China’s new Personal Information Protection Law recently came into force. Having been passed on 20 August 2021, the law is the last of China’s trifecta of new cybersecurity and data laws, those being:
- The Cybersecurity Law, which came into force on 1 June 2017 and deals predominantly with the protection of what China calls “critical infrastructure”, imposing new requirements on network operators;
- The Data Security Law, which came into force on 1 September 2021 and imposes regulations on data-handling activities relevant to China, introducing a classification of “important” and “core state” data; and
- The Personal Information Protection Law, which came into force on 1 November and introduces for the first time comprehensive protections for personal data originating from China.
Whilst the Cybersecurity Law thus far has had limited impact upon data controllers and processors outside of Mainland China, the combination of the Data Security Law and in particular the Personal Information Protection Law could prove a regulatory headache for businesses with any interest in China. Both laws are extra-territorial, with application regardless of where an entity impacted by the law is located, and a breach of either could lead to the imposition of heavy fines.
The Data Security Law
The Data Security Law applies to both data activities conducted within mainland China and data activities conducted outside of mainland China which may harm national security or interests of China or its citizens. It requires those processing “core state data” or “important” data to establish and perfect data security management systems, strengthen risk monitoring, conduct periodic risk assessment reports for important data and obtain permission from the China Cyberspace Administration for cross-border data provision/transfer.
Whilst “core state data” appears to be data which may, if compromised, have an impact on China’s national security interests, “important” data is not yet defined. This of course creates a headache for businesses who suspect they might process “important” data. Essentially businesses wishing to steer clear of penalties under the new law currently have to make an educated guess, or consult with the authorities, to determine whether the data they process is important.
The penalties themselves are not insignificant, with a risk of rectification orders, fines of up to RMB10,000,000, suspension of businesses or revocation of business licences and potential criminal liability. Such liability may be targeted at a senior person within a non-compliant organisation.
If we take the Cybersecurity Law as a precedent, then the immediate liability of most foreign businesses would hopefully be relatively remote. That law predominantly focused on domestic institutions, in particular technology companies, and it can be expected that the new Data Security Law’s goal is to keep data sensitive to China’s interests within China. One would hope that the majority of businesses processing Chinese data are not processing such sensitive data.
However, two provisions of the Data Security Law are relevant to any entity doing business in China. They are Article 36 and Article 48, which state:
The competent organs of the PRC are to handle requests for the provision of data from foreign justice or law enforcement based on relevant laws and international treaties and agreements concluded or participated in by the PRC, or in accordance with the principle of reciprocity. Domestic organizations and individuals must not provide data stored within the PRC to foreign justice or law enforcement bodies without the permission of the competent organs of the PRC.
Where article 36 of this Law is violated by providing data to foreign justice or law enforcement bodies without the approval of the organs in charge, the relevant regulatory departments are to give warnings, may give a concurrent fine of between 100,000 and 1,000,000 RMB, and may give directly responsible managers and other directly responsible personnel a concurrent fine of between 10,000 and 50,000 RMB; where serious consequences result, a fine of between 1,000,000 and 5,000,000 RMB is to be given, and they may be ordered to suspend relevant operations, suspend operations for rectification, or cancel relevant business permits or licenses, and the directly responsible managers and other directly responsible personnel are to be given a fine of between 50,000 and 500,000 RMB.
These articles, in particular Article 48, prohibit the provision of data to any foreign law enforcement bodies without consent from a Chinese authority and impose heavy fines, on individuals within organisations as well as the organisations themselves, in the event of breach. The reference to foreign law enforcement bodies is, perhaps, deliberately vague.
This is a problem. Many organisations that source goods in China are required to comply with legislation in their home jurisdiction relating to money laundering, anti-bribery requirements, human trafficking, and perhaps even climate change regulations. In at least one of these examples, tipping off the suspected infringer of such a rule could be a crime. The problem widens when one considers organisations who regularly do business in China but are also required to comply with sanctions, or those entities which operate in a heavily regulated industry. We will, of course, have to wait to see how the Data Security Law, and in particular this element of it, is applied in practice.
The Personal Information Protection Law
Whilst the impact on non-Chinese businesses of the Data Security Law might be limited, the same cannot be said of the new Personal Information Protection Law. This can be likened to China’s take on the EU’s GDPR, and for the first time introduces in one piece of legislation a comprehensive set of rules to protect the personal data of those within China.
The law also has extra-territorial effect, regulating any entity within Mainland China which processes personal data, as well as foreign institutions carrying out personal data processing activities outside of Mainland China which relate to individuals in Mainland China or are for the purpose of offering services or products to Mainland China. Any foreign entity which is collecting China-originating personal data must establish an agency or appoint a representative in Mainland China.
The prescribed requirements for handling data are reminiscent of many provisions of the GDPR, save that they are worded in a manner which guarantees that they will have to be supplemented by future regulations or guidelines. For example, whilst much reliance is placed on the obtaining of consent (or in some cases multiple consents), guidance is not always forthcoming on how to obtain that consent. The key provisions will, however, be familiar to anyone versed in handling data subject to laws already established in other jurisdictions.
The provisions in the Personal Information Protection Law:
- Require informed consent to collect and process personal information (Article 14)
- Require collection and processing to be for a specific and reasonable purpose (Article 6)
- Introduce special rules for “sensitive” personal information (Article 29)
- Stipulate that retention of data must be for the shortest time necessary (Article 20)
- Require cross-border transfer of data to be regulated by state cyberspace authorities (Article 38)
- Require a separate consent for such cross-border transfer (Article 39)
- Introduce rights to have data held corrected or erased (Articles 46 and 47)
- Introduce a requirement to have security measures in place (Article 9)
- Require notifications in the event of a data breach (Article 56)
Despite this, the detail of each requirement, and how to comply with it, is not always clear. For example, we are told by Article 56 that in the event of a data breach a data handler must take “immediate” remedial measures and notify relevant departments, but we await guidance as to what form such measures should take.
What is clear, however, are the fines for breach of the Personal Information Protection Law, which echo the GDPR by imposing penalties of up to:
- RMB50,000,000 or 5% of annual turnover for the previous year
- Suspension of business
- A personal fine for the person in charge of up to RMB1,000,000; and/or
- Criminal liability
One would expect the impact of the Personal Information Protection Law to be similar to that experienced when the EU’s GDPR came into force, albeit in the case of the EU law businesses had plenty of time to prepare and arguably clearer rules to prepare for. Not so here.
That said, businesses collecting and using Chinese personal data, and/or transferring it outside of Mainland China, should take some immediate steps. The first of these is to conduct a data audit and risk assessment to ascertain the nature and volume of the data the business collects and processes which may be caught by the Personal Information Protection Law, which hopefully for most businesses should be a familiar process. In particular, businesses must pay close attention to how much of this data is transferred out of China and what record, if any, they have of consents in relation to such data given that a new consent most likely will be required.
The more onerous immediate step is to ensure that the business has an agency or representative in Mainland China to deal with queries and compliance under the new law. This is required by Article 53 and may prove problematic, since it is likely that in the case of non-compliance this agency or representative may face its own penalties. Anecdotal evidence suggests that China-based data protection officers are already in high demand, and one can expect this demand to increase as the Personal Information Protection Law is enforced.
Whilst the immediate reaction from an international business may be concern at the requirement to comply with yet another set of new data rules, a reaction which is perhaps justified, in truth the new laws (or at least the Personal Information Protection Law) should be welcomed.
Prior to the introduction of these new data laws Chinese data governance and its rules relating to the same were piecemeal and scattered across numerous other pieces of legislation. They were difficult to identify, to summarise, and most importantly of all provided scant protection for the personal data of Chinese citizens. The new laws may be a headache for those doing business in China, and may crib heavily from laws of other jurisdictions, but they are to be welcomed.
Article provided by INPLP member: Paul Haswell (Pinsent Masons, Hong Kong)
Dr. Tobias Höllwarth (Managing Director INPLP)