PIPL: The Rules and Impacts for Businesses

The China Personal Information Protection Law PIPL is the new data privacy law in China. It‘s aimed at protecting personal information and addressing issues with leakage of personal data. PIPL is a new cybersecurity law first conceptualised in 2014. It was passed into law on the 20^th August 2021 and took effect on 1^st November 2021.

This cybersecurity structure will regulate data protection and security in China indefinitely. All companies need to have been China data security law compliant by September 2021.

Businesses that have operations in China involving data collection and processing need to follow the rules set out by the PIPL, if not, they will face contraventions for non-compliance.

Who is Subject to PIPL?

Companies in all industries are affected by PIPL. Entities affected include Chinese domestic companies and Chinese subsidiaries set up by multinational companies. Also affected are foreign companies that do business in China, even those without physical business presence there. Any business whose activities include selling products or services to the Chinese market and collecting data and PII within China are subject to the law. It includes special reference to businesses that assess and analyze the behaviours of individuals in China.

Requirements of Data Security Law for Businesses

All companies with data processing activities are subject to DSL (Data Law Security). The DSL also provides for extra-territorial conditions if data processing activities conducted outside China harm the national security and public interest of Chinese citizens or entities. If information is regarded as critical to national security (Critical Information Infrastructure/CII) then Critical Information Infrastructure Operators (CIIO’s) must store that data locally in China.

All businesses that act as data processors need to establish and optimize a data security management system, adopting lawful and justified methods in collecting and using personal data. This includes consent management, data minimisation, access restriction, logging, auditing, encryption and data masking. Businesses operating in China need to arrange data security training for all staff who may come into contact with the data asset.

China operates a Multi-level Protection Scheme which is a certification grading an organisation by two considerations: impacted object and impacted level. Impacted objects refer to who or what will be impacted by a cybersecurity incident. These include Chinese citizens, individuals, organisations, social interest, public order, or national security. Impacted level refers to whether a cybersecurity incident will cause minor, major, or critical levels of impact on the objects by national security and social stability. Businesses that do not affect national security or public interests are usually classified as Level 1, while businesses that may affect social order and public interest are classified as Level 2 or above. Systems or applications with higher degrees of impact are more likely to be classified as Level 3 or even Level 4. Level 5 is reserved for state-owned military systems.

Companies operating in China also need to evaluate their exposure by association and prepare for these certification processes. If a network is determined to be Level 2 or above, the network operator must engage a qualified expert to carry out additional security reviews. Qualified experts are usually a third-party agency, but they can also be certified security professionals within the organisation.

Significant Impacts on Personal Information Handlers

Cross-border transfers may require a government security assessment or certification by a professional institution if the data transferred is above a certain size in terms of the number of customer records or the raw data volumes.

The law has requirements for the following disclosures to be made: The name and information of the overseas recipient, their purpose, and method of the data transfer, the type of personal information being processed, and the process by which an individual may consent and exercise their privacy rights.

Impact assessments will be required for businesses that wish to collect sensitive personal information and any business that wishes to use this information for automated decision-making. The processing purposes and methods will need to be assessed to ensure they are legitimate, justified, and necessary. How this impacts an individual’s right will need to be clarified, as well as the resulting security risk.

When collecting a subject’s financial status, consumption habits, and sensitivity to pricing, the data legislation may require a business to explain the data processing and justify any refused decisions based solely on the automated decision. This kind of assessment will ensure transparency, fairness, and impartiality when using data to make an automated decision.

New Additional Requirements on Sensitive PI

The PIPL includes an extended scope which defines that biometric characteristics, religious beliefs, medical records, financial accounts, and individual location, as well as the personal information of minors under the age of 14 are all considered sensitive personal information, and as such, have stricter processing requirements. This includes obtaining specific additional consent “ a person must consent to the capture of each of these and then separately consent to how they are processed.

PIPL requires additional security measures to secure sensitive personal information. These new measures may include strong encryption, separate storage facilities, no storage of biometric information such as facial images. PIPL will only allow facial recognition technologies in public areas for security purposes, with easily identified notices and independent consent of data subjects. Use of facial recognition technology must always obtain the subject’s specific, independent and explicit consent.

Impact on Businesses for Non-Compliance

If the collection of personal information is taking place, a business will be required to appoint a Personal Information protection officer. The officers appointed are similar in capacity to that of a DPO (Data Protection Officer) to supervise data processing and oversee the protection measures to be carried out.

Foreign companies without a business presence in China will need to set up an agency or appoint a representative in China to deal with data protection matters if the data processing outside of China is subject to the PIPL. Companies not preparing for these processes will face elevated compliance risks. These risks include audits and police-led inspections.

After audits and investigations have been completed, businesses that have been found to contravene the data security law can be subject to various penalties. This includes revoking of business licenses, suspension of business activities, potential criminal repercussions, and fines of up to 5% of annual business revenue.

Future Business Impact

As this law is in the early stage of implementation it may be too soon to ascertain how far-reaching the impact will be regarding data security around the globe.

The data security law will have the biggest impact on multination companies outside of China. China’s localised technology companies will most likely be the least affected, as the DSL primarily focuses on data leaving the country. The data security law will create a significant compliance process for companies who don’t want suspension face huge penalties.

The best way to navigate the future of business dealings in and around China is to establish a best practice that correlates with the PIPL and DSL and matches the processes set out within the legislation. Businesses impacted will need to revisit their existing data management procedures, identify specialists to support them with assessing exposure, impacts and the changes required to remain compliant,

Security legislation is a complex and every evolving domain, it is critical to revisit this often difficult to navigate and continually evolving landscape.