Although China’s Personal Information Protection Law (PIPL) is still in the drafting phase, it has already caught the attention of international companies doing business in China. And rightly so: this historic change in China’s approach to regulating individuals’ data and privacy is something that companies should prepare for.
To this end, on February 25th we held a webinar with some experts on the ground, who answered some FAQs, outlined the law’s key features, and shared their recommendations.
- Zach Lichtblau, partner at Shanghai’s Bonnard-Lawson law firm and partner at Equasia
- Lawrence Federman, founder and CEO at Asia Advisers
Here are some of their insights:
What is considered “personal information”?
As defined by the PIPL’s second draft, personal information is information recorded electronically or by other means that identifies or can identify an individual. This does not include anonymized data that cannot be traced back to the user.
Under what conditions is it possible to collect information?
6 core principles summarize the essence of this law:
- Legality – data processing has to be done in a lawful manner
- Explicit purpose – information can only be collected for a legitimate and specific purpose
- Minimum necessity – information can be collected only to the minimum extent necessary for the purpose
- Transparency – the data handler must notify the data subject that information about them has been collected
- Accountability – the data handler is accountable to the data subject
- Data security – the data handler needs to ensure data is handled in a secure way and prevent data leakages or misuse
To sum up, companies can collect data about any relevant third party, bearing in mind that the means by which the information was collected must be in line with the purpose it was gathered for in the first place. Naturally, the more information a company collects, the higher the risks. The most important condition to remember is that information can be collected and stored only with the consent of the individual and in full transparency, just as required by the European General Data Protection Regulation (GDPR).
When will the law take effect?
Because the law is still a draft, it is uncertain when it will be officially enacted; local experts speculate that this will be in early 2022. At this point, with Chinese interpretations of the law still ambiguous, it is advisable to keep up to date with local experts’ predictions and seek out China business support where needed.
How long can companies store and retain company data?
When the company itself collects information, it shouldn’t keep the data longer than needed, except with consent. In recruitment in China, for example, once the position has been filled and there is no longer a need to keep the leftover CVs, simply get rid of them.
For the same reason, when cooperating with a third party who holds some of the company’s information, it should be agreed and documented in the contract how the information is handled after the employment relationship ends.
What are the implications regarding cross-border data transfers?
Exporting data from China is an important issue for the Chinese authorities, with some experts stating that Beijing could go as far as treating any breaches as a threat to national security. So when transferring information outside of China, there are additional requirements that must be met. The Chinese law stipulates explicitly that, under certain circumstances, it also applies to companies based outside of China that hold information about Chinese citizens residing in China.
What are the sanctions imposed for non-compliance with the law?
Failure to comply with the law is considered a criminal offense that may result in arrest. Due to the similarity between Chinese law and its European counterpart (GDPR), it is estimated that many of the penalties in China will be similar to those in Europe. For example, such fines can amount to 50 million RMB (over 7.5 million USD), or up to 5% of the company’s annual turnover.
5 tips to take away
- Remember to notify all your data subjects about your intention to collect their data and perhaps transfer it. Remember to get their prior consent!
- When transferring information out of China, try as much as possible to de-identify / anonymize the data.
- If you work with local agencies, job advertising sites, etc. – ensure that your partners also meet the requirements of the law and that they also get the consent of their end-users.
- Define your course of action by assessing your risk tolerance, and your exposure to the law.
Thanks to our speakers, participants, and everyone who took part! As always, we at PTL Group will be happy to assist you at every stage of your China journey.