Upon a successful legislative review for the third time, the unified PRC legal framework for data protection (ie the PRC Personal Information Protection Law (PIPL)) was finally promulgated and took effect on 1 November 2021. We recently summarised the key highlights of the second legislative review draft; here, we consider how these highlights have changed in the final draft, as well as other issues that are highly relevant to international companies and worth taking immediate action over.
The previous draft of the PIPL surprised the business circle as it took a very harsh stance by imposing very high penalties. In general, the punishment at the corporate level is kept intact under the final draft, namely:
The final draft newly adds wording which allows the authorities to stop services provided by the respective APPs which violate the PIPL.
In terms of personal liabilities, the final draft keeps the existing provision that concerned individuals may be fined between RMB 100,000 to RMB 1 million, and further empowers the authorities to ban the respective individuals from taking up senior positions (eg directors, supervisors, senior management members) or DPO of a company within a specified duration.
As we explained before, criminal and civil liabilities may also be triggered separately, with the possibility the State (eg procuratorates), legally-established consumer protection organisations or other organisations as endorsed by Chinese governments to launch for class actions. That said, law enforcement agencies are not in a position to initiate class actions under the final draft.
One particular point to be stressed – which does not exist under the GDPR but is highly relevant to business in the Chinese context – is that the PIPL will link a company's compliance record to the so-called corporate social credit system (企业社会信用体系). Any violation of the PIPL will affect a company’s credit rating in the system which in return will affect the company’s access to business-related resources in China and might even result in loss of market (eg they could be disqualified from certain bidding projects, lose "fast track" treatment during customs clearance, or be subjected to more intense monitoring and checking by Chinese authorities).
Except for some finetuning of the wording, the "long arm" provisions remain unchanged under the final draft PIPL, which in general is similar to what is in the GDPR. Article 3 of the PIPL stipulates that all personal information processing activities conducted outside the PRC shall also be subject to the PIPL, as far as these activities:
This principle will have a considerable impact on international companies which deploy their IT infrastructures and functions globally. The impact of the "long arm" provisions may be felt less by European head offices when they conduct their GDPR compliance exercises where they can push down certain compliance requirements to their China subsidiaries. The PIPL turns this around, so European head offices will now also need to screen all their data activities from a Chinese perspective to ensure compliance under the PIPL, even if they are sitting outside China.
This legal principle is also adopted by other Chinese laws regulating other types of data, which means that – besides privacy topic – all data activities of foreign head offices or affiliates must respect Chinese laws. For example, Article 2 of the PRC Data Security Law, which took effect on 1 September 2021 and stipulates that legal liabilities shall be pursued if data processing activities conducted outside China harm the national security or public interest of the PRC. This legislative trend reflects China’s concern over the topic of so-called "data sovereignty" which has become a new regulatory challenge for international business.
The statutory requirements of the "long arm" provision remain unchanged under the final draft (Article 53): an offshore data processor shall appoint a special agency or representative within the PRC to take care of its data protection matters. Names and contact details of the onshore agency or representative shall be filed with the competent PRC authorities.
Data export control provisions in general remain unchanged under the final draft PIPL. Personal data are allowed to be transmitted out of China if such transmission qualifies one of the below:
Compared with the legislative ambiguity and vagueness in earlier years, the above are a big step forward which will greatly facilitate cross-border data flow of international companies. Although not all details are available, this development at least shows a practical direction for companies to follow. In particular, the inclusion of the fifth item concerning international treaties shows a very positive approach to solving the current dilemma faced by international companies when there has been a legislative trend in various jurisdictions to build up border control over data flow. Without the international cooperation among the concerned jurisdictions (including both the EU and China), cross-border data transmission compliance will be impossible for international business.
Points to note in this context under the final PIPL include:
The above will be something new to learn which may be not required under the GDPR. It can become a big challenge for international companies to manage (eg a compliance investigation case initiated in their home countries). Abiding by home country rules will likely result in violation of Chinese laws, which again has a very strong political flavour and may become another impossible hurdle for international companies.
There could be more to be elaborate upon when comparing the final draft PIPL with its previous drafts. However, if you're familiar with the GDPR, you'll find many similarities with what is outlined in the PIPL, such as the broad scope of personal information, the requirements on transparency and consent, and more stringent requirements on processing of sensitive personal information. This does not mean you can ignore the PIPL if you've already conducted a GDPR compliance exercise, but a pre-existing knowledge of the GDPR will be a great help when it comes to understanding and catching up with the PIPL requirements.
Considering the very short time remaining before the PIPL takes effect on 1 November 2021, we strongly recommend all international companies operating in China or dealing with China take below actions immediately:
The impact of the PIPL will become part of the future "new normal", and continuous effort will be required to manage it. An important feature of the PIPL which differentiates it from the GDPR is its stance towards administrative power. On the one hand, it does not bind public authorities in the same way as the GDPR. On the other hand, it allows these authorities to play a more active role when it comes to privacy protection (eg data export control). Therefore, actions under the PIPL (including other new laws as well) will become more than a purely legal exercise. Different functions like PR, GA, IT will all need to join forces to achieve the best results, particularly in the Chinese environment, to avoid potential risks not only at corporate level but also at personal level (ie management liabilities).