A “Chinese GDPR”, is my company concerned?
On November 1st 2021, the Chinese Personal Information Protection Law (PIPL) came into force. This law forms a Chinese legislative trilogy which now consists of the PIPL, a cybercrime law and a data security law.
This legislative package has a double objective, namely the protection of citizens’ personal information and the regulation of the activities of Chinese digital giants.
How does the PIPL affect you?
Although it is a Chinese law, its territorial scope is rather broad. Therefore, its provisions may apply to you!
In which cases?
The PIPL applies to the processing of personal data carried out on Chinese territory.
The PIPL also applies to data processing involving individuals located in the territory of China, even if the entity processing the data is established outside the territory of China in 3 cases:
- The purpose of the processing is to provide a product or service to individuals located in the territory of China.
- The processing consists in the monitoring of the behaviour of individuals located on Chinese territory.
- In any other situation where a Chinese law provides for the application of the PIPL.
Therefore, if you process data of individuals located in China, regardless of their nationality, in order to track their behaviour or offer them goods or services, you will be subject to the Chinese Data Protection Law.
Please note, however, that when we refer to the Chinese territory, we mean the mainland of the People’s Republic of China. This does not include the areas of Hong Kong or Taiwan.
What are your obligations if the PIPL applies to you?
In addition to the other obligations imposed on any entity that processes personal data, a company that is not established in China but is nonetheless subject to the PIPL must appoint a data protection representative based in China. His or her contact details must be provided to the data protection authority.
PIPL and RGPD: the same thing?
The content of the Chinese data protection law is comparable in many ways to the GDPR.
The Chinese law provides for fundamental principles as does the GDPR (fairness, specific purposes, minimisation, transparency…).
The definitions of “personal data” and “processing” are comparable to the ones found in the GDPR. However, the Chinese definition of sensitive data does not correspond to our definition of specific categories of data (e.g. itinerary tracking, data of a minor under the age of 14 years old, accounts opened in financial institutions are listed as sensitive data in the PIPL).
Furthermore, the lawfulness of data processing is subject to the prior, informed, clear and explicit consent of the data subject. In certain circumstances, additional consent must even be obtained (change of processing modalities, processing of sensitive data, transfer of data outside the Chinese territory…).
In the absence of consent, processing can only take place if:
- it is necessary for the performance of a contract or for the management of human resources;
- it is necessary to comply with legal obligations;
- it is necessary to respond to public health or public safety incidents;
- it is necessary for carrying out reporting, public opinion monitoring and other such activities in the public interest;
- where the information has been made public by the person concerned himself or herself or by lawful means;
- in other circumstances defined by law.
Regarding the rights of data subjects, the PIPL includes the rights provided for in the GDPR, to which is added the right of relatives of a deceased to exercise, for their own interests, the rights that the deceased had over his or her data.
In addition, the PIPL also provides for a series of obligations for the data controller (security, information and transparency, reporting, appointment of a data protection officer, auditing, prior analysis of data, increased transparency and right to explanation in case of automated data processing) as well as additional obligations for platform providers holding a gatekeeper position.
Finally, the PIPL makes specific provision for state bodies that process personal information in order to fulfil their statutory duties and responsibilities. The PIPL provides that they must do so in accordance with their statutory powers and procedures and that they may not exceed what is necessary to fulfil their duties and responsibilities.
Furthermore, personal information processed by State organs must be stored on the mainland of China. If it is really necessary to transfer the data abroad, a security assessment should be undertaken.
What about data transfers between the EU and China?
According to the PIPL, you can transfer data outside China if one of the following conditions is met:
- the recipient has passed a security analysis set up by a competent authority;
- the recipient has received a data protection certification from a professional agency;
- the sender and the recipient of the data have entered into a standard contract issued by a competent authority which stipulates the rights and obligations of each party;
- a law provides for the transfer.
In this case, the person sending the data abroad must:
- take the necessary measures to ensure that the recipient’s processing of the data is as protective as the PIPL;
- fulfil an obligation to inform data subjects about the recipient and about the transfer;
- obtain the consent of the data subjects.
The PIPL also provides that companies and individuals may not provide personal information stored in China to foreign judicial bodies without the prior consent of the relevant authorities.
Finally, where foreign organisations or individuals process data in a manner that is inconsistent with the rights and interests of Chinese citizens or is detrimental to China’s national security or public interest, the Cybersecurity Department may restrict or prohibit the transfer of personal information to such organisations.
What are the risks if you do not comply with the PIPL?
The State Department of Cybersecurity and Computerization and certain departments of the State Council have jurisdiction over the protection of personal information.
In case of violation of the Chinese law, 3 types of sanctions can be deployed:
- An administrative fine of up to RMB 50 million (approximately EUR 6,800,000) or 5% of the company’s turnover.
- An order to pay compensation for the damage suffered by the data subject as a result of the data breach.
- Imposition of other criminal penalties under Chinese criminal law.
In practical terms, you are potentially subject to China’s new data protection legislation if:
Concrètement, vous êtes potentiellement soumis à la nouvelle législation chinoise sur la protection des données lorsque :
- You process data for a Chinese company
- You receive data from a Chinese company
- You process data about people located in China when you:
- monitor the behaviour of these individuals;
- offer services or goods to Chinese customers (for example if your e-commerce website is available in Chinese and accessible in China).
In these situations, you must comply with Chinese data protection laws.
If you are not subject to the PIPL but receive data from a company that is itself subject to the PIPL, the transfer is only legal if it fulfills Chinese law’s requirements. This may require you to obtain a certification or a positive assessment from a particular Chinese authority.
This article was written with Mr Jun YANG, Managing lawyer of Lexing China. Feel free to contact him (in French or in English).