Global efforts to ensure data protection have increased dramatically over the years. Governments around the world have been concerned with creating laws and regulations that ensure the secure circulation and processing of citizens’ and users’ information, especially by companies, respecting people’s privacy and operating within the specific laws of the country.
After the European Union General Data Protection Regulation (GDPR), which seeks to guarantee citizens greater control over their own data, governments in several countries also started to invest in their own regulation with the same purpose.
The most recent regulation was from China, which, after several revisions since October 2020, has officially approved its PIPL (Personal Information Protection Law) in August of this year. The first draft was presented at the National People’s Congress of China on October 13, 2020, and opened for public review on October 21 of the same year.
A month later, the reviewed document was closed for internal assessment. In August 2021, the proposal was approved and is expected to take effect on November 1st.
The Chinese data protection law is similar to the European law, but with a stricter structure, especially for “Big Techs”. The goal is to further strengthen the current protection regime, regulating the collection, processing, and use of Chinese citizens’ data, including rules that avoid the monopoly and over-enrichment of some companies through population data.
The China Consumer Association strongly criticized this type of behavior by companies, saying that the algorithms are becoming a “technical intimidation” to consumers.
Data is seen by the Chinese government as a basic strategic resource that belongs to the country, and its use by third parties should be kept to a minimum, monitored, and limited to well-defined purposes. Therefore, with PIPL’s approval, the activities of organizations and individuals working with personal information will be heavily impacted.
European entities fear that the Chinese regulation will jeopardize trade between companies in the bloc and China, putting the privacy of their businesses at risk, since they will have to comply with protection demands that differ from those of the European GDPR.
For multinationals, the situation is no different: they face an uncertain business scenario and what they regard as invasive behavior by the Chinese government when auditing companies. In short, this uncertainty generates concern for companies because of the requirements described below.
The law presents requirements and regulations on the lawful handling of personally identifiable information, that is, information that in some way identifies the user in electronic media, including critical state security information and sensitive information involving religion, beliefs, ethnicity, financial information, user tracking, and others.
Thus, some key points can be highlighted that must be observed by companies in operations that deal with information of this nature.
Before any operation with personal data, companies or interested parties must request the consent of the users, who must be explicitly notified about any matter related to the processing of their data, including the identity and contact information of those responsible for handling it. (Article 24)
Those responsible for handling the data must adopt security measures that ensure protection against intrusion, leaks, or theft during data collection, distribution, and processing. Some of these measures involve data encryption and proper training of those responsible for operations and/or overseeing operations. (Articles 50, 51, 52)
Users must have the right to access their own data, being able to modify them, delete them, decide when their information can or cannot be processed, or request an explanation about the processing. (Articles 44, 45, 46, and 48)
The transfer of data outside China can only be done with the explicit consent of the subjects, who must be notified when their information is transferred outside Chinese territory. When processing crosses borders, an organization undergoes a security assessment, which must be approved to proceed with operations. (Articles 39 and 40)
When organizations reach the data-volume threshold defined by the Cyberspace Administration of China (CAC), they must store the information already collected and generated within Chinese territory. (Article 40)
The approval of the Law affected various sectors of the economy and raised concerns for Chinese companies and European multinationals, especially the ‘Big Techs’. In this sense, companies that deal with the distribution, collection, and processing of data, as well as the development of software and related activities must work ethically and morally, paying attention to all the requirements established by the law, if they want to ensure the smooth running of their business and a good reputation.