
China’s PIPL: What we know & what we don’t know

China’s Personal Information Protection Law


China’s Personal Information Protection Law is coming, and it is no joke.

The Personal Information Protection Law (PIPL) [China] burst onto the data privacy scene recently. Whereas the EU provided over 2 years' worth of notice before the General Data Protection Regulation became effective, and the various state data privacy laws in the United States have all provided at least 18 months from the passage of the law until its effective date, the PIPL has a mere 74-day period between the law being passed and its going into effect. It goes into effect on November 1, 2021.

As a result of its rapid arrival and even more rapid phasing in, there is a significant information gap between what companies need to know about the law and what they actually do know about the law.  The information gap is not necessarily due to negligence or sluggishness.  In its current form, the law doesn’t provide all of the information that companies will need to know to ensure compliance on November 1, 2021.


What We Know

The PIPL includes data subject requests, restrictions on cross-border transfers, and personal data protection impact assessments.

Included in the PIPL are the right to know and to decide (access), the right to limit or refuse (restriction), the right to consult and copy (data portability), the right to correct or complete (rectification), and the right to delete (erasure). The words and phrases in parentheses are not explicitly in the PIPL, but appear to be the analogs of the rights in the Chinese law.

The PIPL, similarly to the GDPR, includes restrictions on transfers of personal information outside of China’s borders.  In order to transfer data out of the country, the Personal Information Handler (controller) must “truly need” to provide personal information outside of China and must also either: (1) pass a security assessment organized by the State cybersecurity and informatization [as translated] department; (2) undergo personal information protection certification; (3) conclude a contract with the foreign receiving side in accordance with a standard contract; or (4) have other applicable conditions allowing for the transfer.

Personal Information Protection Impact Assessments (PIPIAs) are also required by the law. They come into play when a personal information handler wants to handle sensitive personal information, use personal information in automated decision-making, assign personal information handling activities to an entrusted person or entity (processor), transfer personal information outside of China's borders, or potentially for other reasons. In each instance, the PIPIA needs to be completed prior to the activity. PIPIAs need to include consideration of whether or not the handling purpose and method are lawful, legitimate, and necessary; whether the planned protective measures are legal, effective, and suitable to the risk; and the impact on individuals' rights and interests.


What We Don’t Know

The details. The law has been translated from Chinese to English, but consistent across the translations is a lack of some extremely relevant details. We don't know enough about data subject requests, what constitutes "important Internet platform services", or what the quantities foreshadowed in several provisions of the law will be.

Data subject requests are the pop quizzes of data privacy laws. They are a way that your compliance can be tested in a quick, small-scale manner. Similar to pop quizzes, they can happen at any time, without any fanfare. It's a good idea to be ready for a pop quiz even on day 1 (11/1/2021). Unfortunately, we don't know enough about how much time we have to complete these pop quizzes, or necessarily the exact subject matter of the pop quizzes. The guidance on the former is that they need to be completed "in a timely manner". Regarding the latter, the rights to correct and complete, to delete, and to refuse or limit are pretty straightforward. The right to consult and copy seems a lot like data portability, and the right to know and decide regarding one's personal information seems like the right of access. Only time will tell how similar these rights end up being to their GDPR counterparts.

The law includes four definitions in Article 73, but notably doesn't define the term from Article 58, "important Internet platform services". It would clearly seem to include Twitter, Weibo, and Facebook, but without further guidance, it's hard to say how big a net the term casts.

Similarly, the law mentions quantities provided by the State cybersecurity and informatization department in both Article 40 and Article 52, and Article 52 has the potential to apply to lots of foreign companies depending on the quantity arrived at.  If the quantity ends up being small, lots of companies will need to have personal information protection officers.  If the quantity ends up being very large, very few companies will need personal information protection officers.  Until that quantity becomes public, a lot of companies will be in limbo.


What We Think

The PIPL looks like it will be a bigger compliance obligation than even the GDPR. The PIPL includes even stiffer penalties than the GDPR. When an entity violates the PIPL egregiously, it can be fined up to 5% of its annual revenue (a 25% greater fine than is available under the GDPR). Further, the individuals responsible, such as the personal information protection officer, can be held personally liable and fined up to 1 million yuan or, in the case of a less serious violation, up to 100,000 yuan. Egregious violations can also lead to additional sanctions against the individuals responsible, such as prohibition against holding high-level positions such as director, supervisor, high-level manager, or personal information protection officer. Some violations can even lead to criminal charges. There also appears to be some strict liability operating in the law in Article 69: where the handling of personal information infringes rights and results in harm AND the personal information handlers cannot prove that they are not at fault, they shall bear compensation for the infringement.


Eyes Towards the Future

There isn't a whole lot of time between now and November 1. There will be a great deal of privacy planning ahead of the effective date. Luckily, Clarip has an automated process for fulfilling data subject requests. We can fulfill requests to delete, correct, access, restrict, and to deliver data portably. Clarip's automated data mapping can identify data sources that send data outside of China, in order to comply with the cross-border transfer provisions of the law. Clarip has a module for completing PIPIAs. Clarip is keeping up to date with the developments of the PIPL, in order to provide the best data privacy solutions to its clients. If your organization needs help complying with the PIPL, contact us at www.clarip.com or call Clarip at 1-888-252-5653 for a demo.