Personal data: New law will impact foreign firms - PwC China Compass

China’s long-awaited Personal Information Protection Law (PIPL) entered into force on November 1. The PIPL is China’s means of protecting personal data, similar to the safeguards found in the EU’s General Data Protection Regulation (GDPR) and the upcoming revised Federal Act on Data Protection (FADP) in Switzerland. 

Accordingly, the PIPL establishes a comprehensive set of rules for how businesses can collect, use, process, share and transfer personally identifiable information (PII) if they operate in China. While the GDPR and FADP apply to citizens, companies and public authorities, the PIPL especially targets domestic companies, foreign companies doing business inside and outside of China (if they collect PII of natural persons within the borders of China) and foreign authorities interacting with Chinese citizens.

How does the PIPL compare to its European counterparts?

Chinese law defines PII as all manner of personal information relating to natural persons. The information can be recorded by electronic or other means, but PII does not include information that has been anonymized. In terms of PII, the law further differentiates between critical information infrastructure (CII) and sensitive personal information (SPI). SPI refers to information that may lead to personal discrimination or material harm to personal or property security and thus potentially require tighter restriction on collection and processing to prevent leakage or illegal use. SPI includes race, ethnicity, religious beliefs, individual biometric features, medical health, financial accounts and individual location tracking, among other aspects. In this regard, SPI as specified in the new law resembles definitions used in the Swiss and EU regulations, but in some cases goes further than its Swiss and European counterparts. Unlike the FADP, for example, the Chinese law covers information on financial accounts and location tracking.

The PIPL uses the term “personal information processing entity” to refer to an organization or an individual that determines the purpose of and the means for processing personal data. This is China’s legal equivalent of the “data controller” concept. Furthermore, the PIPL uses “entrusted party” to refer to a data processor.

The fundamental principles of the PIPL are not all that different from the Swiss and EU regulations. The collection and processing of personal data must be limited to the minimum level necessary. To guarantee these principles, companies must adhere to the concepts of “privacy by design” and “privacy by default”. Additionally, companies will need to conduct compliance audits on a regular basis and assess the risk level for sensitive information. Regulators are also authorized to mandate audits of companies if there are relatively high risks in personal information processing activities or if security incidents relating to personal information have occurred.

Like the GDPR and FADP, the PIPL requires companies to carry out a personal information protection impact assessment under certain circumstances. Moreover, impact assessment reports and handling status records must be preserved for at least three years.

The PIPL provides the same rights to data subjects as the FADP and GDPR. Yet the PIPL only requires processing entities to respond to requests in a timely fashion, rather than by a specific deadline as required by the GDPR (e.g., 72 hours). Moreover, a processor is required to obtain separate consent for various aspects of the processing. Consent must thus be given for the relevant purpose, and not be bundled with other activities. In addition, certain information must be disclosed to the data subject. This approach is comparable to what is mandated by the Swiss and EU regulations.

The territorial scope is also comparable: The law primarily applies to companies processing personal data within the territory of China. Furthermore, cross-border processing activities are defined as taking place if products or services are provided to people residing in China, if the activities of those people are evaluated or if other circumstances apply as defined by the relevant laws or administrative regulations. Like the FADP and the GDPR, the PIPL requires foreign companies to establish a dedicated office or appoint a designated representative in China.

Furthermore, if a company processes a large amount of personal information that exceeds a limit set by the Cyberspace Administration of China (CAC), the data must be stored within the territory of mainland China. The term “large amount of personal information” and the threshold value have not yet been defined in the PIPL. 

If a transfer of personal information to entities outside of China is required, the affected company must provide the relevant individuals with specific information about the transfers and obtain separate consent. In addition, it must adopt the necessary measures to ensure that the overseas recipients provide the same level of protection as required under the PIPL, and must carry out a personal information protection impact assessment. Moreover, the transfer must meet at least one of the following requirements:

• It must pass a security assessment administered by the CAC. 
• It must be verified by a specialist in accordance with the provisions of the CAC.
• A standard contract formulated by the CAC must exist, specifying the rights and obligations of both parties. 
• Other conditions must be met that are prescribed by laws, regulations or the CAC. 

One similarity shared by the GDPR and PIPL is the concept of the lawful basis for processing personal data. However, whereas the GDPR also offers the legal basis of legitimate interest, this basis does not exist under the PIPL. Consequently, processing activities justified by a legitimate interest under the GDPR should be re-evaluated under the PIPL. 

Processing entities will be held liable if they infringe the regulation. Regulators may order corrective actions, issue warnings, confiscate illegal income, restrict processing services or impose a fine. Fines will be levied on the company as is the case under the GDPR, and not on the individual as under the FADP. The method for determining fines differs slightly from that used in the EU and Swiss regulations. In China, the maximum fine is CNY 50 million (approx. EUR 6.6 million) or 5% of the annual revenue of the prior financial year. The PIPL does not set a minimum penalty and thus provides leeway for other measures. Additionally, if many individuals are affected, the offending party may be subject to public lawsuits.

Felix Sutter
Tel.: +41 79 4052785
Email

Philipp Rosenauer
Tel.: +41 58 792 18 56
Email

What steps should I take to ensure compliance with China’s PIPL?

• You should review and classify the data you process to get a better understanding of which data are most affected.
• Following the review, you should adapt your guidelines and processes as needed.
• An internal risk assessment model should be established and run so that you know the status of your data processing and the requirements for a security impact assessment.
• You should adopt the technical practices made necessary by the above steps and develop organizational guidelines to guarantee protection of personal information.
• Regular training sessions and workshops should be carried out so that your employees are ready to face the challenges resulting from the PIPL.