How the China Personal Information Protection Law Applies to Foreign Asset Managers
Since China’s Personal Information Protection Law (PIPL) came into effect in November 2021, there has been widespread uncertainty amongst offshore fund managers and investors with entities outside Mainland China as to how and whether the regime applies to them. Given the potential for foreign asset managers to overlook or misinterpret PIPL, this brief update outlines some guidance as to how PIPL can apply, and to whom, in a practical context.
China’s Personal Information Protection Law (PIPL) applies widely to all companies and persons that process personal information. This includes personally identifiable information about Chinese nationals regardless of whether they are based in China or abroad. The law also regulates outbound transfers of personal information (including transfers from Mainland China to Hong Kong) and bans outbound transfers unless one of the following conditions is satisfied:
- a security review of the risks of the proposed transfer and adequacy of data protection measures, as vetted by the relevant Chinese regulatory authority, has been undertaken,
- a certification has been obtained from a prescribed professional institution authorized by the Cyberspace Administration of China (CAC),
- a written agreement with the offshore recipient governing their obligations to protect such personal information has been implemented, and
- other conditions as may be specified from time to time by laws and regulations.
The PIPL also imposes further stringent regulations regarding “sensitive” personal information such as “financial accounts”; and strictly bans disclosure of personal information stored on the Mainland to any foreign judicial or law enforcement agency without the approval of the relevant Mainland authority, namely China’s Ministry of Justice and/or Ministry of Foreign Affairs.
Under what circumstances will PIPL apply to entities outside Mainland China?
Entities outside Mainland China that process personal information concerning Chinese individuals are also potentially liable where personal information is processed:
a) inside China (e.g., by using local IT infrastructure in China),
b) for the purpose of providing products/services to individuals within Mainland China (i.e., Chinese investors), or
c) to assess or evaluate the behavior of individuals within Mainland China.
Next steps and key takeaways
Any entity that is based outside Mainland China and conducts in-scope activities is required to:
- establish a dedicated institution or appoint a representative in China and report the name and contact information of such institution/representative to Chinese authorities, namely CAC and/or its local counterpart, and
- comply with PIPL, which imposes a series of data processing rules and obligations similar to the European Union’s General Data Protection Regulation, including as to transparency and consent, data minimization, the conduct of a privacy impact assessment, data subject rights, security measures and breach notification, and restrictions concerning any cross-border transfer of data.
Foreign managers who maintain a presence/office in Mainland China may be subject to PIPL to the extent that they collect/process personal information (including, for example, the personal information of employees, individual investors, and business contacts). However, the parent company or affiliates of the China office located outside of Mainland China will not become subject to PIPL unless these entities also conduct in-scope activities.
Foreign managers that do not have a presence/office in Mainland China may also be subject to PIPL if they process the personal information of natural persons based or resident in China (i.e., individual Chinese investors) for the purpose of providing fund management services. However, the full ambit of this extraterritorial jurisdiction remains untested to date.