Landmark Legislation for Cybersecurity in China
The Personal Information Protection Law (PIPL), finalized by China’s National People’s Congress (NPC) in August of 2021, came into effect in November of 2021. It is the first piece of comprehensive legislation to address the responsibilities of companies in handling the personal data of Chinese citizens and sets serious penalties for non-compliance. As a data privacy legislation with a wide-reaching scope, PIPL has drawn comparisons to the EU’s General Data Protection Regulation (GDPR).
With harsh consequences for non-compliance and an extraterritorial scope, the PIPL has already begun to change how Chinese companies and multinational companies (MNCs) alike approach data storage and management. For MNCs especially, understanding the key requirements of the PIPL will be crucial in building cybersecurity infrastructure and practices for their China operations that are both PIPL compliant and globally interoperable.
Key Definitions
Consent: Individual consent is required for data handlers to handle personal information except in specific circumstances (Article 13). Consent is defined as voluntary and informed (Article 14). Consent must be obtained each time the purpose and method of data handling changes (Article 15) and consent may be withdrawn by the individual (Article 16).
Personal Information: Refers to various kinds of information, recorded by electronic means, that can be used to identify a natural person. This is contrasted with anonymous information, which cannot be used to identify a natural person (Article 4).
Personal Information Handling: Includes collection, storage, use, processing, transmission, provision, disclosure, deletion, etc. (Article 4).
Sensitive Personal Information: Refers to information on biometrics, religious beliefs, specific identities, medical information, financial accounts, location tracking, and any personal information of minors under 14 years old. Data handlers can only handle sensitive personal information if there is a specific purpose and need to fulfil and only under strict protection measures (Article 28).
Key Principles
Legitimate Purpose: Personal information handling should have a clear and reasonable purpose (Article 6).
Minimizing Data: Personal information handling should be minimized to the smallest scope possible for realizing the handling purpose. Excessive personal information collection is prohibited (Article 6).
Openness and Transparency: Provide notices on why and how personal information is handled (Article 7).
Securing Data: Data handlers are responsible for the data they handle and must take steps in ensuring data security (Article 50).
Extraterritorial Scope
Like the GDPR, China’s PIPL is extraterritorial in scope; the PIPL affects not only cybersecurity in China but also international cybersecurity practices. Whereas the GDPR only regulates companies set up in the EU, the PIPL applies to any company, even one outside of China, that handles the personal information of natural persons within the territory of the People’s Republic of China for the purpose of providing products to those persons or analyzing or evaluating their activities (Article 3).
Cross-Border Data Transfer (CBDT)
The CBDT provisions are where the PIPL has its most severe impact on MNC operations. Currently, to conduct a CBDT, companies must either pass a CAC security assessment, obtain personal information protection certification from the CAC, or conclude a CAC-formulated standard contract with the foreign recipient of the personal information (Article 38).
The 2023 Draft Provisions on Regulating and Promoting Cross-Border Data Flow, already adopted in China’s free trade zones, promise to ease some CBDT requirements if passed. The provisions include a negative list of data that does not require regulatory scrutiny under the PIPL CBDT requirements and an exemption for data handlers exporting the personal information of fewer than 10,000 individuals in one year.
Consequences
What really separates PIPL consequences from those found in the GDPR and other Western privacy laws is that PIPL penalties not only target the data handling company, but also the specific individual responsible for the data handling.
The PIPL promises grave penalties for noncompliance. Penalties are not limited to monetary fines; PIPL enforcement extends to shutting down businesses, taking down servers, and even imprisonment of responsible individuals.
In terms of monetary penalties, fines depend on the severity of the infraction and can reach CNY 50 million or 5% of a company’s annual revenue for severe infractions; illegal gains may also be confiscated. Beyond monetary penalties, businesses may lose their license, and the individuals responsible may be barred from holding similar positions (Article 66) or even imprisoned.
Enforcement Bodies
There are three main bodies that enforce PIPL’s cybersecurity regulations in China:
- The Cyberspace Administration of China (CAC) sits at the apex of the regulatory framework, coordinating between the different regulatory bodies and serving as the main enforcer of the personal information laws.
- The Ministry of Industry and Information Technology (MIIT) is mainly responsible for enacting non-monetary penalties, such as shutting down IT systems, delisting mobile apps, and blocking websites. The MIIT is the issuing body for telecommunications permits, such as ICP filings and licenses.
- The Ministry of Public Security (MPS), in the field of cybersecurity, is responsible for handling cybersecurity breaches and for enforcing the Multi-Level Protection Scheme (MLPS).
Compliance Considerations
Considering the severity of the consequences of PIPL non-compliance, it is imperative for MNCs to begin instituting the following suggested actions to ensure that their cybersecurity infrastructure and practices in China comply with the PIPL:
- Data Localization: With stringent CBDT provisions, PIPL encourages data localization of personal information within China’s borders. To set up data localization, choose a reputable cloud service provider (CSP) that has data centers in China.
- PIPL Compliant Contracts: When entering into agreements with third-party data handling providers, ensure there are provisions for compliance with the PIPL. For example, explicitly state in the contract with your CSP that your data must be stored in Chinese data centers, and regularly audit your CSP to ensure compliance.
- Personal Information Protection Officer: The PIPL outlines the need for companies to appoint a personal information protection officer (Article 52), responsible for ensuring their company’s data cybersecurity within the borders of the People’s Republic of China. This officer would be the company’s main point of contact for PIPL regulatory bodies.
- Cybersecurity Oriented Design: Companies should integrate the core tenets of the PIPL into their business model: collecting only necessary personal information, transparently disclosing to users what is collected, and implementing robust cybersecurity measures. MNC cybersecurity practices in China should include regular independent audits of CSPs, measures to monitor and control the flow of data out of China, and secure data encryption implementations.
JET IT Helps MNCs in PIPL Compliance
With the PIPL in effect since 2021, enforcement of penalties for PIPL non-compliance is already feasible. It is the obligation of any company handling Chinese personal information data to regularly engage in audits of their cybersecurity. To ensure your company’s networks are PIPL compliant, contact JET IT for an IT security audit.
As experienced providers of IT services, JET IT specializes in helping MNCs set up and secure their networks to meet Chinese regulatory standards. Aside from helping MNCs navigate ICP filings and licenses and local ERP software for their Chinese databases, we have also helped MNCs localize their data management and cybersecurity in China by creating separate networks for their China operations.
For example, to localize a client MNC’s multinational digital infrastructure for the Chinese regulatory environment, we helped them establish a local Microsoft 365 tenant to create a new PIPL compliant IT network that remains interoperable with global operations. By procuring local backup solutions in China, we also helped localize the company’s cybersecurity.
The information published in this article is not intended to be, and does not constitute, legal advice. This article only serves as a general guide; we recommend getting in touch with your legal team for legal support on PIPL compliance.