China has implemented data protection legislation that affects how companies operate in China or transact with businesses or individuals there. The Personal Information Protection Law of the People’s Republic of China (PIPL) applies to organisations and individuals who process ‘personally identifiable information’ in China.
Companies who process, analyse or access personal data relating to individuals based in China, for example to provide a product or service or analyse their behaviour, will be required to comply with PIPL.
However, PIPL is not restricted to Chinese companies or locally affiliated multinational companies; Australian businesses that deal in Chinese personal information will also be caught by PIPL. This means Australian businesses that are working in China or offering goods and services to individuals based in China should review China’s data governance and cybersecurity regime to ensure they comply with the relevant laws.
PIPL came into effect on 1 November 2021. This is the third pillar of China’s data governance and cybersecurity regime. The other two pillars are the ‘Cybersecurity Law’ and the ‘Data Security Law’ which primarily focus on protecting China’s security interests. The recent compilation of laws comes as an attempt to consolidate regulations and regulate the digital economy.
PIPL governs the way you handle personally identifiable information. Handling includes ‘collection, storage, use, processing, transmission, provision, disclosure, deletion, etc.’ (PIPL Art 4).
Where an organisation handles personal information outside of China, PIPL applies where the purpose of the activities includes:
- providing products or services to individuals in China;
- analysing or assessing individual behaviour in China; or
- other circumstances defined by law and regulations.
Personally identifiable information is defined as ‘all information related to identified or identifiable natural persons.’ It does not include information which is anonymised. This is similar to the definition of personal information under the Australian Privacy Act; however, unlike the Australian definition, PIPL’s definition does not include opinions (whether true or not) about identified persons or persons who are ‘reasonably identifiable’.
PIPL imposes obligations upon a personal information handler, defined as any organisation or individual who determines the purpose and method of data handling.
PIPL has adopted similar, but not identical principles to the European Union’s General Data Protection Regulation (GDPR).
For example, both PIPL and GDPR have similar extraterritorial application and similar threshold tests for businesses, regardless of location, which process or handle personal information.
Another similarity is the use of standard clauses to safeguard data transfers and to clarify the limited circumstances where the processing of personal information is permissible without consent. The grounds are more stringent under PIPL than the GDPR.
PIPL also imposes fixed penalties of up to RMB 50 million and turnover-based penalties (up to 5% of annual turnover from the prior financial year) for grave violations of personal data processing. PIPL is silent on what is considered grave, but it would likely include intentional or repeat violations of the law.
China’s updated data protection laws come at a time of significant transition in the global community. With the EU and US agreeing in principle to a data transfer agreement to enable safe and secure transfers of US and EU personal information, this is a promising move towards synthesising international data transfer laws. PIPL also notes the Chinese Government may enter into treaties with other countries to allow for cross-border transfers of information. This would mean businesses can rely on the treaty instead of demonstrating compliance with PIPL. No treaty has been entered into yet.
What does this mean for Australian businesses?
If your business handles personal information that relates to any individual inside China (Chinese personal data), you need to ensure you comply with PIPL. An Australian business will be caught by PIPL if it:
- sells goods or services to persons in China;
- analyses the behaviour of persons in China;
- has a web platform accessible in China;
- employs personnel in China or individuals who ordinarily reside in China; and
- has customers who access their products or services in Australia but ordinarily reside in China.
What steps do these businesses need to take? At a high level, if you are handling Chinese personal data as a result of the scenarios contemplated above, your business will need to:
- Consider why you are processing the personal information and whether you have a clear lawful basis, such as to enter into or perform a contract with the data subject;
- Obtain appropriate consent from the relevant individual to handle their data; this can be done through a collection statement;
- Consider whether you require approval from the Chinese Government for cross-border transfers. Companies which handle the personal information of 1 million or more individuals and engage in cross-border transfers of data must submit a self-assessed security assessment to the Chinese Government and obtain approval;
- Implement appropriate technical security measures to protect the personal information; and
- Keep track of the information you are sending to other entities, particularly where the other entity is located overseas.
If you are unsure whether your business is impacted by PIPL, you can contact us here.
This article was originally posted to OneTrust.