PIPL China: Is Your Business Ready?

On August 20th, 2021, China passed its new Personal Information Protection Law (PIPL) — the first of its kind to be seen in the East-Asian country. The law creates a new landscape around security and the protection of personal information.

This personal information protection law will have far-reaching effects on business operations in China, similar to what the European Union’s (EU’s) General Data Protection Regulations (GDPR) has had on the world. 

China’s PIPL provides a new set of rules on how businesses can use Chinese citizens’ data, and tech companies, in particular, will be affected; not just in China, but around the world. 

From November 1st, 2021, organizations handling Chinese citizens’ data must meet certain conditions laid out in the PIPL. If your SaaS business is already GDPR compliant, you should have an easier time reaching PIPL compliance levels. 

However, if you haven’t implemented GDPR practices, your business may have to spend extra time preparing for China’s PIPL. The law adds another layer of complexity to data security compliance for companies doing business in China.

What Is China’s PIPL?

What is PIPL?

China’s PIPL is a data privacy law that imposes new data-handling requirements. It’s perhaps the most stringent set of data laws in the world right now.

The personal information protection law puts into place protections and restrictions on data collection and transfer. In particular, the law focuses on apps that use personal information to target consumers and provide personalized advertising to them. 

The PIPL also aims to improve personal information protection by preventing data from being transferred to other countries with less stringent data protection or security policies.

Background to the PIPL

The PIPL is China’s third law aimed at the regulation of technology. In 2017, the Cyber Security Law was enacted, which was then followed in early 2021 by the Data Security Law. Now, the PIPL completes the framework, with a specific focus on personal information protection.

Territorial Scope

The PIPL has extraterritorial applications too. This term means that the regulations don’t only apply to activities within China; under certain conditions, they apply to handling citizens’ personal information outside of Chinese borders too.

So, it seems that even without any presence in China, SaaS businesses that process the personal information of Chinese citizens will be bound by this law. 

Effectively, this means that almost every major business in the world will need a PIPL compliance strategy. And if you sell software online and your business deals with the personal information of individuals located within China, you’ll need to ensure you’re consistently meeting the requirements of the PIPL.

What is Defined as ‘Personal Information’ and ‘Sensitive Personal Information’ in the PIPL?Under China’s PIPL, personal information is defined as any information such as video, voice, or image data relating to an identified or identifiable natural person, notwithstanding whether the information is captured via an electronic form or another type of form. This definition excludes any anonymized information.

Beyond this, the PIPL defines sensitive personal information. This term refers to the personal information of which the leakage or illegal use could easily violate the personal dignity of a natural person or harm personal or property safety. 

Examples of this kind of information include biometrics, religious information, medical information, home addresses, financial information, and personal information of those under 14 years of age.

Why is the distinction between these types of personal information relevant?

Well, the liability could be on SaaS businesses to keep sensitive personal information separate from other personal information to help mitigate the risk of full records of personal information being shared when consent hasn’t been given. 

Also, sensitive information must only be used when it is relevant for achieving a specific purpose, and it must be protected at all costs by the processor.

6 point Legal Basis for Processing Information

Obtaining consent from data subjects has always been one of the basics of data protection. But just like the GDPR, the PIPL has now officially broadened the notion of a legal basis of what it is to process personal information to the following:

• Where it’s necessary to conclude or perform a contract or carry out human resource management.

• Where it’s necessary to perform statutory responsibilities or statutory obligations.

• Where it’s necessary to respond to a public health emergency or protect an individual’s interest or safety in an emergency.

• Where it’s necessary to carry out activities in the public interest.
• Where the relevant personal information, which has either been disclosed by the relevant individual or otherwise been legally disclosed, is processed within a reasonable scope according to law.
• Other circumstances as provided by laws or administrative regulations.

At least one of these must be established for the processing of a data subject’s personal information to be lawful.

Individuals’ Rights (6 main points)

The PIPL provides individuals with various rights when it comes to their personal information protection. These include:

• The right to know and decide on matters relating to their personal information.

• The right to restrict or prevent the processing of their personal information.

• The right to consult and copy their personal information from the processors.

• The right to transfer their personal data from one organization to another (portability).
• The right to correct and delete their personal information.
• The right to request an explanation of the processing rules from processors.

China’s PIPL: 7 Processor Obligations

The PIPL places responsibilities and obligations on the processor of personal information. The processor is required to:

• Formulate internal management systems and operating procedures.

• Implement classified management of personal information protection.

  • Adopt technical security measures such as encryption and de-identification.
• Reasonably determine the operational authorizations for personal information and provide regular training and security education for operational staff.
• Formulate and carry out response plans when security incidents related to personal information occur.
• Carry out regular compliance audits.
• Adopt other security measures laid out in laws and regulations.

A Risk-Based Approach

The PIPL lays out a risk-based approach with stricter compliance obligations for situations considered high risk. For example, personal information processing entities who process volumes of the information above a certain threshold (still to be announced) must appoint a personal information protection officer. This person will monitor all processing of personal data for the specific organization. 

Another example is that those operating “internet platforms” with many users must employ an external, independent entity to monitor compliance. These businesses must also publish regular social responsibility reports, which cover the success of their personal information protection efforts.

As mentioned before, sensitive personal information is treated as “higher risk” than regular personal information and must be dealt with accordingly.

Is China’s PIPL enforceable

The short answer is yes. China can enact this kind of data protection and privacy legislation, and businesses dealing with processing personal information of Chinese citizens will be required to comply with the law once it becomes active on November 1st, 2021.

How China's PIPL compares to the EU's GDPR

Many are calling the PIPL “China’s GDPR” — with good reason. The PIPL does most closely resemble the GDPR when compared with other privacy laws around the world. 

However, it does have a few key differences. Let’s briefly unpack these similarities and differences:

Both are extra-territorial.

Both the GDPR and the PIPL focus strongly on consent as a primary legal justification for the collection of personal information. However, other legal grounds for processing are now also applicable, as mentioned before. Also, like the GDPR, the PIPL gives individuals the right to access, request, edit, delete, transfer, and restrict the collection and use of their personal data. 

Consent is similar across the GDPR and PIPL. The GDPR requires businesses and data processors to appoint an EU representative, while under certain conditions, the PIPL requires data processors to designate an in-country representative to monitor compliance. 

However, the PIPL requires separate consent for some processing activities. These activities include sharing personal information with other processing entities, publicly disclosing personal information, processing sensitive personal information, and transferring personal information overseas.

The PIPL is also similar to the GDPR in terms of personal information rights but doesn’t contain the same specificity around the rights as the GDPR. The two laws are similar in terms of cross-border transfer of personal information, but the PIPL includes some additional requirements. We’ll share more about this later. 

The GDPR and PIPL require data processing impact assessments, but the requirements to trigger these assessments are different. Lastly, the GDPR doesn’t focus on national security, while this is one of the key features of the PIPL.

How Could the PIPL Affect My SaaS Business?

PIPL Compliance Strategy

Every SaaS organization that processes the personal information of Chinese citizens will need to create a strategy for PIPL compliance. Creating this strategy will require engagement with all of the PIPL requirements to develop a comprehensive compliance framework.

Requirements for Cross-Border Transfers of Personal Information

There are strict requirements for the cross-border transfers of personal information. When a processing entity plans to transfer personal data to entities outside of China, they must give individuals specific information about the transfers. In addition, the processing entity must take the necessary steps to ensure the personal information will still be treated according to the requirements of the PIPL.

Lastly, the processing entity must carry out a personal information protection impact assessment.

Security Assessment

Entities processing large amounts of personal information should store the data locally. Alternatively, if the business can’t store the information locally and has to transfer it elsewhere, the Cyberspace Administration of China (CAC) has a right to conduct a supervisory security assessment.

Critical Information Infrastructure (CII) Operators

Critical Information Infrastructure (CII) is information that could result in severe damage to state security, the national economy, or people’s livelihoods if destroyed, changed, or leaked. 

Some examples of industries that are classified as critical information infrastructure operators are public communication and information services, as well as energy, transport, and finance sectors.

Operators of this kind of information will need to pass specific security assessments before sending any personal data out of China. If your company deals with this kind of personal information, you’ll need to make sure you pass the assessment to continue doing business in the country.

Personal Identifiable Information (PII) In-Country Representatives and Training

SaaS businesses that handle large amounts of personal, identifiable information (PII) must have designated in-country representatives to manage data handling and compliance. Also, everyone who deals with data protection must attend mandatory training...

IT System Compliance Considerations

The PIPL requires that personal data collected from CII operators (and operators that process personal information) reaching a specific amount as determined by the CAC must store this information in China. This rule means that many businesses will have to set up new infrastructure for their companies in the country.

It’s also important to note that, even if you store the data in China, it will still count as a cross-border transfer if a user outside of the country has access to it.

Penalties, Fines, and Blacklisting of Non-Compliant Businesses

If your SaaS business doesn’t comply with the specified PIPL regulations, China’s regulators may take action. For example, they could issue warnings, suspend your business’ license, give you a fine, or even stop you from doing business in their country entirely. The fine can be up to 50 million RMB or 5% of your organization’s annual revenue for the previous financial year. 

A business may also be liable for tort damages if they infringe on the rights of individuals concerning their personal information. In addition, if the infringement involves a large group, the business could face a public interest lawsuit.

First Steps Towards PIPL Compliance

After reading this article, you might have realized that your business will have to make some significant changes to comply with PIPL. Not sure where to start? 

The first step is to look at the data life cycle stages. Then, for each life cycle stage, evaluate your practices against the requirements of the PIPL and make adjustments where necessary to ensure that you’re compliant.