China is set to enact a tough data privacy law that mirrors the EU’s General Data Protection Regulation (GDPR) in content but likely will be more strictly enforced, experts say.
The Chinese regulation, the Personal Information Protection Law (PIPL), requires entities handling Chinese citizens’ personal data to minimize data collection and obtain prior consent. Although the final version of the law is still not published, the PIPL is set to take effect Nov. 1.
The new law states collection of personal information should be as minimal as necessary. The law allows for punishment of companies that exceed these fundamental minimization standards, even if consent is granted by the consumer.
The PIPL sets strict requirements for obtaining prior consent from consumers before personal data is collected. It applies to personal data on Chinese citizens that is processed outside of China, such as on computer servers located in foreign countries.
The short ramp-up time to enactment is only the first of many major differences between the GDPR and the PIPL, experts say. Most have to do with who is enforcing the law and how strictly it will be enforced. The GDPR passed European Parliament in 2016 and was enacted two years later. Businesses that collect and process the personal information of Chinese citizens will only have two months to prepare for the PIPL.
Under the GDPR, fines can reach as high as €20 million (U.S. $23.6 million) or 4 percent of a firm’s annual turnover. For the PIPL, the maximum fine is 50 million yuan (U.S. $7.7 million) or 5 percent of a firm’s annual turnover, according to the National Law Review.
The PIPL will be administered by the quasi-military Cyberspace Administration of China, though the Chinese Communist Party will also play a notable part in oversight. Unlike the GDPR, the PIPL allows the Chinese government to gain access to the personal information collected on Chinese citizens, which the government has shown it will use to monitor the activities of its people.
“The penalties are harsh and very serious,” says Omer Tene, vice president and chief knowledge officer for the International Association of Privacy Professionals (IAPP). “This is China. They are not playing around. And it’s not just U.S. Big Tech they are after here; it is Chinese tech companies as well.” Tene expects Chinese regulators to focus their attention on the data collection practices of Chinese companies first, then turn to those of foreign companies.
Tene adds the law allows Chinese citizens to sue companies in Chinese courts for violations, which “opens the possibility of big claims for damages.”
Preparing for PIPL
Paul McKenzie, managing partner of law firm Morrison & Foerster’s Beijing and Shanghai offices, suggests several key points foreign companies doing business in China should incorporate into their data collection strategies.
“Consent is king under PIPL,” he says. Consent underpins all legal authority for collecting personal data on Chinese citizens, according to the law.
“And consent is ‘informed consent,’ with PIPL giving individuals a right to be informed concerning issues like the identity of third parties who will have access to the individual’s information,” McKenzie says. The law contains none of the other legal bases for data collection included in the GDPR, although there is a chance some might be added to the PIPL later, he says.
Reporting of breaches is another major difference. Data controllers adhering to the GDPR “must notify the relevant government authority of a personal data breach within 72 hours, but with an out that a notification is not needed if the breach is unlikely to pose a risk to individual rights and freedoms,” he says. “PIPL offers no such out. All breaches must be reported to the authorities.”
The PIPL also has a lower standard for requiring notification of individuals affected by a breach than the GDPR—no harm to consumers for the PIPL, compared to high risk for the GDPR. And the PIPL requires more information be provided to the individual consumers affected, McKenzie says.
Lastly, there are numerous security and compliance obligations that might be required by the PIPL, McKenzie says.
“Measures contemplated under PIPL include formulating an internal management system and operating rules, data classification, encryption and de-identification, limiting access, conducting regular security training, and formulating and implementing an emergency response plan,” he says. “The data security provisions of PIPL need to be read together with those of China’s new Data Security Law, which will take effect on Sept. 1, 2021, and includes data security obligations that are applicable to personal information as well as other types of data, as well as requirements of China’s Cybersecurity Law and its implementing regulations.”