PIPL: Data protection made in China
China has not been known for stringent data protection, but that could now change: on 20 August 2021 the National People’s Congress of the People’s Republic of China adopted the Personal Information Protection Law (PIPL) (Mandarin version, unofficial English translation), a national law to protect personal data. It will come into force on 1 November 2021 and will then, together with the Cybersecurity Law (CSL) and the Data Security Law (DSL), comprehensively regulate data privacy in China for the first time. The implementation period for PIPL of just over two months is extremely short, and companies cannot draw on established principles and interpretations of existing data protection regulations when implementing the new requirements.
Relevant regulations – A Chinese GDPR?
Despite differences, PIPL is similar in many respects to the European General Data Protection Regulation (“GDPR”), partly because it deems data processing inadmissible in principle and establishes a list of legal bases. Some key points are presented below.
Territorial scope: Extraterritorial effect
PIPL applies in principle to the processing of personal data of natural persons within the borders of the People’s Republic of China (Article 3 PIPL). In addition, like the GDPR (also Article 3), it also has extraterritorial effect through its applicability to the processing of personal data outside China if
- the purpose of data processing is to provide products or services to natural persons located in China,
- activities of natural persons located in China are analysed or evaluated, or
- other laws or administrative regulations require it.
Principles of data processing and other similarities
Article 4 PIPL contains legal definitions of personal data and data processing which correspond to those set out in Article 4 GDPR. Moreover, PIPL sets out familiar principles of data processing from Article 5 of the GDPR. Data processing must be carried out in a lawful and transparent manner and must comply with the principles of purpose limitation and data minimisation (Articles 5-7 PIPL). In addition, the processor must take steps to ensure the accuracy and security of the personal data (Articles 8 and 9 PIPL).
Legal bases
Similarly to Article 6 of the GDPR, PIPL lists a number of legal bases permitting data processing (Article 13 PIPL). According to this, data processing is lawful if
- the data subject has consented (no. 1),
- it is necessary for the performance of a contract (no. 2),
- it is necessary for compliance with a legal obligation (no. 3),
- it is necessary to respond to a public health emergency (no. 4),
- it is carried out to an appropriate extent in the context of media coverage (no. 5),
- the information has already been disclosed and the processing takes place to an appropriate extent (no. 6), or
- it is otherwise permitted by law (no. 7).
Unlike point (f) of Article 6(1) GDPR, a legitimate interest in the data processing which outweighs the interests, basic freedoms and fundamental rights of the data subject is not a legal basis.
There is also virtually no guidance from the competent authorities yet on how the legal bases are to be interpreted. It remains to be seen whether the GDPR-like standards of PIPL will also be interpreted similarly to those in the GDPR.
Special regulations for international data transfer
Despite the many similarities, in some cases PIPL imposes even higher requirements on the legality of international data transfers than the GDPR. If personal data is transferred to entities outside China, the data subjects must be informed of the transfer, their explicit consent to the transfer must be obtained and it must be ensured that the recipients of the data comply with similar data protection standards (Article 39 PIPL).
Similarly to the GDPR, there will be standard contractual clauses that allow for international data transfer. However, these standard contractual clauses have not yet been published by the competent authority, the Cyberspace Administration of China.
Unclear rules on data localisation
Operators of critical information infrastructure and data handlers whose data processing reaches a certain threshold (as yet undefined) are required to store the personal data within the People’s Republic of China (Article 40 PIPL). Insofar as these operators and data handlers have to transfer the data to other countries, transfer is only allowed if they have undergone an official security assessment. The term “critical information infrastructure” is not defined within PIPL itself but is understood broadly in fairly recent Chinese legislation (such as the Regulations on the Security and Protection of Critical Information Infrastructure of 1 September 2021). Note that other Chinese laws, especially the CSL, require a security check, for example, on data gathered in China and transferred internationally, or even prohibit transfer entirely.
Severe penalties for breaches
Like the GDPR, PIPL lays down substantial penalties for breaches (Article 66 PIPL). For instance, the supervisory authorities can order remedial action, impose fines or even order the shutdown of operations. The fine can be up to RMB 50 million or 5% of the organisation’s turnover in the previous year, thus even exceeding the maximum fines under the GDPR.
PIPL’s impact on European companies
German and European companies have to take PIPL seriously, not least because, due to its extraterritorial effect, it may also apply to data processing outside China, and breaches may result in considerable consequences. Therefore, companies should analyse their implementation status and the steps needed for full compliance with the statutory requirements. Moreover, they should adapt their processes accordingly, introduce suitable data protection guidelines and processes, and compile the related documentation. Ultimately, compliance with the legal requirements will become even more complicated for (multinational) companies.
Will there be an adequacy decision by the EU Commission?
It also remains to be seen whether PIPL will have consequences for the legality of transferring data to China under the GDPR. Given the new rules, presumably there is now an adequate level of protection and the European Commission could issue an adequacy decision (Article 45 GDPR). However, this is contradicted not only by the current geopolitical climate, but also by the very extensive data processing by Chinese authorities, which is not effectively held in check by PIPL. Therefore an adequacy decision for China would very likely be doomed to fail, as it was for the US (CJEU overturns EU-U.S. Privacy Shield - Noerr).
Outlook
Companies operating in China or other companies that process the personal data of Chinese citizens should review their processes, adapt them if necessary and keep an eye on developments. In particular, companies should check whether PIPL imposes specific duties on them such as refraining from certain international data transfers, data localisation in China or reporting to the Chinese supervisory authorities. The fast-evolving legal situation in China should continue to be observed, especially with regard to other possible laws and administrative regulations expanding the scope of PIPL and specifications of PIPL by administrative and court practice. The latter applies all the more since it is still unclear how a large number of individual provisions are to be interpreted and implemented.
While in many ways PIPL is a step towards more globally harmonised data protection laws, it also requires (multinational) companies to overcome further obstacles in global data transfers.