Data assessment, user consent key to compliance with China law

International businesses that process data from China should obtain user consent and establish a data map--specifically looking at cross-border flow and residency--to ensure compliance, even as more clarity is needed on China's Personal Information Protection Law.
Written by Eileen Yu, Senior Contributing Editor

International businesses that process information from China should obtain user consent and establish a data map, so they do not run afoul of the country's Personal Information Protection Law (PIPL). Specifically, they should look closely at cross-border data flow and residency, even as more clarity still is needed on some components in the new legislation.

Organisations that already are set up to comply with Europe's General Data Protection Regulation (GDPR), though, have a good foundation on which to work towards PIPL adherence.

Passed in August, the Chinese legislation came into force last month, laying out ground rules around how data should be collected, used, and stored. It outlines data processing requirements for companies based outside of China, which included passing a security assessment conducted by state authorities.

Multinational corporations (MNCs) that move personal information of the country also will have to obtain certification on data protection from professional institutions. The Chinese government described the legislation as necessary to address the "chaos" created, in which online platforms had been excessively collecting personal data.  

Because it was modelled broadly after GDPR, enterprises that had readied themselves for the EU data protection legislation would be better placed to prepare for PIPL compliance.

For instance, both bills spell out the need to get user consent and rules around data sovereignty, according to Xin Leo, a Shanghai-based senior associate with law firm Pinsent Masons.

Similar to GDPR, companies would need to obtain consent before collecting and using data from customers under PIPL. The Chinese legislation also outlined standard clauses that should be included in service contracts or agreements between both parties--one that provided the data and the other that received it--that were similar to those detailed under GDPR.

This ensured organisations that collected and processed data would provide similar levels of protection under PIPL as they would with GDPR, Xin said in an interview with ZDNet.

Being GDPR-compliant put  enterprises on the right path towards PIPL adherence as well as other associated Chinese legislations, specifically, the country's 2017 cybersecurity and 2021 data security bills, said JoHannah Harrington, chief legal officer at Elements Global Services, which specialises in HR technology and compliance. The company works with local law firms in China, where it also has corporate secretariat partners. 

Harrington, too, pointed to the need for user consent before data could be processed or transferred out of China as a common component in PIPL and GDPR.

In addition, both laws required organisations to meet certain requirements, such as clear and reasonable purpose, for processing data they collected and to have processes in place to maintain data protection. These included deploying data security tools and conducting risk mitigation processes, such as firewall and online privacy notices.

Both legislations also outlined the need to ensure user opt-in and the reclassification of data, said Sovan Bin, CEO of Odaseva. The data management vendor offers tools touted to ensure data is compliant, including with GDPR and PIPL, as it moves across an organisation's global network.

In addition, consumers protected under the two legislations had the right to ask to be deleted or removed from an organisation's database, Bin told ZDNet.

Concerted efforts to define data ownership and return consent to consumers, regardless of where their data sat, began with GDPR, which was released in 2016. He noted that the EU legislation had put forward the concept of cross-border data transfers, so rules requiring organisations to obtain consent whenever they moved data outside the user's home country were not unique to PIPL.

Chinese regulators, though, had the benefit of time to assess the impact of such laws and adopt a modern approach, he said.

Data had become a key asset for every organisation over the years, while technologies also had evolved. Regulations established in the 1990s, for one, were no longer relevant with the emergence of cloud technologies, he said, adding that several countries were modernising their data regulations so these were more compatible with the cloud era.

Questions remain about user consent, conflict with international laws

But while PIPL shared several similarities with GDPR, there were some significant differences between both legislations that organisations should take note of.

According to Harrington, PIPL does not include legitimate interests or purposes as a condition for data processing, while GDPR does. This, for instance, enables organisations to process their employees' personal data, as it is deemed of legitimate reason.

The exclusion of legitimate purposes could mean that MNCs would have to seek the consent of all employees in China, if they had not already done so, before their HR departments were permitted to process the employee's personal information.

Uncertainties over the concept of user consent, which was not well defined yet in PIPL, was one likely reason major technology companies had opted to leave the Chinese market, Harrington said.

Clarity around consent was paramount because, under the Chinese legislation, it must be applied before data could be processed. She added that as the law was new and untested, clearer definitions in some areas still needed to be established.

According to Xin, the legislation outlined three areas organisations should address with regards to cross-border data transfers. These included the need for a government security assessment, to gain approval, if the processed data exceeded a threshold specified by the legislation.

Some requirements called for certain certifications to be established, under specific instances, between the data exporter and data receiver, but how such procedures should be carried out remained unclear, he said.

Both parties also would need to agree to a model, or template, contract to be stipulated by the regulator. These contract terms, however, had yet to be released.

There was further uncertainty over PIPL rules pertaining to data sovereignty, Xin said, under which personal data stored in China could not be provided to foreign jurisdictions or organisations without the Chinese government's consent.

While this policy is not new, as it already is stated in the country's data security and international corporate criminal laws, there are questions about how this will play out alongside international laws. The US CLOUD (Clarifying Lawful Overseas Use of Data) Act, in particular, gives US law enforcement power to demand access to data stored by cloud providers, including data held outside the US.

Doing so in China would be in breach of PIPL, Xin said, which could create a dilemma for MNCs operating in the country. He added that provisions, if any, and procedures organisations should follow under such circumstances currently were unclear.

Bin noted that organisations were spending more effort, in particular, on ensuring compliance with specifications related to cross-border data and data residency. PIPL outlined certain thresholds under which organisations would have to adhere to guidelines on how to process cross-border data, he said. Businesses handling personal data of more than 1 million users, for instance, or that had to transfer personal data of more than 100,000 users would have to abide by specific policies.

Additional policies regarding data residency also would apply to certain types of data, he said. For instance, companies processing data deemed to be more sensitive must pass a security assessment by Cyberspace Administration of China (CAC).

He advised businesses to exercise more care in handling such data across borders, to ensure compliance with PIPL.

He further noted that, unlike GDPR where there was a two-year grace period during which organisations could ready themselves before enforcement and fines were implemented, PIPL did not have a similar allowance. In addition, the Chinese legislation was passed and came into force within a shorter time interval, giving enterprises less time to prepare for compliance. 

Seek local representative, consent as first steps

While the legislation is new and some definitions remain unclear, there are some first steps organisations can take towards PIPL compliance. These include appointing a local representative and registering, where required, with the relevant authorities.

Asking for user consent for all forms of data would be a good baseline from which to start, as well as ensuring there was a clear purpose for collecting user data, said Harrington.

She also suggested that organisations appointed local representatives to handle data-related processes in China and carried out security assessment of their data management.

Xin advised companies to establish a data map, including determining the types of personal data they held, and perform a compliance review to identify gaps between their current data practices and PIPL requirements.

They then would need to enhance their data policies as well as IT infrastructure and organisational structure accordingly to plug any gaps, he said.

With different business units processing data differently, he stressed the need for organisations to ensure they had a comprehensive understanding of how all these departments collected and processed data.

He also underscored the importance of training employees and beefing up overall awareness of data management policies. Businesses could consider appointing a representative for each business unit who was focused on data protection and reported to the company's data privacy officer, he added.

With regards to handling employees' personal data, Xin also suggested organisations formulated their labour rules to incorporate data collection and protection practices. In accepting their employment with the organisation, employees then would have provided consent to the collection and management of personal data as stipulated under the company's employment contract or handbook.

This then would not require businesses to separately obtain employee consent for PIPL, he said. However, most MNCs that processed data of employees in China likely would need to do a separate privacy impact assessment, he noted.

Any organisation that wished to transfer data out of China also would be required to carry out such assessments, he said, adding that those providing sensitive personal data to a third party would need to do likewise.

According to PIPL, violators that fail to comply with orders to rectify the breach will face fines of up to 1 million yuan ($150,000), while the person responsible for ensuring compliance can be fined between 10,000 yuan ($1,500) and 100,000 yuan ($15,000). 

For "serious" cases, Chinese authorities also dish out fines of up to 50 million yuan ($7.5 million) or 5% of the company's annual turnover for the previous fiscal year. In addition, its business operations may be suspended or business permits and licences revoked. 


Editorial standards