China doesn’t have a single law governing data protection. Instead, its data protection rules are spread across a larger and complex regulatory framework that also covers many other subjects. Three laws form the foundation of China’s personal information protection model: the Cybersecurity Law (CSL), the Personal Information Protection Law (PIPL), and the Data Security Law (DSL).
Two of those laws, the Personal Information Protection Law (PIPL) and the Data Security Law (DSL), only came into force in the final quarter of 2021, and they could have ramifications for multinational companies that are operating out of China or have operations on the mainland. They build on the regulations originally enforced in 2017 under the Chinese Cybersecurity Law, which largely cover data localization, data export, and data protection requirements.
We are going to delve into the new laws and what they mean for major foreign companies or multinational companies working out of China.
Understanding The Data Security Law (DSL)
The China Data Security Law, also known as the DSL, is part of a framework used to classify data collected and stored in China that could have an impact on national security. The law governs the storage and transfer of that data according to its level of classification. Although this has never been confirmed, the law is believed to be a direct response to the US Clarifying Lawful Overseas Use of Data Act (CLOUD Act), which gives US enforcement agencies the authority to compel companies under their jurisdiction to produce data regardless of the country in which it is stored.
Under the DSL, ‘core data’ is roughly any data related to the Chinese economy and national security. The Chinese government treats the ‘welfare and significant public interests’ of the Chinese people as warranting the highest level of regulatory protection.
The DSL defines ‘important data’ as the next most sensitive category after core data, but its actual scope is less clearly defined. Chinese authorities are expected to issue a catalogue of what counts as important data in the near future; until then, it is largely guesswork. The DSL does imply, however, that it covers any data activity taking place in China, and extraterritorially where the data is deemed to affect national security or run against the public interest.
Transfer of Data and Localization
Data can be listed as ‘core’ or ‘important’ under the DSL at the authorities’ discretion, and that classification triggers data localization and data transfer requirements. This is especially true for certain types of data handler. Critical Information Infrastructure Operators (CIIOs), which handle all kinds of data from information networks, natural resources, and so forth, must store that data in China, and it must undergo a self-assessed security check before China-originated data is allowed to be sent overseas. Non-CIIOs may have to abide by additional rules and regulations developed under the DSL.
Regardless of the data’s sensitivity and content, CIIOs and non-CIIOs alike are not allowed to provide data stored in China, whether or not it was originally collected in China, to any foreign law enforcement agency or judicial system unless the transfer has been approved by the Chinese government. Companies that violate these rules are subject to heavy fines and penalties for breaking ‘core data’ laws. The fines can reach RMB 10 million, which currently equates to roughly US$1.56 million. The company can be forced to shut down and can even face criminal liability. For violations involving ‘important data’, the PRC can impose fines of up to RMB 5 million, approximately US$780,000 at the time of writing.
Downstream Data Handling
The DSL has a wider scope than you might think: it goes beyond initial data collectors and also affects downstream ‘intermediary services’ where data is used and collected for commercial purposes. Downstream data handlers must ask data providers to reveal their data sources and where they obtained their information. It is the data handler’s job to verify the identities of the parties to a data transaction, retain those verification records, and keep access to the transaction records. A data handler that fails to follow these processes can be fined up to RMB 2 million, currently around US$300,000, can be forced to shut down operations, and can have its business licenses revoked.
The DSL requires any company doing business in China to maintain solid data security systems and to keep improving their efficiency and safety. Companies are expected to initiate remedial measures as soon as any data breach is noticed or flagged, and in that scenario they must inform the relevant authorities of the issue.
If a company handles sensitive data that is at least at ‘important data’ levels, they need to designate either a staff member or an entire management department that can perform regular risk assessments and present that to the PRC. If a business doesn’t perform those assessments and fails to inform the authorities, it can be fined up to RMB 500,000 (US$77,700). If the company then doesn’t fix those issues or if a large-scale data leak ensues because of that issue, the company can be fined up to RMB 2 million (US$300,000). The company can also be forced to shut down operations and have its business license revoked.
Understanding The Personal Information Protection Law (PIPL)
The Personal Information Protection Law, more commonly known by its acronym PIPL, is the first Chinese legislation to offer comprehensive regulatory protection for personal information. It was modelled on the best aspects of the EU’s General Data Protection Regulation (GDPR).
The PIPL defines ‘personal information’ as any information “related to identified or identifiable natural persons stored in electronic or any other format.” Even where the data on its own is not enough to be linked to a specific or identifiable person, the PIPL still applies. Personal information that has been fully anonymised, however, is not covered by the PIPL.
The collection, use, storage, disclosure, deletion, transmission, or organization of data generally falls under the PIPL framework if it involves a data subject in China, but the scope does not stop there. Activities, products, and services outside China that are tailored to people in China, or that analyse the behaviour of people in China, also fall under the law. Companies that violate the PIPL face penalties of up to RMB 50 million (US$7.78 million) or 5% of the company’s yearly profits.
Here are some of the key obligations and rules that the PIPL places on data handlers:
Requirements of Consent
Data handlers can’t simply collect someone else’s personal data without first obtaining clear consent from the persons or companies in question. ‘Sensitive personal information’ covers a wide range of categories, such as health, religious beliefs, biometrics, information about young children, and geographical location; collecting or handling it must follow the stricter data protection rules laid out in the PIPL.
There are some exceptions to this rule. The law exempts data handlers from the consent requirement where the handling relates to performance-related or statutory duties. Other exemptions include emergencies where life or property is at stake, news reporting on matters of public concern, and information that is already in the public domain.
Data Deletion and Data Localization Requirements
Once the amount of information a data handler processes reaches a certain threshold, data localization requirements apply. At that point the data handler must appoint a dedicated personal information protection officer who supervises the handling of this large volume of personal data and ensures it is protected appropriately.
When the purpose of the personal information data handling has been reached, the data handler by law must delete the data. It must also be deleted if the collected information no longer serves the agreed purpose or if the service is not being provided any longer.
Restrictions on the Transfer of Personal Info Overseas or to Third Parties
Data handlers can’t just transfer personal data any way they like. If it’s going to third parties that are in or outside of China, the handlers must obtain informed consent from the data subjects. The handlers must also ensure that any data or methods for handling the data are in line with terms that are agreed to by the data subject.
For cross-border transfers, data handlers must ensure that the foreign entity receiving the data has data protection rules in place that are no less stringent than those of the PIPL. Additional requirements may apply depending on the data’s classification. For instance, companies or CIIOs with access to large volumes of personal data must complete a mandatory security review by the Cyberspace Administration of China before any data is transferred overseas.
Following General Compliance Requirements
If you are a company handling personal data, the PIPL requires you to perform self-audits designed to identify security risks that could result in data breaches, and to implement policies and safeguards that address any issues found. The rules may be applied more stringently if the company is a ‘major internet service platform’, has a massive number of users, or engages in complex business activities, although these terms are not clearly defined by the law.
Companies that use algorithms or any kind of automated decision-making system to analyse data must adhere to the fairness and transparency rules set out in the PIPL. The PIPL also prohibits discriminatory pricing and marketing strategies that use a data subject’s personal information to sell to them.
What are the Implications?
Now you know more about the DSL and PIPL, what does it mean for multinational companies that have operations in China? Let’s take a look at that.
Reassessing Existing Storage Processes of Data Coming from China
If you are a multinational company operating in China, it is advisable to assess your operations against these DSL and PIPL requirements; if you are not following the required processes, you will need to reconfigure your business or IT systems to comply with PRC data protection rules. If you are unsure, liaise with local PRC counsel before moving any data in or out of China.
Sending Chinese Data to Foreign Courts or Foreign Law Agencies
It is important to pay attention to the legal changes governing the provision of Chinese data to foreign regulators, agencies, and courts. In the past, multinational companies operating in China could simply respond to foreign regulators or subpoenas requesting data, and could send the data without any approval from the Chinese government, even when it concerned Chinese multinational companies or individual Chinese persons. The same was true of foreign litigation: multinational companies could collect documents in China without PRC approval.
Times have now changed. Providing or sending data in and about China now requires approval under the newly enacted PIPL and DSL, as well as under other laws the PRC has enforced since 2018, such as the Criminal Judicial Assistance Law and Article 177 of the Chinese Securities Law. Multinational companies in China that seek to comply with foreign and US regulations on information requests, or with litigation demands, now need to obtain approval, via Chinese counsel, before such data is transmitted overseas.
PIPL Restrictions on Marketing
Because the new PIPL rules regulate how companies use personal information, they also affect companies that use the personal information of prospective customers for marketing. As mentioned above, any company whose algorithms or automated systems discriminate against certain groups of consumers is now heavily regulated by the PIPL. Consent is now required from prospective customers, so multinational companies that court prospective Chinese customers by feeding personal information into marketing algorithms for products or services may well contravene the PIPL. Seek legal advice before using advanced algorithms and these types of marketing strategies, or you could find yourself in deep water.