On 1st November 2021, the new ‘Personal Information Protection Law’ (PIPL) will take effect. PIPL is the PRC’s (People’s Republic of China) new data protection law, and in some instances it can apply to organisations based outwith China. Similar to the GDPR, PIPL has the potential to bring significant sanctions on organisations that do not comply.
Could PIPL apply to your organisation? Extraterritorial Effect
If your organisation is based in PRC then you will of course need to comply with PIPL, but PIPL also has extraterritorial effect (similar to the GDPR) which means that it can apply to businesses located outwith the PRC in certain circumstances:
- when a non-PRC organisation’s processing activities are for the purpose of providing products or services to individuals within PRC; and/or
- when a non-PRC organisation’s processing activities are for the purpose of analysing and/or assessing the conduct of individuals within PRC; and/or
- in any other situation as provided for by law or regulations.
If your organisation falls within any of the above tests then you may have to consider reworking your data processing procedures and/or IT infrastructures to comply with PIPL. For example, if your parent company is based in the UK but you have a global IT function which monitors the performance of employees on a worldwide basis, and you have offices in the PRC, then you may fall within test 2 and need to comply.
What does this mean for your organisation?
Those companies which are already familiar with UK and/or EU GDPR rules should find a transition to the PIPL easier, given the similarity of the PIPL to the GDPR. However, there are differences in the laws and updates to policies and procedures will be required.
Those companies which deal with personal data in China but are still operating outside of China will need to establish either a “dedicated office” or appoint a “designated representative” in China, who will ensure that all processing activities are compliant with the PIPL. This mirrors the GDPR’s “EU Representative” requirement, which stipulates that a Representative should be appointed to oversee the activities of offshore controllers when data is being transferred outside of the EEA. Now this requirement will be reciprocal; many EU/UK-based companies which offer services or products to consumers in China will now need to appoint representatives or establish offices in China to oversee their data compliance.
And if your organisation doesn’t comply? Sanctions and Damages
Failure to comply with the new PIPL could result in sanctions imposed by the Cyberspace Administration of China (CAC) and/or in damage claims from individual data subjects.
The CAC can issue correction orders, suspensions, and even cessation of business orders. For more serious breaches of the PIPL, CAC will be able to confiscate unlawful gains of up to RMB 50 million or 5 percent of business income in the preceding year. Moreover, the CAC has the ability to impose fines ranging from RMB 100,000 to RMB 1 million.
As for damages, not only does the PIPL allow for claims relating to unlawful financial gain, but it also allows claims where any benefits were obtained by the personal information handler through misuse of personal information. In these claims, the burden shifts to the personal information handler who must show that they have complied with the PIPL. It is also important to note that where the handlers jointly control and process personal information, all personal information handlers assume liability jointly and severally – regardless of what their contractual arrangements may stipulate.
There are still details to be clarified
Although the PIPL has been long-awaited, there are still a lot of things that must be clarified. There is a litany of clarifications which we are expecting from CAC, which might alter how we handle data even more, especially in relation to extra-territorial processing.
- The Threshold: the CAC has yet to clarify a ‘threshold’, which concerns a certain volume of personal information. This threshold is important because, if the amount of data being transferred out of China exceeds this threshold, then the processor must pass a security assessment organised by the CAC.
- The Personal Data Protection Certification: the aforementioned certification which would allow extraterritorial data transfers will be issued by an appropriate accreditation agency. However, the provisions which govern that accreditation have yet to be issued by the CAC.
- Contracts for Extraterritorial Data Transfers: as with the Standard Contractual Clauses given with the GDPR for extraterritorial data transfers (which have just been updated recently), the CAC plans to issue a model contract which will delineate the rights and obligations of each party in foreign transfers.
- More regulations: the PIPL indicates that the CAC will be making further laws and regulations in relation to data protection and extraterritorial transfers. As such, there could be more development – watch this space.