On August 20, 2021, China’s National People’s Congress passed the Personal Information Protection Law (PIPL), which will become effective starting November 1, 2021. As an overarching law in China with respect to data privacy, PIPL shares many similarities with the EU General Data Protection Regulation (GDPR). If a company has already been GDPR compliant, its data privacy compliance system can basically work in China, while certain localizations are necessary in response to unique requirements under PIPL. In particular, a company should pay attention to the following differences between PIPL and GDPR:
- Data localization. PIPL requires a controller1 of large-scale personal data2 or a critical information infrastructure operator (CIIO)3 to store personal data within China, and cross-border transfer thereof shall be subject to a security assessment by Cyberspace Administration of China (CAC). Other data controllers may do the cross-border transfer in reliance on one of legitimate approaches recognized under PIPL, including entering into a standard contract (following a template to be issued by CAC) with overseas data recipients. Further, a controller shall obtain standalone consent of data subjects (to the extent that the consent is the lawful basis for the data processing) and conduct the data protection impact assessment (DPIA, as defined below) prior to the cross-border transfer.
- Standalone consent of data subjects. Standalone consent is a unique concept under PIPL. The law requires a controller to obtain standalone consent of data subjects under certain circumstances, for example, processing sensitive personal data and cross-border transfer of personal data. Although PIPL does not define the “standalone consent,” it is commonly believed that such consent shall be obtained through a separate affirmative action by data subjects (e.g., a separate signature or clicking of a separate checkbox).
- Rights of data subjects. Rights of data subjects under PIPL are similar to those under GDPR except that the “right to be forgotten” under GDPR is not provided under PIPL.
- DPIA. Both GDPR and PIPL require the DPIA under certain circumstances, for example, automated decision-making and processing sensitive personal data. However, PIPL further requires a controller to conduct the DPIA in the following cases (which are not required under GDPR): cross-border transfer of personal data, contracting a third-party data processor, providing personal data to another controller, and making personal data publicly available.
- Data breach notification. Unlike GDPR, PIPL does not set forth a specific timeline (e.g., within 72 hours) for a controller to notify a data breach to a government authority.
If a company needs to set up its PIPL compliance system from scratch, it may consider taking the following actions:
- Policy drafting. The company shall formulate data privacy policies and procedures, which shall cover issues such as general rules about data processing, responding to requests from data subjects, technical measures to protect personal data, employee communication and training, compliance audit, DPIA, protocol for data breach response and notification, or data cross-border transfer.
- Document readiness. The company shall prepare or review the following documents to ensure they will be PIPL compliant: (i) notice and consent form for obtaining consent of data subjects (particularly for standalone consent), (ii) service contract with third-party data processors (if applicable), and (iii) standard contract with overseas data recipients for data cross-border transfer (if applicable).
- Technical measures. The company shall take technical measures to protect personal data, for instance, data classification, encryption, and deidentification.
- Communication and training. The company shall communicate with employees about data privacy compliance policies and provide trainings on a regular basis.
- Audit. The company shall regularly conduct audits on its data processing activities to ensure their compliance with PIPL.
- DPIA. The company shall conduct the DPIA in circumstances required under PIPL.
- Data breach notification. The company shall notify data breach to government authorities and data subjects following PIPL.
- Data cross-border transfer. Unless it is a CIIO or a controller of large-scale personal data, the company may do the cross-border transfer by (i) obtaining stand-alone consent of data subjects (to the extent that the consent is the lawful basis for the data processing), (ii) conducting the DPIA of the cross-border transfer, and (iii) signing a standard contract with overseas data recipients.
- Data Protection Officer (DPO). The company shall designate a DPO, if it is a large-scale personal data controller, while the threshold for such “large-scale” is to be further clarified by CAC.
1Note that the term “controller” is defined as “个人信息处理者” in Chinese under PIPL.
2The threshold for such “large scale” will be determined by the government authority separately.
3The CIIO is required by relevant laws to perform enhanced obligations in terms of cybersecurity and data security protection. Generally speaking, a company will not be regulated as a CIIO if the company does not receive a notice from the competent authority that the authority identifies the company as a CIIO.