China’s National People’s Congress last week approved a new Personal Information Protection Law (PIPL), which has been compared to the EU’s GDPR. The new rules provide some clarity on how international businesses can use Chinese citizens’ data, experts say, but it remains to be seen how Chinese authorities will interpret and enforce them.
PIPL, which will come into effect in November, is the third pillar of a technology regulation regime that China has been developing over many years, explains Nicolas Bahmanyar, a Beijing-based data privacy consultant at law firm Leaf. In 2017, the Cyber Security Law laid the groundwork for the regime but left some areas unclear. Earlier this year, the Data Security Law defined a new security framework that companies handling data must implement. PIPL specifically covers the use of personal data. Between the three pillars, says Bahmanyar, “we finally have an almost-comprehensive law”.
PIPL has been compared to GDPR, and it certainly bears some resemblance. For example, it centres on consent as the primary legal justification for using personal data. And both regulations apply ‘extraterritorially’, meaning they apply to citizens’ data wherever it may be processed. “This means that almost every major corporation in the world will need a China PIPL compliance strategy,” wrote Alexa Lee of Stanford University’s DigiChina project earlier this year.
The similarities to GDPR are not a coincidence, Bahmanyar says, as Chinese lawmakers drew inspiration from both EU and US regulation in drafting PIPL. But this is motivated more by labour-saving than by shared ideals, he adds. China’s impetus to regulate the use of personal data is less about protecting individuals’ right to privacy, as it is understood in the West, than about preserving national security and social order.
And while PIPL technically applies to government bodies as well as private sector organisations, “questions remain about the extent to which state organs will in fact be required to comply,” according to DigiChina.
Indeed, comparisons to GDPR are overstated, says Carolyn Bigg, partner at law firm DLA Piper. “It is true that some of the principles in the PIPL may appear similar to compliance obligations under GDPR and data laws elsewhere in Asia; and that the Chinese authorities certainly studied data protection laws from around the world when drafting the PIPL,” she says. “However, in practice the PIPL compliance obligations are likely to be interpreted and enforced differently to data protection principles elsewhere in the world.”
Businesses must “understand not just what the PIPL (and other data laws and regulations in China) says, but also attitudes of the Chinese authorities, business and consumers to the use and protection of data and local enforcement priorities when assessing compliance risks and developing compliance programmes,” she advises.
The impact of China's PIPL on international businesses
One immediate impact that PIPL will have on international businesses handling Chinese citizens' data is that it requires them to establish a legal entity within the country to do so. This will increase compliance costs, says Bahmanyar, especially for SMEs.
PIPL also introduces new rules governing cross-border transfers of personal data. The law clarifies that citizens' data can be transferred across borders if certain conditions are met. But if the amount of data transferred is above a certain, as-yet undisclosed amount, stricter legal restrictions kick in.
"China's new PIPL contains some unique requirements for data exports out of China," says Peggy Chow, a lawyer specialising in data protection and cybersecurity laws in Asia at Herbert Smith Freehills. "There are volume-based restrictions on the export of personal data from China, and a privacy-impact assessment is required before such data transfers. Both requirements are unique globally, and compliance could be burdensome to affected companies."
In response to an earlier draft of the law, the DigiChina project identified three compliance risks that PIPL poses to international companies. The first is confusion around the responsibilities of the roles identified in the law. "The draft PIPL uses a different but overlapping vocabulary [to GDPR], referring to what earlier Chinese practice had called personal information 'controllers' as personal information 'chǔlǐzhě'. Not only has the term changed, but personal information chǔlǐzhě has been used elsewhere in Chinese to specifically mean 'processors' in the GDPR sense."
Secondly, unlike GDPR, PIPL does not establish an independent authority to enforce the rules. The Cyberspace Authority of China (CAC) "is the enforcer while also being a policymaker".
And thirdly, certain measures in PIPL open the door for "reciprocal measures against any country adopting discriminatory measures toward China, providing a legal basis to stifle competitors," DigiChina warned. International companies using Chinese citizens' data could therefore become "targets" in geopolitical tussles.
But it is not all bad news. PIPL provides useful guidance for international companies by clarifying the legal basis on which they can use personal data, Bahmanyar says. In most cases, companies must obtain the consent of data subjects before using their data, and must notify them how it will be used. There are some exceptions, such as emergencies or fulfilling contractual agreements with the data subject.
This clarification will help companies decide the extent to which they can reuse existing privacy notices, for example. "I think that is the main value of this law: to bring all the obligations together in one piece when it comes to personal information," Bahmanyar says.
Chow adds that PIPL also offers an opportunity for global companies to demonstrate their commitment to data protection. "Compliance will demonstrate to Chinese consumers that companies are accountable for the way in which they collect and use people's data, so it's a useful way to build customer trust and competitive advantage," she says.
How will China enforce PIPL?
It remains to be seen how quickly the CAC will enforce the new rules and what its priorities will be. "Is the administration going to check, as early as November, every website's privacy notice? Or are they going to inspect every contract that you have with overseas recipients when you're sending personal information? That's an open question and the answer will be given by enforcement," says Bahmanyar.
Chow does not expect all businesses to be fully compliant by the time the rules kick in on November 1. "I suspect that some companies won't be ready to comply by then," she says. "It remains unclear how some of the provisions might be enforced, given the lack of detail in some areas – such as what constitutes a 'large' amount of data. Companies should aim to comply with the law as soon as possible, and prepare to adjust as clarity around the legislation evolves."
However it may be enforced, DLA Piper's Bigg expects PIPL to be a significant influence on data protection practices across Asia. "While we don’t anticipate other jurisdictions in Asia rushing to update their data privacy laws to reflect the PIPL... we do foresee China playing a more vocal role on data issues across the Asia Pacific region," she says. "This is partly because the China data framework – and cultural attitudes to personal data in China – are more aligned to those across Asia. It is also because the PIPL does represent the high-water mark of data privacy compliance obligations in the region, and we are increasingly seeing organisations adopt a regional approach to data compliance."