organised by the regulators has been passed
- a protection certification has been obtained from a licensed agency
- standard contractual clauses have been concluded with the foreign recipient
- another legitimate basis exists under Chinese laws or as allowed by Chinese regulators, or
- the transmission is made on the basis of an international treaty concluded by China (this item was added in the final draft).
Compared with the legislative ambiguity and vagueness of earlier years, the above is a big step forward which will greatly facilitate the cross-border data flows of international companies. Although not all details are available, this development at least shows a practical direction for companies to follow. In particular, the inclusion of the fifth item concerning international treaties shows a very positive approach to solving the current dilemma faced by international companies, at a time when there is a legislative trend in various jurisdictions to build up border controls over data flows. Without international cooperation among the jurisdictions concerned (including both the EU and China), cross-border data transmission compliance will be impossible for international business.
Points to note in this context under the final PIPL include:
- a separate consent from the data subject, based on detailed disclosure about the export and the recipient, is required before the respective data may leave China (Article 39)
- any provision of personal data to a foreign law enforcement agency or to a foreign court requires the prior approval of the competent Chinese authorities (Article 41).
The above are new requirements to learn which may not be required under the GDPR. They can become a big challenge for international companies to manage (eg in a compliance investigation initiated in their home country). Abiding by home country rules will likely result in a violation of Chinese laws, which again has a very strong political flavour and may become another impossible hurdle for international companies.
Immediate actions to consider
There is more that could be elaborated upon when comparing the final draft PIPL with its previous drafts. However, if you're familiar with the GDPR, you'll find many similarities with what is outlined in the PIPL, such as the broad scope of personal information, the requirements on transparency and consent, and the more stringent requirements on the processing of sensitive personal information. This does not mean you can ignore the PIPL if you've already conducted a GDPR compliance exercise, but pre-existing knowledge of the GDPR will be a great help when it comes to understanding and catching up with the PIPL requirements.
Considering the very short time remaining before the PIPL takes effect on 1 November 2021, we strongly recommend that all international companies operating in China or dealing with China take the following actions immediately:
- Get familiar with the new compliance requirements under the PIPL, and ensure you don't limit this exercise to personal information only; other new laws (eg the topic of important data under the PRC Data Security Law and other industry-specific rules) should also be covered. The exercise should include mobilising resources not only at the China subsidiary level, but also at the whole group level, since foreign head offices and affiliates will also be caught by the long reach of the laws.
- Run a full data mapping exercise within your organisation, including how data flows between different parties. Again, this covers not only personal information, but also other categories of data such as important data and scientific data. One area no company can ignore is HR, as the full process will need to be examined (ie not only existing employees, but also former and potential employees). If your business is structured on a B2C basis, the PIPL will be more relevant to you than to others, and data mapping needs to be applied to your whole business process.
- Consider the impact of the PIPL on your organisational set-up, as well as on your supply chain management. You may need to discuss this at a much higher level, since there could be a strategic impact on how MNCs organise their China business in the future to better manage compliance challenges associated with personal information, as well as other data of concern from a Chinese perspective.
The impact of the PIPL will become part of the future "new normal", and continuous effort will be required to manage it. An important feature of the PIPL which differentiates it from the GDPR is its stance towards administrative power. On the one hand, it does not bind public authorities in the same way as the GDPR. On the other hand, it allows these authorities to play a more active role when it comes to privacy protection (eg data export control). Therefore, actions under the PIPL (and under the other new laws) will become more than a purely legal exercise. Different functions such as PR, GA and IT will all need to join forces to achieve the best results, particularly in the Chinese environment, to avoid potential risks not only at the corporate level but also at the personal level (ie management liabilities).