China’s Personal Information Protection Law (PIPL) went into effect on November 1, 2021. Together with the Cybersecurity Law and the Data Security Law, the PIPL is the third of three Chinese laws designed to provide a comprehensive approach to cybersecurity, data security and data privacy.
The Cybersecurity Law
The Cybersecurity Law (CSL) went into effect on June 1, 2017, and effectively amalgamated a number of regulations and laws related to cybersecurity under one umbrella. The CSL is intended to protect China’s national security, combat online crime and improve information and network security.
It is supplemented by a number of standards and guidelines, some of which are not legally binding.
The CSL expanded the scope of cybersecurity law in China from ISPs alone (defined as operators or providers of websites) to both ISPs and network operators. ‘Network operators’ are very broadly defined as any company owning or operating a computer network.
Some key concepts in the CSL:
- Critical information infrastructure operators (CII operators)
  - Defined as organizations processing data which has the potential to seriously endanger Chinese national security, national welfare, people’s livelihood or the public interest if destroyed, damaged or leaked; CII operators are subject to more stringent requirements and oversight due to the sensitivity of the information they handle
- Data localization
  - Certain categories of data must be stored in China rather than overseas
- Restrictions on cross-border transfers
- Increased requirements for disclosure to, and consent of, individuals whose data is being collected
The Data Security Law
The Data Security Law (DSL) became effective September 1, 2021. It expands on areas of the CSL, focusing on national security as well as classifying data based on its import to Chinese national security. This in turn has a flow-through effect on how the data may be stored and transferred.
The two primary categories are core data, broadly defined as data that involves Chinese national or economic security, Chinese citizens’ welfare or significant public interests, and important data, the next tier below core data. However, the precise definitions of core and important data are not made entirely clear in the DSL itself.
The DSL also expands on the data localization and cross-border transfer requirements for core and important data, as well as adding some restrictions on CII operators. CII operators must ensure, for example, that data generated in China is stored in China and that a security assessment is completed before China-generated data is transferred abroad.
A key provision of the DSL, which has led to it being seen in some circles as a response to the USA’s CLOUD Act, prohibits CII operators and other types of network operators from providing any data stored in China to any foreign judicial or law enforcement body without the approval of Chinese authorities.
The DSL also brings in rules on establishing and improving data security, as well as data breach notifications to users and authorities. Companies operating in China that handle important or core data are required to designate an individual or team responsible for data security and to submit periodic risk assessments to the authorities. Penalties run to approximately $100K CAD, as well as the potential for a business to lose its license to operate.
Like the PIPL, the DSL has extra-territorial scope, meaning that where companies outside China handle data covered by the DSL those companies are also required to comply with the requirements of the DSL.
The Personal Information Protection Law
The most recent of the three laws, the Personal Information Protection Law (PIPL), has a number of elements strongly reminiscent of the EU GDPR and went into effect on November 1, 2021. The PIPL is designed to protect personal information, regulate its processing and promote the reasonable use of personal information. Unlike the CSL and DSL, it is restricted to information about natural persons.
The PIPL also has extraterritorial scope whenever businesses outside China process the personal information of Chinese residents for the purpose of:
- Providing products or services to domestic natural persons
- Analyzing and evaluating the activities of domestic natural persons
- Other circumstances as provided by laws and administrative regulations
Personal information under PIPL is defined as information related to identified or identifiable natural persons recorded by electronic or other means, which is broadly similar to other comparable laws such as GDPR or PIPEDA.
As with the GDPR, PIPL differentiates between personal information processors, roughly equivalent to a GDPR data controller, and entrusted parties, which are close to the GDPR data processor.
A personal information processor decides:
- the purpose, period and means of processing
- the categories of personal information to be processed
- the necessary protection measures
- the rights and obligations of both parties
The entrusted party processes information in accordance with the agreement and may not process personal information beyond those parameters, or engage sub-processors without the consent of the personal information processor.
Cross-border transfers require either an assessment or certification, contractual terms in place or compliance with other measures set out by law and regulation. Separate disclosure to and consent from the individual is also required.
Crucially, the PIPL also reserves the right for the national cyberspace department to add companies and individuals infringing on the individual rights set out in the PIPL to a restricted list, and/or to take countermeasures against any country or region placing prohibitive, restrictive or discriminatory measures against China.
Similarly to the GDPR, the PIPL provides for individuals’ rights with regard to their personal information:
- Individuals have the right to be informed, the right to make decisions on the processing of their information and to restrict or refuse processing unless otherwise provided by law and regulation
- Individuals may consult and duplicate their information unless an exception applies
- Processors must provide such information in a timely manner
- Individuals may request the transfer of their information to another processor
- Individuals may request the processor to update or correct their information
- Individuals may request deletion of their information
With the rollout in 2021 of the DSL and the PIPL, China’s laws on data security and personal information have aligned much more closely to other international benchmarks.
It is worth noting that in many areas the PIPL awaits supplementary regulation that has yet to go into effect. Crucial areas that such regulation may clarify include notification requirements, the threshold amount of personal information that would subject a personal information processor to more stringent requirements, and retention periods.
By and large, compliance with GDPR will serve organizations working with the personal data of Chinese residents well, but companies should be reviewing the requirements of the DSL and PIPL to ensure that they are compliant and also well-placed to comply with the anticipated regulation. These moves on China’s part to better protect personal information and grant individuals more access to and rights over their data are welcome measures for those working in the privacy field and with that data.