The highly anticipated Personal Information Protection Law ("PIPL") was finally passed on 20 August 2021. It will come into force on 1 November 2021, leaving companies less than three months to ensure compliance with the new Law. Given the incredibly tight time frame, businesses need to move quickly. But what is the real impact of the new legislation for international brands and what needs to be done?
The PIPL formalises and strengthens a number of requirements in relation to personal data including the need for explicit or separate consent for collection and for data localisation in China. Satisfying these requirements will likely require foreign companies to update their China business models as well as operating practices to ensure compliance. Consumer facing businesses with apps and e-stores operating in China as well as tech companies offering digital solutions are likely to be the most affected.
Enforcement of the Law is highly likely to be proactive and targeted. It will be delivered not only by Government monitoring but also through market pressure from commercial partners (including “gate-keeping” digital platforms), consumer and competitor reporting. This multifaceted approach means the risk is hard to quantify and manage. Punishments have the potential to be significant, ranging from suspension of business activities, to fines of up to RMB 50 million or 5% of the preceding year’s revenue, or to being banned from operating in China. Enforcement can start from day one.
The EU’s General Data Protection Regulations (“GDPR”) has inspired much of the PIPL. Therefore, some measures such as the requirement for consent when collecting personal data and approaches to personal data collection in digital technologies, such as surveillance-based marketing will be familiar. However, PIPL goes further than GDPR requiring additional and separate consent for specific activities. For example, if a company wishes to transfer personal data outside of China, a separate consent from all concerned individuals is required even if the data has already been collected. Using third parties to process personal data is another situation where separate consent in required. As illustrated above with the enforcement approach and localisation of data, the Law also contains a number of China-specific features, reflecting different regulation priorities, governance approaches and current geopolitical tensions. Therefore, whilst rolling out GDPR processes in China would provide a solid basis for compliance, it is not sufficient.
There are three areas where the impact of the PIPL is greatest:
1. Collection and use of data from Apps and mini programmes within the WeChat App
The Law makes it illegal to collect excessive personal data, specifying that only necessary information can be collected. It sets out the requirements and criteria for obtaining explicit consent for collecting personal data. The more sensitive the data, the higher the requirements, for example collection or processing of facial images or data from minors aged 14 and under are subject to much stricter requirements. If a consumer refuses to provide consent to their data being collected, a company has no right to refuse access to their products or services unless they are dependent on the data which has not been provided. This applies to any apps that are available to download in China, regardless of where they have been developed. Any e-stores being used to connect with customers within China are also covered.
In terms of defining necessary information, the pre-existing and forthcoming new regulations and rules set out very specific guidelines for what constitutes essential data. In some cases, interpretation is very strict, such as specifying that news or live streaming services cannot require the collection of personal data to enable users to access the basic functions in apps. These regulations now need to be followed closely as the new Law establishes enforcement mechanisms for non-compliance. Beyond Government supervision, consumer complaints will play a role. Authorities are legally obliged to investigate any registered grievances. We anticipate the immediate emergence of professional complainers seeking financial compensation settlements. When facing allegations, the burden is on the business to prove their compliance otherwise they are assumed to be in violation.
Beyond collection of essential data, the Law seeks to regulate the collection and use of consumer behaviour data for automated decision making or algorithm recommendations. To track behaviour, businesses need to detail to the consumer what information is being monitored, who it is being shared with and how it is being used. Notification mechanisms and opt-out options should be built into apps. Given the significance and complexity of issues in this field, we expect more regulations and rules will come out very shortly to provide specific guidance and ensure implementation of the Law. At the time of writing, a draft Administrative Rules on Algorithmic Recommendation-based Internet Information Services was just released by the Cyberspace Administration of China for public consultation.
2. Enhanced requirements for large scale consumer facing platforms
These measures are directly aimed at Chinese tech giants operating online or social media marketplaces, such as Alibaba, TenCent, JD and Baidu. Within the PIPL they are referred to as ‘key internet platform operators’ (similar to ‘gate-keeper’ in the European digital draft regulations). Given the scale of data held by these companies, they must adhere to higher standards than others. They must pre-publish transparent and fair rules about how data will be collected and handled on their platforms.
Although these provisions are within the context of the wider regulation on Chinese tech companies, foreign companies will be impacted. For the platforms to be compliant, sellers need to be compliant, meeting the higher standards even though they are not obliged to do so under the Law. This could extend to needing to localise data, the implications of which are explained in the following section. There will be no exemptions as the platforms are required to treat all sellers equally. Platforms also face high penalties from the Government for any non-compliance. Therefore, we expect them to regulate sellers closely. Businesses must be prepared to strengthen their approach to data management if they wish to sell products on e-commerce sites after 1 November.
Furthermore, the Law specifies that any personal data controller must seek consent from individuals if they wish to publicly disclose any personal information. This could impact on networking platforms.
3. Requirements for data localisation within China
The overarching Cyber Security Law specifies that Critical Information Infrastructure Operators (CIIOs) need to store personal data within China and any cross-border transfer is subject to Government review. The PIPL sets out the same requirements but introduces a new term, ‘large personal data controller’ when identifying who must comply. Although the definition is yet to be announced, we expect that the collection of data from one million or more individuals will be the threshold – this is the number which triggers scrutiny of Chinese companies wishing to publicly list in the US.
Whilst foreign companies are rarely captured by the CIIO definition, they may easily reach the one million threshold and be legally obliged to localise their data. Although cross-border transfer restrictions have existed previously, foreign businesses have generally been able to chart a path around these. This will become harder. It will no longer be sufficient to just anonymise the data. Government approval for cross-border transfer is likely to be difficult.
This will be particularly significant for large tech companies offering digital B2B solutions. As well as potentially being directly liable under the Law, customers or business partners may demand localisation to ensure they are compliant themselves.
To localise data, it is not sufficient to just store the data in China. A local entity needs to be designated as legally responsible with named individuals being directly liable. If a company does not already have a Chinese entity, creating a Wholly Foreign Owned Enterprise (WFOE), Joint Venture or working with a third party will be critical. If a third party is chosen, they would need to play a significant role in the business as they would be the entity assuming the noncompliance liabilities in the first place. Substantial fees would be expected as a result. Third parties would need to be highly trusted.
If a CIIO or large personal data controller does gain authorisation to transfer data overseas, consent is required each time data is transferred and very detailed information must be provided setting out what is being transferred, to whom and why.
When data needs to be localised, it is harder to keep core technology outside of China. Therefore, any business model consideration must build in an assessment of intellectual property risk and the methods which can be deployed to protect core assets.
Unlike GDPR which allowed for a two-year preparation window with significant guidance for business, the PIPL relies heavily on businesses making their own judgements, within three months, on how to implement the principles set out in the Law. As many of the regulations are still emerging, a deep understanding of the Chinese market will enable the best response.
It is critical for international businesses dealing with China, especially consumer facing and digital solutions providers, to review their situation and conduct data audits. This will enable them to understand how they fit within the new Law and any vulnerabilities.
Some of the key issues businesses will need to identify include:
The PIPL creates a new world for personal data management for all companies doing business in or with China. 1 November 2021 is approaching fast and companies must get their China data management issues resolved before then.
For any enquiries, please contact a member of the Rouse and Lusheng Digital Services Teams or the listed authors/experts below: