The highly anticipated Personal Information Protection Law (“PIPL”) was passed on August 20 and will come into force on November 1 of this year, leaving companies less than three months to ensure compliance with the new law. Given the incredibly tight time frame, businesses need to move quickly. But what is the real impact of the new legislation for international brands – including the fashion and luxury brands that are so heavily dependent upon the Chinese market for revenue and growth – and what needs to be done?
The PIPL formalizes and strengthens existing requirements in relation to personal data, including the need for explicit or separate consent for collection and for data localization in China. Satisfying these requirements will likely require foreign companies to update their China business models, as well as their operating practices to ensure compliance. Consumer-facing businesses with apps and e-commerce websites operating in China are likely to be the most affected, along with tech companies offering digital solutions.
Enforcement of the Law is highly likely to be proactive and targeted – not only by government monitoring but also through market pressure from commercial partners (including “gate-keeping” digital platforms), and consumer and competitor reporting. This multifaceted approach means the risk is hard to quantify and manage. Punishments have the potential to be significant, ranging from suspension of business activities, to fines of up to RMB 50 million ($7.76 million) or 5 percent of the preceding year’s revenue. Alternatively, companies that fail to comply with the law may be banned from operating in China entirely, and enforcement can start from day one.
How different is the PIPL compared to its EU or US counterparts?
The European Union’s General Data Protection Regulations (“GDPR”) has inspired much of the PIPL, and thus, some measures – such as the requirement for consent when collecting personal data – and approaches to personal data collection in digital technologies, such as surveillance-based marketing, will be familiar.
However, the PIPL goes further than the GDPR by requiring additional and separate consent for specific activities. For example, if a company wishes to transfer personal data outside of China, a separate consent from all concerned individuals is required even if the data has already been collected. Using third parties to process personal data is another situation where separate consent in required. The new law also contains China-specific features, reflecting different regulation priorities, governance approaches and current geopolitical tensions. This means that whole rolling out GDPR processes in China would provide a solid basis for compliance, it is not wholly sufficient.
What are the key changes that will create the most significant burdens on businesses?
There are three areas where the impact of the PIPL is greatest:
1. Collection and use of data from Apps and mini programs within the WeChat App – the PIPL makes it illegal to collect excessive personal data, specifying that only necessary information can be collected, and setting out the requirements and criteria for obtaining explicit consent for collecting personal data. The more sensitive the data, the higher the requirements. For example, the collection or processing of facial images or data from minors aged 14 and under is subject to much stricter requirements than when the individuals are 15 or older. If a consumer refuses to provide consent to their data being collected, a company has no right to refuse access to their products or services unless they are dependent on the data which has not been provided, and this applies to any apps that are available to download in China, regardless of where they have been developed. Any e-commerce stores being used to connect with customers within China are also covered.
In terms of defining essential data, both pre-existing regulations and the new rules set out very specific guidelines. In some cases, interpretation is very strict, such as specifying that news or live streaming services cannot require the collection of personal data to enable users to access the basic functions in apps. These regulations now need to be followed closely as the new law establishes enforcement mechanisms for non-compliance.
Beyond government supervision, consumer complaints will play a role, particularly as authorities are legally obliged to investigate any registered grievances. This is likely to lead to the immediate emergence of a cottage industry of routine complaints from individuals seeking financial compensation settlements. A quick settlement may be preferable from companies, as when facing allegations, the burden is on the alleged violator to prove their compliance with the PIPL.
Beyond collection of essential data, the PIPL seeks to regulate the collection and use of consumer behavior data for automated decision making or algorithm recommendations. To track behavior, businesses need to detail to the consumer what information is being monitored, who it is being shared with, and how it is being used. Notification mechanisms and opt-out options should be built into apps.
Given the significance and complexity of issues in this field, more regulations and rules will likely come out very shortly to provide specific guidance and ensure implementation of the Law. At the time of writing, a draft of the Administrative Rules on Algorithmic Recommendation-based Internet Information Services has been released by the Cyberspace Administration of China for public consultation.
2. Enhanced requirements for large-scale consumer-facing platforms – These measures are directly aimed at Chinese tech giants operating online or social media marketplaces, such as Alibaba, TenCent, JD.com, and Baidu, which are referred within the PIPL as “key internet platform operators” (similar to “gate-keepers” in the European digital draft regulations). Given the scale of the data held by these companies, they are required to adhere to higher standards than others, and must pre-publish transparent and fair rules about how data will be collected and handled on their platforms, among other things.
Although these provisions are within the context of the wider regulation on Chinese tech companies, foreign companies will, nonetheless, be impacted. In order for the platforms to be compliant, sellers need to be compliant, meeting the higher standards even though they are not obliged to do so under the law. This could call for localizing data, for example. It is worth noting that there will be no exemptions, as the platforms are required to treat all sellers equally, and will face high penalties from the government for any non-compliance. Therefore, platforms are expected to regulate sellers closely. Third-party businesses must be prepared to strengthen their approach to data management if they wish to continue to sell products on e-commerce marketplace sites after November 1.
Furthermore, the PIPL specifies that any personal data controller must seek consent from individuals if they wish to publicly disclose any personal information. This could have a significant impact on networking platforms.
3. Requirements for data localization within China – The overarching Cyber Security Law, which was enacted in June 2017, already specifies that Critical Information Infrastructure Operators (“CIIO”) need to store personal data within China and any cross-border transfer is subject to government review. The PIPL sets out the same requirements but introduces a new term – “large personal data controller” – when identifying who must comply. Although the definition is yet to be announced, the collection of data from one million or more individuals will likely be the threshold, as this is the number which triggers scrutiny of Chinese companies wishing to publicly list in the US.
While foreign companies are rarely captured by the CIIO definition, the PIPL is expected to change the state of things, as such non-native companies may easily reach the one million threshold and therefore, be legally obliged to localize their data. Although cross-border transfer restrictions have existed previously, foreign businesses have generally been able to chart a path around these. This will become harder thanks to the PIPL, as it will no longer be sufficient to just anonymize the data, and government approval for cross-border transfer is likely to be difficult.
This will be particularly significant for large tech companies offering digital B2B solutions. In addition to potentially being directly liable under the PIPL, customers or business partners may demand localization to ensure they are compliant themselves. And to localize data, it is not sufficient to just store the data in China. A local entity needs to be designated as legally responsible with named individuals being directly liable. If a company does not already have a Chinese entity, creating a Wholly Foreign Owned Enterprise, Joint Venture or working with a third party will be critical. If a third party is chosen, they would need to play a significant role in the business as they would be the entity assuming the noncompliance liabilities in the first place.
If a CIIO or “large personal data controller” does gain authorization to transfer data overseas, consent is required each time data is transferred and very detailed information must be provided setting out what is being transferred, to whom and why. When data needs to be localized, it is harder to keep core technology outside of China. Therefore, any business model consideration must build in an assessment of intellectual property risk and the methods which can be deployed to protect core assets.
What do companies need to do now?
Unlike the GDPR, which allowed for a two-year preparation window with significant guidance for business, the PIPL relies heavily on businesses making their own judgments – within three months – about how to implement the principles set out in the law. As many of the regulations are still emerging, a deep understanding of the Chinese market will enable the best response. It is critical for international businesses dealing with China, especially consumer facing and digital solutions providers, to review their situation and conduct data audits. This will enable them to understand how they fit within the new law and any vulnerabilities.
Some of the key issues businesses will need to identify include at the outset: (1) the sensitivity of data being handled; (2) whether current policies, processes and business models are fit for purpose; and (3) if they meet the “entrusted processor” threshold.
The PIPL creates a new world for personal data management for all companies doing business in or with China. November 1, 2021 is approaching fast, and so, companies will need to act fast in order to get their China data management issues resolved before then.
Jin Ling is a Principal and the Director of Rouse’s Commercial Law Practice based in Shanghai. Sunny Su is a Senior Associate in Lusheng Law Firm Beijing Branch. Holly White is a senior consultant, whi supports clients to exploit new commercial and R&D opportunities in China.