China’s Personal Information Protection Act (PIPL) is now in force and sets the ground rules for how data is collected, used, and stored. It also describes the data processing requirements for companies based outside of China, including passing a security assessment conducted by state authorities.
Multinational corporations (MNEs) that transfer personal information out of the country will also need to obtain data protection certification from professional institutions, according to the PIPL.
The legislation was passed in August, having undergone a few revisions since it was first introduced in October last year. In force since November 1, the new law was necessary to combat the “chaos” that data had created, with online platforms collecting too much personal data, the Chinese government said at the time.
Personal information is defined as all types of data recorded in electronic or other forms, which relate to identified or identifiable persons. It does not include anonymized data.
The PIPL also applies to foreign organizations that process personal data abroad for the purpose, among other things, of providing products and services to Chinese consumers as well as analyzing Chinese consumer behavior. They will also need to establish designated agencies or appoint representatives based in China to take responsibility for matters related to the protection of personal data.
The new legislation includes a chapter that applies specifically to cross-border data transfers, stipulating that companies that need to transfer personal information outside of China must first conduct “personal information protection impact assessments”, according to Hong Kong Privacy Commissioner’s Office for Personal Data (PCPD).
They will also need to obtain individual consent for the transfer of their personal information and meet one of many requirements. These include accepting a “standard contract” issued by authorities responsible for overseeing cyberspace matters and fulfilling requirements set out in other laws and regulations established by authorities, the PCPD said.
These multinationals should also implement the necessary measures to ensure that other foreign parties involved in data processing comply with the data security standards stipulated by the PIPL.
It’s unclear what the security assessments entail
Leo Xin, senior partner at Pinsent Masons law firm, described the legislation as an “important step” in China’s legal data protection regime and urged multinationals to pay close attention to rules on cross-border data transfers.
Leo said in a post: “Some areas remain unclear and require detailed implementation rules, such as how the security assessment should be handled, what the model clauses for data transfer formulated by the Chinese Cyberspace Administration look like, what will be the approval procedure [if] there is a request for personal information by foreign judicial bodies or law enforcement agencies.”
The legislation further requires that the processing of personal data be clear, reasonable and limited to the “minimum scope necessary” to achieve the stated information processing purposes.
The lawyer recommended that multinationals begin to assess the potential impact of PIPL on their IT infrastructure and data processing activities.
According to the PCPD, the new legislation also covers ‘automated decision-making’ in data processing, in which computer systems are used to analyze and automatically make decisions regarding consumers’ behaviors as well as their habits, interests, finances and health.
Here, companies will need to ensure that these decision-making processes are transparent and fair. Consumers should also be able to opt out of receiving personalized content. Safety impact assessments must be carried out and these reports kept for at least three years.
Businesses that violate PIPL rules may receive a rectification order or warnings. Chinese authorities can also confiscate any “illegal income,” according to the PCPD.
Violators who fail to comply with rectification orders face fines of up to 1 million yuan ($150,000), while the responsible compliance officer may be fined between 10,000 yuan ($1,500) and 100,000 yuan ($15,000).
For “serious” cases, Chinese authorities can also impose fines of up to 50 million yuan ($7.5 million) or 5% of the company’s annual turnover for the previous fiscal year. In addition, its business activities may be suspended or its business permits and licenses revoked.
The Beijing administration last month told local media it would take “targeted action” to address issues it deemed to persist in the digital economy, such as poor data management. According to the South China Morning Post, the Ministry of Industry and Informatics was continuing its scrutiny of the internet sector as part of a six-month campaign that began in July.
The ministry recently asked 43 apps to make corrections after it was discovered they had illegally transferred user data.
The Cyberspace Administration of China (CAC) in July ordered the Chinese ridesharing platform Didi to remove its app from local app stores after it violated regulations governing the collection and use of personal data. Didi was tasked with rectifying “existing problems” and “effectively protecting” users’ personal data.
In May, the CAC called out 33 mobile apps for collecting more user data than it deemed necessary to offer their service. These companies, which included Baidu and Tencent Holdings, were also asked to make corrections.
Tencent said last month that it was forming a committee to assess its user data protection and privacy policies. The team would include technical, legal and media professionals as well as members of the public, the Chinese tech giant said. The committee would then make recommendations on improvements, if and where necessary, to better protect user privacy.