
Another Day, Another Jurisdiction: China Is Most Recent to Enact Sweeping Privacy Regulation

November 16, 2021

Reprinted with permission from the November 15, 2021 edition of The Legal Intelligencer © 2021 ALM Media Properties, LLC. Further duplication without permission is prohibited. All rights reserved.

by Devin Chwastyk and Christian Wolgemuth

The Personal Information Protection Law of the People’s Republic of China (PIPL) went into effect on Nov. 1 and brought with it a suite of new requirements and lingering questions. Organizations already complying with the European Union’s General Data Protection Regulation (GDPR) will find many of the PIPL’s requirements familiar, but GDPR veterans and newcomers alike will need to pay close attention to the distinct privacy rules of the most populous country in the world. This article touches on a few of the points organizations need to be aware of as they begin adapting their compliance programs to the PIPL.

The PIPL uses its own terminology, much of which maps closely onto words and phrases used heavily in the GDPR. For example, the PIPL defines “personal information handlers” as organizations and individuals that, in personal information handling activities, autonomously decide handling purposes and handling methods. Those familiar with the GDPR will recognize the parallel between the PIPL’s “personal information handlers” and the GDPR’s “data controllers.”

Just as the GDPR does for data controllers, the PIPL requires that personal information handlers have a valid legal basis before collecting personal information. Consent is the default basis unless the collection is necessary to perform a contract with the individual or certain other conditions are met. But limits on collection are only the beginning of PIPL compliance, as the law imposes a variety of additional obligations on businesses interested in the Chinese market.

Personal Information Protection Impact Assessment

Like the GDPR, the PIPL requires information handlers to conduct a personal information protection impact assessment (PIPIA) in advance of any of the following activities: handling sensitive personal information; using personal information to conduct automated decision-making; entrusting personal information handling, providing personal information to other personal information handlers, or disclosing personal information; providing personal information abroad; or undertaking personal information handling activities with a major influence on individuals.

The PIPIA must consider whether the personal information handling purpose, handling method, and the like are lawful, legitimate, and necessary; the influence on individuals’ rights and interests, and the security risks to those interests; and whether the protective measures undertaken are legal, effective, and suitable to the degree of risk. Organizations must retain their PIPIA reports and handling records for at least three years. Furthermore, when performing assessments, organizations must measure their activities against the principles set out in Articles 5-9 of the PIPL. Those articles state:

Article 5: The principles of legality, propriety, necessity, and sincerity shall be observed for personal information handling. It is prohibited to handle personal information in misleading, swindling, coercive, or other such ways.

Article 6: Personal information handling shall have a clear and reasonable purpose, and shall be directly related to the handling purpose, using a method with the smallest influence on individual rights and interests.

The collection of personal information shall be limited to the smallest scope for realizing the handling purpose, and excessive personal information collection is prohibited.

Article 7: The principles of openness and transparency shall be observed in the handling of personal information, disclosing the rules for handling personal information and clearly indicating the purpose, method, and scope of handling.

Article 8: The handling of personal information shall ensure the quality of personal information, and avoid adverse effects on individual rights and interests from inaccurate or incomplete personal information.

Article 9: Personal information handlers shall bear responsibility for their personal information handling activities, and adopt the necessary measures to safeguard the security of the personal information they handle.

Pre-Disclosure Requirements

Completing a PIPIA does not, by itself, free a personal information handler to share or disclose personal information. Before disclosing personal information to a third party, the handler must also notify the individuals and obtain their separate consent. The notice must include the recipient’s name and contact method, the handling purpose, the handling method, and the categories of personal information being disclosed.

Transfers outside China’s borders carry a further requirement. To lawfully provide personal information to a recipient abroad, the handler must satisfy one of four conditions: pass a security assessment organized by the State cybersecurity and informatization department; obtain a personal information protection certification from a specialized body in accordance with the rules of that department; enter into a contract with the foreign recipient based on a standard contract formulated by that department; or satisfy “other conditions” provided in laws or administrative regulations or by that department. Organizations that rely on standard contractual clauses under the GDPR will recognize the concept of prescribed contractual terms. To the understandable frustration of organizations doing business in China, as of this writing none of the details or specifics of those four conditions have been published.

Territorial Representative

The PIPL applies to the handling of personal information within China’s borders, but in a final parallel to the GDPR (which requires a representative in the EU under Article 27), the PIPL also requires personal information handlers located outside China that fall within its reach to appoint a dedicated entity or representative within China. The appointed entity is responsible for matters arising from the personal information the organization handles, and the organization must report the appointed entity’s name and contact information to the government agencies that regulate personal information protection.

This extraterritorial hook applies to data handlers located outside of China under the following circumstances:

  • Where the purpose is to provide products or services to natural persons inside China’s borders;
  • Where conducting analysis or assessment of activities of natural persons inside China’s borders;
  • Other circumstances provided in laws or administrative regulations.

Many “personal information handlers” located outside of China are likely to find that they have more questions about the implementation of the PIPL than answers. Fortunately, many of the concepts the PIPL mandates are similar enough to the GDPR to give organizations a head start on compliance. If nothing else, the short runway between the PIPL’s passage in August 2021 and its Nov. 1 effective date highlights the need for organizations to keep both their business and their data privacy practices flexible enough to adapt quickly to new privacy laws.

Devin Chwastyk is a member of McNees Wallace & Nurick and the chair of the firm’s privacy and data security group. Christian Wolgemuth is an associate in the firm’s privacy and data security group and previously worked as a cybersecurity consultant for an international accounting and consulting firm.