China has passed the Personal Information Protection Law, referred to as the PIPL. The Cybersecurity Law (protecting cybersecurity), the Data Security Law (protecting data security), and now the PIPL (protecting personal information) together make up China's data protection framework.
The PIPL will be effective from 1st November 2021 as China's first comprehensive law dedicated exclusively to the protection of personal information. Organizations dealing with personal data related to China will have to comply with the PIPL. Let us take a look at the highlights of the PIPL:
PIPL Highlights: Important Definitions
- Personal Information Processor: Article 73 defines a personal information processor as an organization or individual that independently determines the purposes and means for the processing of personal information. The “personal information processor” under the PIPL corresponds to the “data controller” under the GDPR.
- Entrusted Party: Article 21 defines “Entrusted Party” as the entity that processes personal information.
- Personal Information: Article 4 defines Personal information as any information related to identified or identifiable natural persons recorded by electronic or other means. It is to be noted that anonymized information is not considered personal information under the PIPL.
- Processing of personal information: defined as the collection, storage, use, processing, transmission, provision, publication, and erasure of personal information.
Cross-border transfers
International organizations with business operations in China or Chinese organizations with international operations will have to comply with the cross-border data transfer requirements. The PIPL allows cross-border transfers. The conditions prescribed for cross-border transfer are as follows:
- Article 39 states that the personal information processor must notify individuals about the transfer and obtain separate consent for it.
- Article 38 states that the personal information processor must ensure data protection measures are provided by the foreign data importer.
- Article 55 states that the personal information processor must conduct a personal information protection impact assessment.
- Article 51 states that there are multiple factors to be considered while designing data protection measures, like defining the objective and framework for processing personal information, classifying the types of information, probability of risk, and infringement of an individual’s rights and interests.
Data protection measures prescribed by the PIPL are as follows:
- Preparation of operational procedures and internal management system
- Applying proper classification to personal information.
- Use of data security tools such as encryption.
- Allocating clearly defined authority to process personal information.
- Providing training for the employees at regular intervals.
- Staying prepared with an emergency plan of action for security incidents.
Although the PIPL standard contractual clauses (SCC) have not been released, organizations can still choose to obtain a personal information protection certification or to enter into an agreement with the foreign data importer. It is evident from the cross-border data transfer requirements prescribed by the PIPL that data security is viewed as a matter of national security.
A short review of rights under the PIPL
The PIPL is largely aligned with the requirements of the GDPR when it comes to personal information rights. Although the extent of implementation of the rights under the PIPL cannot be determined at present, the following rights under the PIPL can be compared to those under the GDPR:
- Right to information
- Right to access
- Right to correction or rectification
- Right to erasure
- Right to object to and restrict the processing of an individual’s data
- Right to data portability, complying with the requirements of the Cyberspace Administration of China.
- Right not to be subject to automated decision-making
- Right to withdraw consent
- Right to lodge a complaint with the regulator
A look at the penalties for non-compliance
Let us take a look at the scenario of non-compliance:
- Article 66: A fine of up to 50 million RMB can be issued. Any illegal income will be confiscated, and a fine of 5% of the organization’s annual revenue (for the previous financial year) may be imposed.
- Article 67: Apart from the monetary fine, the violations will be recorded in “credit files” as per China’s national social credit system.
- Article 69: In case of infringement of the rights and interests of personal information, the organization will be liable for tort damages.
- Article 70 – In case of infringement of rights and interests of personal information of a large number of individuals, public interest lawsuits can be filed under the People’s Procuratorate.
PIPL vs GDPR
When discussing data security laws, another major name that comes up is the GDPR. Although it can be said that the PIPL has emerged drawing a few significant influences from the GDPR, it differs from the GDPR in many ways. Let us look at a few notable differences between the PIPL and the GDPR:
- Terminology: There are many differences in the terminology used in the two laws. A few examples: “data subjects” in the GDPR and “individuals” in the PIPL, “data controllers” in the GDPR and “personal information handlers” in the PIPL, “data processors” in the GDPR and “entrusted parties” in the PIPL.
- Penalty: The penalty levied by the PIPL is up to 5% of annual revenue. The law does not mention whether the penalty is based on annual revenue in China or worldwide. The penalty under the GDPR is 2% or 4% of worldwide annual revenue.
- Data breach notification: In case of a data breach, the PIPL does not set a specific deadline for notification; notification must be immediate, whereas the GDPR specifies a deadline of 72 hours.
- Sensitive data: The definition of sensitive data differs between the PIPL and the GDPR. There may be instances where the same data is classified as sensitive under the PIPL but not under the GDPR.
It is now evident that the time has come for companies dealing with personal information and data subjects to act, as China has a dedicated law for data protection. It would be the most appropriate decision to use this time to align your organization's data and compliance policies with the PIPL. When implementing the PIPL requirements, one must have a deep understanding of the GDPR requirements already implemented in the organization's systems.
As mentioned earlier, the PIPL has emerged drawing a few significant influences from the GDPR. It would therefore be wise to analyze the differences between the requirements of these two comprehensive data security laws, to save time in adapting processes and to avoid penalties.