China pushes through data protection law that applies cross-border

Effective from November 1, the Personal Information Protection Law details rules around data collection, use, and storage, including requirements for foreign companies operating in China to appoint a local entity or representative responsible for its compliance.
Written by Eileen Yu, Senior Contributing Editor

China has pushed through a new personal data protection law that details regulations around collection, use, and storage. It includes data processing by companies based outside of China and encompasses requirements for organisations, such as being required to appoint an individual within China that is responsible for ensuring compliance with the new law.

The Chinese government on Friday passed the Personal Information Protection Law (PIPL), outlining a set of rules on how personal data should be collected, used, and stored. Since the law was pitched last year, it went through a couple of revisions before being passed.

To come into effect from November 1, the Bill was approved to address the "chaos" data has created, with online platforms over-collecting personal data, according to a report by Xinhua News Agency. The state-run news outlet noted that some businesses have deployed facial recognition systems without authorisation, "secretly" capturing consumers' faces and other biometrics data. 

China is home to 989 million online users as of end-2020.

"China has always attached great importance to personal information security. The law on personal information protection clarifies rules on the processing and cross-border providing of personal information," Xinhua quoted Zang Tiewei, a spokesperson for the Legislative Affairs Commission of the NPC Standing Committee, which approved the Bill Friday. 

Zang noted that there has been increased scrutiny on technologies that carry out user profiling and run recommendation algorithms, which the government believes has led to issues such as data-powered price discrimination. The new laws aim to address such problems, he added.

According to Xinhua, the PIPL stipulates that brands must not deploy marketing tactics that target "personal characteristics" and must provide consumers with options to decline targeted marketing. 

Major online platforms that own personal data of a large customer base also must establish an independent body, comprising mainly of external parties, to oversee how the information was handled. 

In addition, these companies will have to lay out data protection policies based on "openness, fairness, and justice" as well as regularly publish reports on their data protection initiatives. 

With regards to facial recognition systems, the law requires signs to be prominently displayed at public locations where such equipment and images are implemented and captured. Furthermore, the collection and use of such data must be limited to "safeguarding public security". 

Companies dealing with Chinese consumers have to ensure compliance

Modelled broadly after Europe's General Data Protection Regulation (GDPR), the PIPL set a range of obligations, administrative guidelines, and enforcement actions regarding the processing of personal data, according to a blog post published Friday by Future of Privacy Forum (FPF). The report was jointly authored by FPF's Asia-Pacific director Clarisse Girot, global privacy director Gabriela Zanfir-Fortuna, and policy analyst for global privacy, Hunter Dorwart. 

They noted that the PIPL applied to personal data transferred outside of China by imposing obligations on handlers before such data is moved abroad, such as complying with a security assessment by relevant authorities. It also includes mandatory risk assessments for specific processes, such as automated decision-making that could have "a major influence" on consumers. 

Organisations must establish a dedicated entity or appoint a representative in China responsible for issues related to their data processing. The name and contact details of such representatives would have to be provided to the relevant authorities overseeing the implementation of the law.

The PIPL also extends to data processing by companies based outside of China when one of three conditions are met, such as instances where the data processing is carried out for the provision of products or services to consumers in China as well as when the data is used to analyse or assess the activities of consumers in China. 

The third condition, in particular, refers to "other circumstances provided in laws or administrative regulations", which the FPF said leaves a "margin of discretion" to Chinese authorities to "further extend the long-arm jurisdiction of the law in cross-border scenarios".

The FPF further noted a "distinct national security flavour" in the PIPL, which is most apparent in reference to provisions on data localisation and cross-border transfers. 

"The law incorporates provisions that affirm China's intention to defend its digital sovereignty," the authors wrote. "Overseas entities that infringe on the rights of Chinese citizens, or jeopardise the national security or public interests of China, will be placed on a blacklist and any transfers of personal information of Chinese citizens to these entities will be restricted or even barred."

"China will also reciprocate against countries or regions that take 'discriminatory, prohibitive, or restrictive measures against China in respect of the protection of personal information'."

According to the FPF report, the new Chinese law has a complex enforcement framework that includes financial penalties of up to 5% of an organisation's turnover as well as punitive actions, such as orders to stop processing data and confiscation of unlawfully attained profits. 

If a business refuses to correct the violation, it could be fined up to 1 million yuan ($150,000). Employees directly responsible for the data violation could also be slapped with a fine of 10,000 yuan ($1,500) to 100,000 yuan ($15,000). In more serious violations, financial penalties could go up to 50 million yuan ($7.5 million) or 5% of annual revenue in the company's previous fiscal year.

Omer Tene, vice president and chief knowledge officer at International Association of Privacy Professionals (IAPP), said the new law would require the submission of cross-data data transfers to Cyberspace Administration of China (CAC) for security assessment. In addition, organisations that handle large data volumes, which Tene noted would be defined by CAC, will also have store data locally in China. 

In a series of tweets posted a day before the PIPL was passed, he added that the law was "heavily based on consent", with no provision for data processing based on "legitimate interest" -- though, this did not include the need to fulfil contracts or compliance with a legal obligation. 

"If you're doing business in China, get legal advice. They're not playing around," he cautioned.

Didi Global has been removed from app stores in China following an order from the government to do so. The move comes just days after the popular Chinese ride-sharing app made its debut on the New York Stock Exchange. 

The CAC last month ordered Chinese ride-sharing platform Didi to remove its app from local app stores for breaching regulations governing the collection and use of personal data. Didi was further instructed to rectify "existing problems" and "effectively protect" users' personal data. 

Earlier in May, the CAC singled out 33 mobile apps for collecting more user data than it deemed necessary to offer their service. These companies, which included Baidu and Tencent Holdings, also were told to plug the gaps. Citing complaints from the public, the government agency said operators of the apps were found to have infringed the rules after authorities assessed several popular apps, including map navigation apps. 

Last week, the Ministry of Industry and Information Technology also said 43 apps were found to have illegally transferred user data, and ordered their parent companies to make rectifications.


Editorial standards