China's Personal Information Protection Law (PIPL) is now in force and sets the ground rules for how personal data is collected, used and stored. It also sets out data processing requirements for companies based outside China, including passing a security assessment conducted by state authorities.
Multinational enterprises (MNEs) that transfer personal information out of the country will also need to obtain data protection certification from professional institutions, according to the PIPL.
The legislation was passed in August, having undergone a few revisions since it was first introduced in October last year. In force since November 1, the new law was necessary to combat the “chaos” created by data, with online platforms collecting too much personal data, the Chinese government said at the time.
Personal information is defined as all types of data recorded in electronic or other forms, which relate to identified or identifiable persons. It does not include anonymized data.
The PIPL also applies to foreign organizations that process personal data abroad for the purpose, among other things, of providing products and services to Chinese consumers as well as analyzing Chinese consumer behavior. They will also need to establish designated agencies or appoint representatives based in China to take responsibility for matters related to the protection of personal data.
The new legislation includes a chapter that applies specifically to cross-border data transfers, stipulating that companies that need to transfer personal information outside China must first conduct "personal information protection impact assessments," according to Hong Kong's Office of the Privacy Commissioner for Personal Data (PCPD).
They will also need to obtain the individual's consent for the transfer of their personal information and meet one of several requirements. These include accepting a "standard contract" issued by the authorities responsible for overseeing cyberspace matters, and fulfilling requirements set out in other laws and regulations established by the authorities, the PCPD said.
These multinationals should also implement the necessary measures to ensure that other foreign parties involved in data processing comply with the data security standards stipulated by the PIPL.
What the security assessments imply is unclear
Leo Xin, senior partner at law firm Pinsent Masons, described the legislation as a "milestone" in China's data protection legal regime and urged multinationals to pay close attention to the rules on cross-border data transfers.
Xin said in an article: "Some areas remain unclear and require detailed implementation rules, such as how the security assessment should be handled, what the standard clauses for data transfer formulated by the Cyberspace Administration of China will be, and what the approval procedure should look like [if] there is a request for personal information by foreign judicial bodies or law enforcement agencies."
The legislation further requires that the processing of personal data be clear, reasonable and limited to the "minimum scope necessary" to achieve the stated processing purpose.
The lawyer recommended that multinationals begin assessing the potential impact of the PIPL on their IT infrastructure and data processing activities.
According to the PCPD, the new legislation also covers "automated decision-making," in which computer systems are used to analyze consumers' behavior, habits, interests, finances and health, and to make decisions about them automatically.
Here, companies will need to ensure that these decision-making processes are transparent and fair. Consumers should also be able to opt out of receiving personalized content. Impact assessments must be carried out and the resulting reports kept for at least three years.
Businesses that violate PIPL rules may receive a rectification order or warnings. Chinese authorities can also confiscate any “illegal income,” according to the PCPD.
Violators who fail to comply with rectification orders face fines of up to 1 million yuan ($150,000), while the person responsible for ensuring compliance can be fined between 10,000 yuan ($1,500) and 100,000 yuan ($15,000).
For "serious" cases, Chinese authorities can also impose fines of up to 50 million yuan ($7.5 million) or 5% of the company's annual turnover for the previous fiscal year. In addition, its business activities may be suspended or its business permits and licenses revoked.
Last month, the Beijing government told local media it would take "targeted action" to address issues it deemed persistent in the digital economy, such as poor data management. According to the South China Morning Post, the Ministry of Industry and Information Technology was continuing its scrutiny of the internet sector as part of a six-month campaign that began in July.
The ministry recently asked 43 apps to make corrections after discovering they had illegally transferred user data.
In July, the Cyberspace Administration of China (CAC) ordered Chinese ride-hailing platform Didi to remove its app from local app stores after it violated regulations governing the collection and use of personal data. Didi was told to rectify "existing problems" and "effectively protect" users' personal data.
In May, the CAC called out 33 mobile apps for collecting more user data than it deemed necessary to deliver their services. The companies involved, which included Baidu and Tencent Holdings, were also asked to rectify the issues.
Tencent said last month it was forming a committee to review its user data protection and privacy policies. The team would include technical, legal and media professionals as well as members of the public, the Chinese tech giant said. The committee would then make recommendations on improvements, if and where necessary, to better protect user privacy.