In brief
On 20 August 2021, the Standing Committee of the National People’s Congress passed the Personal Information Protection Law of the PRC (PIPL), after deliberating two draft versions and seeking public comment over a ten-month span. The passage of the PIPL signifies that China is stepping into a more robust and comprehensive personal information protection regime by establishing unified, cross-sector legislation, as the EU has done with the General Data Protection Regulation (GDPR).
The PIPL, in general, establishes a regime similar to the GDPR, although the requirements are not entirely the same, with the PIPL imposing stricter requirements in some areas. For instance, the PIPL imposes heightened requirements on the details to be disclosed to individuals for the processing of sensitive personal information and the cross-border provision of personal information (pursuant to the PIPL, the name and contact details of each and every foreign recipient must be disclosed), and requires separate consent from individuals for such processing. Also, the PIPL requires controllers to conduct security impact assessments under a number of processing scenarios. Further, the PIPL imposes a data localization requirement on operators of critical information infrastructure and on controllers that process an over-the-threshold volume of personal information (the threshold will likely be set at one million personal information subjects). In addition, the PIPL exerts more rigid control over cross-border data transfers.
Being GDPR-compliant does not guarantee being PIPL-compliant. Companies are advised to take action as soon as practically feasible to ensure that their China-related privacy practices comply with the requirements prescribed under the PIPL, as the PIPL takes effect on 1 November 2021. We recommend that companies:
- Develop a data governance framework and an in-house data compliance program.
- Conduct data mapping and data inventory checks, system profiling, and security risk identification and profiling.
- Review and update existing privacy notices that apply to Chinese residents by measuring them against the requirements under the PIPL (especially taking into account the heightened notification and separate consent requirements).
- Develop and update internal policies, protocols, standard operating procedures, and response mechanisms in regard to the protection of personal information, including, among others, conducting security impact assessments and establishing a channel for responding to requests from personal information subjects.
- Review and prepare for data localization to the extent applicable.
- Review and prepare for cross-border data transfer restrictions and formalities.
- Maintain and document appropriate contractual, technical, organizational and physical privacy and security measures for China, including the performance of due diligence of vendors, the management of vendor agreements, the monitoring of vendor compliance, and the administration of regular data privacy and security training for personnel.
With the enactment of the PIPL, the Chinese legislature has promulgated all of the “Three Horse Carriages” of the new-age data protection and cybersecurity regime, namely: (i) the Cybersecurity Law of the PRC, governing the construction, operation, maintenance, use and security of (cyber) networks in PRC territory; (ii) the Data Security Law of the PRC, principally dealing with data security, governance and trading, with a focus on data other than personal information; and (iii) the PIPL, which regulates personal information and related matters. Going forward, cybersecurity, non-personally-identifiable data and personal information will be regulated separately under these three principal laws.