Protection of Personal Data in China


Introduction

In the fall of 2021, two new data privacy and security rules in China went into effect. These laws are anticipated to have an influence on many global corporations operating in China or whose operations touch China. Data localization, data export, and data protection rules that first emerged in the Chinese Cybersecurity Law in 2017 are further outlined in the Data Security Law and the Personal Information Protection Law.

China has recently passed several significant data protection laws, including the Personal Information Protection Law (PIPL), which went into effect on November 1, 2021, and the Data Security Law (DSL), which went into effect on September 1, 2021. These laws have also been accompanied by a number of implementation regulations and administrative rules. The PIPL, in particular, creates a brand-new, comprehensive regulatory framework for the protection of personal information in China, relying heavily on consent as the basis for data collection and handling, enacting provisions with extraterritorial effects, limiting cross-border data transfers, and enforcing stiff fines based on revenue for violations.


These new laws, particularly their requirements on the processing of personal information and cross-border data transfer, will present significant challenges for companies conducting or responding to investigations in China, such as when they respond to a foreign government regulator’s investigation that touches on parts of their China-based businesses, or when they need to produce evidence in offshore judicial proceedings.

In a normal inquiry, data from employees, including HR files, email, mobile phone, and company device data, is routinely gathered, accessed, and analysed. Personal information as defined by the PIPL, such as the employee’s name, date of birth, address, phone number, email address, educational background, employment history, etc., may be present in such employee data. Under the PIPL, express and informed consent must generally be obtained from data subjects for processing of personal information.

On November 1st, 2021, China’s Personal Information Protection Law (PIPL) came into force. The PIPL is the third of three Chinese laws—along with the Cybersecurity Law and the Data Security Law—designed to give a comprehensive approach to cybersecurity, data security, and data privacy.

On June 1, 2017, the Cybersecurity Law (CSL) came into force, effectively combining various cybersecurity-related laws and regulations under a single umbrella. The CSL aims to defend China’s security interests, fight online crime, and enhance data and network safety. It is supplemented by a number of standards and directives, some of which are not enforceable by law.

The CSL expanded the focus of cybersecurity law in China from ISPs alone (defined as operators or providers of websites) to both ISPs and network operators. ‘Network operators’ are very broadly defined as any company owning or operating a computer network.

Some key concepts in the CSL:

  • Critical information infrastructure operators (CII operators): defined as organizations processing data which has the potential to seriously endanger Chinese national security, national welfare, people’s livelihood or public interest if destroyed, damaged or leaked. CII operators are subject to more stringent requirements and oversight due to the sensitivity of the information they handle.
  • Data localization: certain categories of data must be stored in China, rather than overseas.
  • Restrictions on cross-border transfers.
  • Increased requirements for disclosure to and consent of individuals whose data is being collected.

Data Security Law (DSL)

On September 1, 2021, the Data Security Law (DSL) went into force. It broadens the CSL’s coverage of certain topics by emphasising national security and classifying data according to how important it is to Chinese national security. This in turn has an impact on how the data may be transferred and stored.

The two main categories are core data, which can be broadly characterised as data involving Chinese national or economic security, Chinese citizens’ welfare, or substantial public interests, and important data, which is the level below core data. However, the DSL itself does not explicitly define what constitutes core and important data. The DSL also adds various limitations on CII operators and increases the localization and cross-border transfer requirements for core and important data. For instance, CII operators must make sure that data created in China is stored there and that it has undergone a security evaluation before being sent abroad.

A key provision of the DSL forbids CII operators and other types of network operators from providing any data stored in China to any foreign judicial or law enforcement body without first receiving approval from Chinese authorities. This has led to it being viewed in some circles as a response to the USA’s CLOUD Act. The DSL also introduces guidelines for establishing and enhancing data security, as well as for notifying users and authorities of data breaches. Companies with operations in China that handle important or core data must appoint a person or group to be in charge of data security and submit recurring risk assessments to the authorities. Penalties run to approximately $100K CAD, as well as the potential for a business to lose its license to operate.

Personal Information Protection Law (PIPL)

The Personal Information Protection Law (PIPL), the most recent of the three laws, went into force on November 1, 2021, and it shares many features with the EU GDPR. The PIPL was created to safeguard personal data, control how it is processed, and encourage its ethical usage. Unlike the CSL and DSL, it limits itself to data about natural persons.

The PIPL also has extraterritorial scope whenever businesses outside China process the personal information of Chinese residents for the purpose of:

  • Providing products or services to domestic natural persons.
  • Analysing and evaluating the activities of domestic natural persons.
  • Other circumstances as provided by laws and administrative regulations.

In general, like similar regulations such as the GDPR or PIPEDA, the PIPL defines personal information as data pertaining to identified or identifiable natural persons that has been recorded by electronic or other methods. Similar to the GDPR, the PIPL distinguishes between entrusted parties, which are similar to the GDPR data processor, and personal information processors, which are essentially analogous to a GDPR data controller.

Importantly, the PIPL also reserves the power for the national cyberspace agency to add businesses and people who violate PIPL rights to a restricted list and/or take countermeasures against any nation or territory that imposes prohibitive, restrictive, or discriminatory measures against China.

Conclusion

China’s regulations on data security and personal information are now considerably more in line with other international standards thanks to the implementation of the DSL and the PIPL in 2021. It is important to keep in mind that, in many areas, the PIPL is still awaiting supplementation by regulations that have not yet taken effect. Important areas that regulation may clarify include notice obligations, the amount of personal information needed to meet stricter requirements, and retention durations.

In general, GDPR compliance will benefit firms working with Chinese residents’ personal data, but businesses should study the DSL and PIPL standards to make sure they are compliant and in a good position to comply with the upcoming law. For those who work in the privacy sector and with that data, China’s efforts to better safeguard personal information and give citizens more access to and control over their data are positive steps.

Author: Tanya Saraswat. In case of any queries, please contact/write back to us at support@ipandlegalfilings.com or IP & Legal Filing.