China's Personal Information Protection Act: A primer

IPL (China’s privacy law) is in force: Here's what you need to know about the law and how you should start thinking about compliance.

On Nov. 1, the brand-new Personal Information Protection Law (PIPL) came into force in the People’s Republic of China. It is a comprehensive, modern, globally consistent law on par with the EU’s General Data Protection Regulation, and it is imperative that you understand it if you’re collecting the personal information of people residing within China’s borders. 

How comprehensive is it? Both LinkedIn (which Microsoft owns) and Yahoo have decided compliance is not worth the cost of doing business at this point. They pulled out of China as the law went into effect last week.

The law is not, however, particularly difficult to understand, nor is it overly complex. The translation by the folks at Stanford isn’t even 6,000 words, and many of the provisions should already be part of any decent privacy program that’s complying with the EU General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA). 

In fact, most of the initial portion of the PIPL asserts that organizations should follow basic privacy principles that go back to the 1970s:

• Personal information is all information, electronic and otherwise, that relates to identifiable people — unless it’s been anonymized. 
• You should only collect information necessary for the service being performed or the contract being executed. 
• You should only collect data with explicit consent, in order to fulfill contracts and employ people, to keep people safe, and when “handling personal information disclosed by persons themselves or otherwise already lawfully disclosed, within a reasonable scope.” (Though you should tread lightly on that last one until there’s some litigation or enforcement surrounding it to provide scope and understanding of reasonableness. Oh, and there’s no such thing as “legitimate interest” in PIPL, so don’t give that one a try, either.)
• Once you’re no longer using the data for the specific purpose you gathered it, you should delete it. 
• You should take the necessary measures to safeguard the data. 
• If unauthorized people gain access to personal data, you have to tell the people affected. This law is particularly robust, though, in that you have to notify people if you think it’s possible unauthorized people gained access or will gain access in the future. Yes, really. It’s unclear how this would be enforced. 
• You should always be transparent and provide notice at the time of data collection explaining who you are and what you’re doing in simple terms. 
• It should be easy for people to exercise their rights regarding their data. 
  
  

If you’re doing all of that, you should be good! It sounds simplistic, but PIPL, like many privacy laws over the last decade, really does basically adhere to the good old “surprise minimization” principle: Would someone be surprised to discover you were doing that with their data? Then don’t do it. 

And PIPL gives you good reason to follow that principle: Minor violations can result in the Chinese government seeking to recoup the money you made by violating PIPL. It may halt your operations entirely within China. In addition, major violations can result in a fine of up to 5% of your annual revenue, or $7.5 million or so, whichever is higher. And there can be fines for individuals of up to about $150k. Plus, you may have to compensate affected parties. People can sue you directly and can sue individuals directly for violations of the act. 

As the law is still brand-new, there are still a few areas where Chinese regulators still need to fill in details. Especially important will be amounts of data that trigger certain elevated requirements for sending data outside the country, for example, and certain security measures be put in place. More news will be coming out of China over the course of the next six months to a year, for sure. Of course, additional regulations and guidelines are forthcoming.

That’s the sort of situation that catches your attention, hopefully, if you’re doing business in China. There are some nuances worth paying attention to, even if you’re following the basic principles outlined above.

Data localization 

The methods of transfer outside of China are still a bit in flux. As it reads now, you need to have explicit consent from the data subject and be able to satisfy one of the following:

• You get a “personal information protection certification conducted by a specialized body.” The problem here is that those bodies haven’t been created yet, but it may be that the certification isn’t that difficult to acquire. 
• You have a contract in place that the Chinese government will supply, similar to the EU’s standard contractual clauses, but which hasn’t been created yet. 
  
  

If you handle a certain amount of data — to be determined — you will also have to satisfy the Chinese cybersecurity and information department that you have appropriate security in place.

For the time being, if you’re moving personal data from China to not-China, you should make sure that it’s secure, that you have a contract of some kind in place that gives you assurances about adequate security if you’re working with a third party, and that you have explicit consent gathered in a way that explains where the data is going and who will have possession of it. 

Also: the law explicitly prohibits providing personal information to any foreign government entity (like law enforcement) without permission from the Chinese government. 

Consent 

You’ll need to get sophisticated with your means of gathering consent. Not only does it need to be explicit, but it also needs to be specific. If you’re changing your handling of the data, if you’re passing the data onward or if the data is involved in any kind of automated decision-making, you’re going to need to get new consent for that. 

Make sure your meta-tagging involves specific reference to what exact consent is attached to each piece of personal data. 

Oh, and the age of consent is 14. Before that, you need parental or guardian consent. 

Third parties

If you’re sharing data with anyone, even inside China, not only do you have to get consent for that, but you also need to have a contract with that third party outlining exactly what they’re allowed to do with the data. Nor can they ever share that with yet another third party, even if they contract. You have to set up an independent contract for that onward transfer. 

Sharing data with a third-party outside of China? See above on data transfers and data localization. 

Automated decision making

If you’re doing any automated decision making, you not only need explicit consent, but that consent needs to be based on a transparent explanation of how the decision making is done, and you have to guarantee “the fairness and justice” of the results. 

If it creates a biased result, where some people get a better deal based on providing their personal information, that’s not allowed. 

Data subject rights

In general, the data subject rights are similar to those already in place for the GDPR and CCPA. People have a right to see what data you have, to be provided a copy, and to be able to easily take that data to another organization. They have a right to deletion and correction, as well, though, you’ll remember, you’re supposed to delete their data anyway when you’re done using it for the specific purpose you collected it. 

Finally, it has to be “convenient” for people to exercise these rights. 

Operations

The law is fairly specific about how you have to handle personal data in terms of your internal operations. You have to have an internal policy that you can demonstrate to regulators and the public, and if you handle a certain amount of data (to be determined), you have to have a specific “personal information protection officer.”

It’s unclear whether you can outsource that position, but that person definitely has to be easy to find. 

Also, if you don’t have a mainland presence in China, you have to have an on-the-ground representative who people and the government can contact. 

Finally, as part of your personal information protection program, you have to “regularly” audit yourself to make sure you’re doing what you’re saying you’re doing, and you have to perform personal information impact assessments any time there’s a chance you’re handling sensitive information, doing automated decision making, sending data outside the mainland or providing it to a third party. That PIIA has to determine the legality of what you’re about to do and what the impact on the individuals would be in terms of their rights, interests, and the likelihood of their data being protected in the future

If you don’t follow any of the above requirements, the penalties begin to enter the realm of possibility. There are also special requirements for “personal information handlers providing important Internet platform services, that have a large number of users, and whose business models are complex” — including a requirement that you create a fully independent body to oversee your data handling — but we’ll assume that if you’re one of those kinds of companies you have a team of lawyers already working on this and you’re not getting your guidance on this from us. 

For most organizations operating in China, the safest course is radical transparency. Gather only what you need, tell people exactly what you’re going to do with it, and don’t do anything without getting consent to do it. Oh, and make sure no one gains unauthorized access and the data stays in China. 

That should keep you below the radar for the time being.