Goodwin Insights September 03, 2021

There’s a New Regulator in Town: China Passes an Omnibus Data Privacy Law

On August 20, the People’s Republic of China became the latest global economic powerhouse to pass an omnibus privacy law. Titled the Personal Information Protection Law (“PIPL”), the law was adopted by the Standing Committee of China’s National People’s Congress, China’s top legislative body, and is slated to take effect on November 1, 2021

Similar to other omnibus privacy laws such as the European General Data Protection Regulation (“GDPR”), the PIPL emphasizes data minimization and data impact assessments for certain processing activities. But the PIPL also comes with strict penalties, an emphasis on obtaining user consent, and restrictions on data transfers regulated by the Cyberspace Administration of China (CAC), China’s cybersecurity regulator.

Extraterritorial Applicability

The PIPL applies both within China and extraterritorially, requiring companies that do business around the world to pay attention to the new law. To fall under the PIPL’s scope, a company based outside of China must process the personal information of natural persons within the territory of the PRC for the purpose of providing products or services to Chinese residents or analyzing and evaluating the behavior of natural persons within China. Foreign companies doing business in China must appoint a local representative in the PRC who bears responsibility for compliance with the law.

Key Terms – Personal Information, Handlers, Entrusted Partners

The PIPL defines personal information broadly, to include all kinds of information that relates to an identified or identifiable natural person. Similar to the GDPR, the PIPL divides processors of personal information into two legally distinct categories: “handlers,” which are the companies that determine the purpose for data collection (not to be confused with “controllers,” the name given to this category of business under the GDPR), and “entrusted parties,” who process data on handlers’ behalf. Entrusted parties may only process a handler’s personal information for the purposes specified in an agreement with the handler. 

Data Processing Justifications

While other omnibus privacy laws permit companies to process personal information in accordance with their “legitimate interests” in operating their business, the PIPL offers companies no such flexibility. Rather, to legally justify the processing of personal information, companies must either obtain user consent, process the information in order to fulfill a contract with the user, or rely on a narrow set of justifications such as a public health emergency or compliance with a legal obligation. Functionally, this places a much greater emphasis on obtaining user consent than do similar laws like the GDPR.

Sensitive Data

Companies processing certain categories of sensitive personal information, such as biometric information, financial account information, or information belonging to minors under 14, can only process the information after conducting a risk assessment to determine that the processing is sufficiently necessary and that appropriately strict protective measures are in place to secure the information. 

The law also attempts to wade into complex territory such as the regulation of facial recognition technologies, the use of which has recently prompted a number of legal cases in China where building residents and visitors have protested the submission of their biometric information for facial recognition purposes. Similarly, the law requires that handlers who use personal information to make automated decisions ensure the transparency of the decision-making and the fairness and impartiality of the results. But while the law places strict requirements on businesses processing personal information, there is little in the law to indicate any legal limits on government surveillance. 

Cross-Border Data Transfers

If companies located in the PRC want to transfer personal information across borders, they must take specific steps, such as entering into a contract with the overseas recipient in accordance with a yet-to-be-published standard form, or submit to a security assessment organized by the CAC. But some entities must comply with the PIPL’s data localization rules: operators of critical information infrastructure and processors of large amounts of personal information must store personal information within the territory of the PRC, and cannot transfer the information abroad. 

Enforcement

How the law will be enforced in practice remains to be seen. But the price of noncompliance is high, with violations of the law potentially costing companies fines ranging between $7.7 million or up to 5% of the previous year’s business revenue. The PIPL also provides a mechanism for judicial redress to allow affected individuals to receive compensation from data handlers, and comes with fines for the company officers who are directly responsible for the violations. 

When considering the impact the law will have on a company’s business, companies should also pay attention to the various ways in which the PRC has recently begun to regulate China’s digital economy. For instance, China’s Ministry of Industry and Information said recently that 43 applications, including WeChat, illegally transferred user data such as contact lists and location data, and ordered their parent companies to rectify the alleged violations by August 25, 2021. Similarly, the CAC recently ordered that Didi, China’s ride-sharing giant, be removed from app stores during a review of the company’s data privacy practices as a “critical information infrastructure operator.” China’s market regulator, the State Administration for Market Regulation, also recently issued draft rules aimed at stopping unfair competition on the Internet, and the CAC issued draft guidelines to regulate the algorithms that social media companies use to make recommendations to users. 

Next Steps

Companies doing business in China should keep a close eye on developments over the next couple of months as they seek to determine what steps, if any, they need to take to comply with the new law. The regulator is expected to quickly issue additional guidance, including in connection with cross-border data transfers, in anticipation of the law going into effect.