China’s New Data Protection Law Enters into Effect and Further Regulations are Expected
9 November 2021
China’s new sweeping data protection law, the Personal Information Protection Law (hereinafter “PIPL”), entered into force on 1 November 2021.
The Cyberspace Administration of China (“CAC”) will enforce the new law and is expected to enact further regulations, including with regard to international data transfers, as elaborated below.
Like other key data protection legislation, such as the European General Data Protection Regulation (“GDPR”), the PIPL applies extraterritorially to entities that process personal information outside of China, if the processing serves one of the following purposes:
- Providing products or services to Chinese individuals;
- Analyzing or assessing the behavior of Chinese individuals; and
- Other purposes as specified by other laws and regulations.
Violations of the PIPL could lead to suspension of services, or fines of up to 7.7 million USD or 5% of the violating entity’s annual revenue (the law does not specify whether this refers only to revenues generated in China).
Below are some of the key provisions of the PIPL:
- Appointment of a local representative: the PIPL requires foreign entities that fall within the scope of the law to assign a designated representative within the territory of China. The details of the representative would need to be communicated to the CAC.
- Lawful basis for processing: like other common privacy laws, the PIPL includes several legal bases for processing (e.g. consent, performance of a contract with the data subject, necessity for compliance with legal obligations). However, unlike the GDPR, for example, the PIPL does not provide ‘legitimate interests’ as a lawful basis. In addition, separate consent must be collected for certain types of processing, including international transfers and disclosure of personal information to third parties.
- Data subjects’ rights: the PIPL provides data subjects with the same rights as the GDPR. One noticeable difference, however, is that data subjects would be entitled to file lawsuits against entities that reject their requests to exercise their rights. The PIPL also imposes a presumption of liability on data controllers in this regard.
- Personal information impact assessments: the PIPL presents a concept that is similar to the GDPR’s Data Protection Impact Assessments (“DPIAs”). Covered entities are required to conduct these assessments in various circumstances, including, inter alia, approval of vendors who process personal information, international data transfers and other processing activities with a significant impact on data subjects’ rights. The records of the assessments must be retained for three years.
- Data localization: entities processing a large amount of data would need to store the collected personal information within China, and their international data transfers would need to rely on a security impact assessment (“SIA”) administered by the CAC. The CAC has yet to define the threshold in this regard.
- International data transfers: the PIPL presents several requirements with regard to international data transfers. The transfers will need to rely on one of the following legal bases:
- Obtaining a personal information protection certification by a professional organization in accordance with the regulations of the CAC; or
- Entering into a contract with the data importer, based on a standard contract formulated by the CAC (the CAC has not yet published such a contract).
As mentioned above, certain entities whose volume of processing reaches the threshold to be specified by the CAC will be required to undergo an SIA by the CAC, in addition to relying on the above-mentioned legal bases for international data transfers.
In this regard, the CAC has recently released for public comment the “Draft Measures on Security Assessment of Cross-border Data Transfers” (hereinafter “Guidelines”). These proposed Guidelines set out the thresholds that would trigger a mandatory SIA, which include the following:
- Entities that process data of over 1 million data subjects and intend to transfer data internationally;
- The accumulated volume of personal information transferred internationally exceeds that of 100,000 data subjects, or that of 10,000 data subjects in the case of sensitive personal information;
- The transferred data includes ‘important data’ (currently undefined);
- The entity is a critical information infrastructure operator (as defined under China’s Cybersecurity Laws) that collects personal information and ‘important data’; or
- Where otherwise required by the CAC.
Entities that fall within the scope of the CAC’s thresholds would need to submit various materials in connection with the SIA, including the entity’s self-assessment of the security of the transfer, an application form and the relevant data processing agreement (which in turn would need to be PIPL compliant and possibly even translated). If approved by the CAC, the assessments would need to be reviewed every two years.
At this point, the draft Guidelines are open for public consultation until 28 November 2021, and therefore the thresholds and requirements are still subject to changes.
Due to its extraterritorial applicability, the PIPL presents a significant regulatory development for entities that conduct business in connection with the personal data of Chinese residents. While the law is similar to other existing legislation in various respects, it has several unique requirements that may need to be addressed.
Please feel free to contact us if you have any questions regarding the new law and its potential effects on your company’s compliance efforts.
Kind regards,
Ariel Yosefi, Partner
Head of Technology & eCommerce Regulation