Recently, the National People’s Congress of the People’s Republic of China (“NPC”) passed a privacy law – the Personal Information Protection Law (“PIPL”), which closely resembles the European Union’s (“EU”) General Data Protection Regulation (“GDPR”) in terms of its provisions. A draft of the law has been issued on two separate occasions (with subsequent amendments): the first version was released at the end of 2020, and the second was released for public consultation in early 2021. The finalised version of the law shall come into effect from 1st November 2021. At this point, the Chinese government has not released a full text version of the law – it shall be released in the public domain soon. In the meantime, it is worth looking at the provisions that shall come into force, alongside their potential implications.
The PIPL is being touted by technology experts across the globe as one of the world’s toughest laws on personal data security. One of its primary provisions makes it significantly harder and more expensive for technology firms in China to access and use consumer information, with a far-reaching impact from the cross-border perspective. As the Chinese government is also passing the Data Security Act (which shall go into effect next month), it is being speculated that the government’s hold over technology companies in the country is going to be tightened. Although the PIPL is being compared with the GDPR in terms of its robustness and cross-border applicability, it differs from the GDPR in the broad access to data that the Chinese government will be allowed under the law’s mandate. By contrast, countries that abide by the GDPR have always been sensitive about the access, collection, and storage of data.
The PIPL makes a distinction between major internet platforms and smaller entities in terms of how they should handle personal data, so as to be more transparent and fairer. It will require any organisation or individual handling Chinese citizens’ personal data to minimise data collection and to obtain prior consent. When generating push notifications and promotional content through an automated process, personal data handlers will have to provide non-personalised content or offer consumers the option to reject such content. It also states that companies need to obtain individual consent before collecting sensitive personal information such as biometrics, medical health, financial accounts, and location. The law will ban internet companies from using big data to set discriminatory prices for users. Further, the law bans “algorithmic discrimination” – a common practice among Chinese internet companies whereby a platform charges different prices to different users based on how much it thinks they are willing to pay. In the event of a violation, if a platform illegally collects personal information, regulators can suspend or terminate the provision of its services. In addition to activities within China, the PIPL exerts extraterritorial jurisdiction over data processing activities that happen outside China if the purpose is to provide products or services to individuals located in China, or to analyse or assess the behaviour of individuals located in China. Overseas companies caught by the extraterritorial jurisdiction of the PIPL should establish a dedicated entity or appoint a representative in China to handle matters relating to the protection of the personal information they collect, and file the details of that entity or representative with the competent government authorities.
Foreign organizations or individuals may be put on a “blacklist” that would restrict or prohibit them from receiving personal information from China if they infringe the personal information rights and interests of Chinese citizens or harm the national security or public interest of China.
Some important provisions that were included in the previous draft of the PIPL and have found their way into the final version are as follows:
- Data Subject Rights. The PIPL provides for various data subject rights. These include a right to information and explanation regarding the data processing. Individuals will also have a right to access, a right to correction, a right to object to processing, a right to withdraw consent and a right to deletion.
- Localisation. Critical information infrastructure operators and entities that process personal information above a certain volume (the threshold is currently unspecified) are required to store the personal information collected and generated within the borders of China. If information needs to be transferred overseas, the company will have to pass a security assessment organised by the Cyberspace Administration of China.
- Cross-border Transfers. In addition to the security assessment for certain organisations, the law requires notice and consent for cross-border transfers. Companies must carry out an internal risk assessment prior to transferring data out of China and keep records of such transfers. A lawful transfer mechanism, such as a standard transfer agreement or a security assessment administered by the Cyberspace Administration of China, is also required.
- Data Breach Notification. In the event of a data breach, the Draft PIPL requires entities to take “immediate” remediation actions and to notify the relevant agency and the affected individuals. The text itself does not provide a time limit for notification (e.g., 72 hours).
- Penalties. Under the PIPL, an organisation that unlawfully processes personal information or fails to take the necessary security measures to protect personal information may be subject to a baseline fine of up to 1 million RMB. If the violation is considered serious, the fine may be increased up to 50 million RMB or 5% of the organisation’s annual revenue for the prior financial year. The fine is similar to the one laid down under the GDPR, which is €20 million or 4% of the firm’s worldwide annual revenue from the preceding financial year, whichever amount is higher.
As China pushes towards establishing a data governance framework that seeks to ensure the security of what it deems “important data”, it is putting limits on how businesses can collect and use sensitive personal information, while encouraging the circulation of less sensitive data to unleash its economic value. Of late, it has been cracking the whip on its technology giants, and a variety of state and consumer organisations have kept coming up with rules and advisories to regulate their operations. In January this year, the China Consumers Association came out with a statement slamming tech firms for “bullying” consumers into making purchases and promotions. Further, China’s State Administration for Market Regulation (SAMR) has released draft rules to foster fair competition, while its Ministry of Industry and Information Technology has issued a warning to 43 apps after finding that they were illegally transferring user data. Against this backdrop, it shall be interesting to see how the PIPL adds to the ongoing controversies, and how the government’s actions pan out in the longer run.