TLDR; In Nov. 2021, China put into law its version of the GDPR, called the Personal Information Protection Law (PIPL). China’s PIPL impacts most foreign businesses that collect and handle personal information in China. This article reviews the differences and similarities between the GDPR and the PIPL, and highlights the requirements your company must meet to stay compliant with China’s PIPL.
In October 2021, Yahoo Inc. announced that it was pulling out of China. This is the second well-known U.S. technology firm to downsize China operations in less than a month, following the closure of Microsoft’s LinkedIn social networking site.
LinkedIn said it had decided to shut down its operations in China after “facing a significantly more challenging operating environment and greater compliance requirements.”
Yahoo’s and LinkedIn’s departures from China coincide with China’s updated Personal Information Protection Law (PIPL), which went into effect on November 1, 2021.
This post will break down the PIPL, its data processing, and consent requirements, see how it stacks up to the GDPR, and discuss how your foreign company can ensure compliance.
What is the Personal Information Protection Law?
The Personal Information Protection Law, also known as the PIPL, is China’s first comprehensive data protection law.
The PIPL helps form the framework that gives China’s government a broad enforcement capability—resulting in a more regulated environment for international businesses operating in China.
Its framework is similar in size and scope to the European Union’s General Data Protection Regulation (GDPR). Both laws:
- require a lawful purpose for data collection and processing,
- require consumer consent to process data, and
- give consumers the right to access or delete their information.
However, a significant difference from the GDPR will impact how international companies handle cross-border data transfers.
Key Definitions
Personal information is all kinds of information and data recorded by electronic or other means and related to identified or identifiable individuals.
Personal information handling (or processing) includes personal information collection, storage, use, processing, transmission, provision, disclosure, deletion, etc.
Personal information handler refers to organizations and individuals that, in personal information handling activities, autonomously decide handling purposes and handling methods.
What is the Purpose of the Personal Information Protection Law?
Article 1 of the law states that the purpose of the PIPL is to:
- Protect personal information rights and interests,
- standardize personal information handling activities,
- promote the rational use of personal information.
The purpose of the law as described in Article 2 is to provide legal protection for Chinese citizens’ personal information, stating that “No organization or individual may infringe on citizens’ personal information, rights and interests”.
Who does the PIPL apply to?
Article 3 outlines that the law applies to any organization or business that is “handling the personal information of individuals within the borders of the People’s Republic of China”.
What Consent is Required to Collect and Process Personal Information in China?
The consent required by the PIPL is very similar to the GDPR. Chapter 2 of the law stipulates that user consent is only considered valid if it is knowingly and explicitly granted. This means that your organization must provide individuals with the full extent of personal information processing methods and intended use in clear and straightforward terms.
Users also have the right to withdraw their consent at any time, and your organization must provide an easy option to do so.
For practical purposes, that means consent banners and opt-outs set up for GDPR compliance will likely fulfill the requirement under the PIPL.
Consent will also be required to conduct marketing to individuals through personal information processing. The PIPL also stipulates that businesses must offer consumers options that do not target personal data, or provide a way to decline the processing of their data.
If the processing method or intended use changes at any time, your organization must re-obtain permission from the individual to process the data.
What Requirements and Constraints Exist for Data Processing in China?
Once an organization has established the legal basis for processing personal information, the PIPL sets forth a series of requirements and constraints to regulate the processing, including special rules for international organizations operating within China.
These rules include:
- Organizations based in China must set up a specialized agency or appoint a representative for data compliance.
- Cross-border data transfers must be submitted for approval by the Cyberspace Administration of China.
- Foreign companies operating in China must appoint a local representative who will bear responsibility for PIPL compliance.
- Data processing contracts are required between controllers and processors.
- Organizations must conduct risk assessments before processing sensitive data, transferring data abroad, or using sensitive data for automated decision-making.
- Data handlers must localize data within mainland China.
PIPL’s Impact on International Organizations Operating in China
China’s approach to how your international organization must handle cross-border data transfers, described in Chapter III of the PIPL, is more restrictive than the GDPR’s.
Article 40 states that your organization “shall store personal information collected and produced within the borders of China domestically”.
If your organization truly needs to provide personal information outside of China, Article 38 outlines the procedure required to export data, which requires meeting one of the following conditions:
- Passing a security assessment organized by the State cybersecurity and informatization department according to Article 40 of this Law;
- Undergoing personal information protection certification conducted by a specialized body according to provisions by the State cybersecurity and informatization department;
- Concluding a contract with the foreign receiving side in accordance with a standard contract formulated by the State cyberspace and informatization department, agreeing upon the rights and responsibilities of both sides;
- Other conditions provided in laws or administrative regulations or by the State cybersecurity and informatization department.
Legal Liability
Chapter 7 describes the legal liability and penalties for organizations out of compliance.
A breach of this new law can significantly impact an international company’s ability to do business in China.
Imagine that your foreign company is evaluating the opportunity to expand into China. Suppose your website is accessing personal data in China and breaches any PIPL requirements. In that case, your company could be “blacklisted”, which would prevent it from entering the Chinese market. Thus, the PIPL compels any foreign company that accesses personal data in China to implement the necessary protective measures to ensure compliance.
Companies already operating in China face a different risk. A breach would put a company at risk of losing its business license and significant financial penalties of up to 50 million RMB or 5% of its yearly turnover.
How Can International Organizations Stay Compliant?
How Tesla is Staying Compliant with the PIPL
International organizations like the electric car behemoth Tesla have established their own data center to stay compliant with the law.
Data Tesla generates within mainland China is localized on these servers. This move by Tesla avoids cross-border data transfers and the security assessments by Chinese cybersecurity officials that come with them.
How Can Your Company Stay Compliant with China’s GDPR?
If building your own data centers like Tesla isn’t feasible, and your company, unlike Yahoo and LinkedIn, plans to keep operating in China, that’s okay. You have a couple of options to stay compliant:
Option 1: Traditional VPS (Virtual Private Server) Website Hosting Approach
Hire an agency or use in-house technical resources to store all of your organization’s sensitive data with local cloud providers such as Alibaba Cloud, Tencent Cloud, AWS China, and Azure China. This option tends to give you more control over what you can do with the servers, but it is also a double-edged sword because it introduces high server operation and maintenance costs.
Option 2: Utilize a Modern Jamstack in China with 21YunBox
Many agile startups and enterprises have widely adopted the Jamstack architecture. 21YunBox is the only provider that brings your Jamstack site live in China without breaking Chinese law.
In addition, 21YunBox Analytics provides your marketing department with a fully compliant replacement for Google Analytics and other third-party analytics programs that don’t work in China. Since you do not need to install any tracking code or script on your website, 21YunBox Analytics gives your site full compliance with no downside for web analytics.
Option 3: No-code or Low-code Approach
If you need to move your data outside of China for legitimate business purposes, PIPL Chapter 3 provides you with an avenue, as mentioned above.
A security assessment is required to move personal data outside of China legally. You can think of a security assessment as being like obtaining a business or ICP license. The security assessment should be straightforward if you are operating an honest business and the data is used for legitimate business purposes.
We can support you through the security assessment on the technical end of the data transfer. Once the security assessment’s paperwork is approved, Yammo’s optimized cross-border network will ensure that your site operates compliantly in China.