1. China’s Data Protection History
China’s long anticipated (and dreaded) Personal Information Protection Law (PIPL) is now a reality.
Way back in 2018 we wrote about personal information protection legislation in China when the country’s Standardization Administration, authorized by the State Council, issued a document, GB/T 35273-2017 Information Technology – Personal Information Security Specification (信息安全技术 个人信息安全规范) (the “Specification”).
That personal information protection Specification was not a law or regulation that required mandatory compliance, but it paved the way for the Personal Information Protection Law (PIPL), which came into effect on November 1, 2021. The PIPL delineates the rights of individuals to access and control personal data held by companies and restricts what companies can do with data. The Chinese-language text of the PIPL is here and an unofficial English translation is here.
2. The Impact of China’s Personal Information Protection Law
On the day the PIPL came into effect, Yahoo! announced it would cease operating in China. Yahoo said it was leaving China because of its “increasingly challenging business and legal environment”. In October, Microsoft-owned LinkedIn announced that LinkedIn would be shutting down in China due to China’s “significantly more challenging operating environment and greater compliance requirements.”
3. China’s Personal Information Protection Law Compared to California’s Consumer Privacy Act and the EU’s GDPR
In 2019, one of my law firm’s data privacy lawyers, Griffen Thorne, warned that Chinese authorities were in the process of building on the Specification to enact the PIPL. In that same post, he also highlighted the similarities and differences between Chinese data privacy laws and the General Data Protection Regulation (“GDPR”), the EU’s data privacy law. Griffen also noted that California has important data privacy legislation, the California Consumer Privacy Act (“CCPA”). [Bonus: in April my law firm’s lead lawyer in Brazil, Rodrigo Guedes Nunes, wrote about Brazil’s version.]
Griffen highlighted an important difference between China’s, the EU’s and California’s data privacy laws:
U.S. or E.U. companies doing business in China will not be able to rely on having entered into contracts with Chinese citizens to process their data. They will now need to painstakingly explain all of the ways in which they will use the data and get consent for using it, unless one of the other few very narrow exceptions applies. If you want to change how you process data after collecting it and getting consent, most of the time that will be just too bad—unless there’s another exception. You will need to go back and get fresh consent. In other words, and as so many of our clients keep wanting us to confirm, what you have done to comply with GDPR and US/California data privacy laws does not really help you much if at all for China. You will need to undertake wholly separate and different compliance work for China.
4. China’s “Trifecta” of Cyber Laws
The PIPL joins China’s Cybersecurity Law, implemented in June 2017, and its Data Security Law, implemented in September 2021. China now has a trifecta of laws to make things difficult for foreign businesses. As my law firm’s lead China lawyer, Steve Dickinson, wrote in 2019:
Under the Cybersecurity Law, the Chinese government has the right to obtain from any person or entity in China any information the Chinese government deems has any impact on Chinese security. The Chinese government understands that foreign companies and individuals will be reluctant to simply turn over their information to the Chinese government when asked. For that reason, the Chinese Cybersecurity Bureau does not plan to politely make a formal request for the information. The fundamental premise of the new cybersecurity systems is that the government will use its control of communications to simply take the information without discussing the matter with the user. All data will be open to the Chinese government.
5. Complying with China’s Personal Information Protection Law
Foreign and domestic Chinese companies are scrambling to hire the tens of thousands of data protection/compliance officers needed to manage the interaction with customers and ensure compliance with government regulations.
Compliance is critical, because the PIPL empowers China’s regulators to issue warnings, order companies to take corrective actions, suspend services and/or levy fines. Fines can be up to RMB50 million (USD$7.8 million) or five percent of an organization’s annual revenue for the prior financial year. The PIPL does not specify whether fines will be based on a company’s China revenue or its revenue worldwide.
Some observers have suggested PIPL’s implementation should be seen as China escalating its “war on big tech”, but the law has been years in the making; the foundation was the Specification mentioned above, which was issued in 2018.
No, the PIPL is an extension of Beijing’s campaign to “command and control” every aspect of Chinese life. Though Chinese and foreign companies must now handle consumer information with care, the Chinese state has total access.
Our China lawyers have written often (especially during the past five years) on how foreign companies operating in China must comply with every China law and regulation. This holds true for the PIPL as well. If your company gets customer data from China, you need to make sure you stay on the right side of Chinese data privacy laws.