On November 1st 2021, a new Chinese law, aptly named PIPL, or Personal Information Protection Law, took effect. PIPL is a major piece of legislation that aims at protecting personal information in China; it establishes a framework for handling personal information in one of the largest markets in the world.
PIPL, in some ways, is similar to the European GDPR, a law that is by now familiar to most online entrepreneurs. However, there are some important differences between the two regulations.
In this article we will look at the basic terms and concepts introduced by the law, dive into its key provisions, and compare it with the GDPR. Finally, we will provide a checklist of actionable items aimed at maximizing your compliance with the new legislation.
eCommerce is the primary interest for us here at TMO. While looking at the provisions of PIPL, we will pay particular attention to the points in the new Chinese privacy law that we think will have the biggest impact on eCommerce enterprises, together with our suggestions on how to handle them.
Background of PIPL
China is home to the largest internet population in the world: about 800 million users. This means almost every fifth internet user in the world connects to the global network from the Middle Kingdom. Chinese IT giants are swiftly catching up with their western counterparts: in 2020 the Chinese flagship Tencent overtook Facebook in market capitalization. The digital economy accounts for nearly 40 percent of China’s GDP, itself the second largest GDP in the world.
Yet, up until a few years ago there were few, if any, laws regulating this immense segment of the Chinese economy. This changed in 2016, when the Chinese government introduced the “Cybersecurity Law” (CSL), which dealt with internet infrastructure, internet service providers, and national cyber security. Next came the Data Security Law (DSL), regulating the handling of data in general.
Together with CSL and DSL, PIPL will form a comprehensive legal framework for China to manage data processing and network security issues.
PIPL defines several key terms that are used throughout the regulation. Let’s look at those terms.
Personal information
Here’s the definition of personal information from article 4 of the law.
“Personal information is all kinds of information, recorded by electronic or other means, related to identified or identifiable natural persons, not including information after anonymization handling.”
In other words, email addresses, telephone numbers, credit card numbers and postal addresses, everything that is routinely used in eCommerce, are all personal information from the law’s perspective.
Technically, PIPL does not limit personal information to any particular format. If you collect images, sounds, or videos with people in them, you are handling personal information too. It isn’t limited to electronic form either: the law applies to any hard copies that contain personal information as well.
Note that if personal information undergoes anonymization, it is no longer subject to PIPL, so, for example, you don’t have to worry about services like Google Analytics collecting user behaviour data on your website.
Sensitive personal information
PIPL also defines “Sensitive personal information”. Let’s look at the definition in article 28:
Sensitive personal information means personal information that, once leaked or illegally used, may easily cause harm to the dignity of natural persons or grave harm to personal or property security, including information on biometric characteristics, religious beliefs, specially-designated status, medical health, financial accounts, individual location tracking, etc., as well as the personal information of minors under the age of 14.
If your enterprise deals with medical information or the information of underage persons, you shouldn’t be surprised that the law has extra requirements for that.
For the rest of the businesses, the most relevant part is the individual’s location data. If you use and store any location-tracking data, whether for tracking foot traffic to your brick-and-mortar store, for displaying the nearest shop on the website, or for something along these lines, you are presented with an additional challenge.
In a practical sense, it means you would need to obtain extra consent to handle such data and implement stricter protection measures to safeguard it.
Personal information processing handler
In article 73, PIPL defines the term “Personal information processing handler” (“entity” in another translation), as:
Organizations and individuals that, in personal information handling activities, autonomously decide handling purposes and handling methods.
This is equivalent to the term “data controller” in GDPR: there it is also defined as an organization or a person who decides to collect and process personal information, sets the rules and defines procedures.
Similarly, what GDPR calls a “data processor”, in PIPL is referred to as an “entrusted party”.
However, while GDPR goes to great lengths describing the different functions and responsibilities of “processor” and “controller”, PIPL is much more straightforward. Essentially, it says that the “entrusted party” should handle everything according to its agreement with the “data handler”.
Where and to whom does PIPL apply?
As stated in article 3, PIPL applies to any activity of collecting and processing personal information within Chinese borders.
The law does not stop there, though: it also applies to any company or individual outside of China that collects personal data, in two cases:
- The data is used to provide services to a “natural person” in China
- The data is used to analyze and evaluate behaviour of “natural persons” in China
These conditions seem to exclude such cases as personal use, or where the use of personal data is incidental, for example stock photos with Chinese people on them, but any business-related use of personal data is clearly a concern of PIPL.
The extraterritorial approach is an important similarity between GDPR and PIPL. GDPR applies to non-EU data operators when EU citizens’ data is handled. Similarly, PIPL applies to non-Chinese entities when they handle the personal data of any “natural persons” in China.
This case, where information is handled from outside of China, is described in a separate chapter of the law; we will discuss it in more detail shortly.
Key concepts of PIPL
Basis for processing personal information
Whenever a company starts to collect and handle an individual’s personal information, it should obtain consent first (article 13). The law lists a few scenarios where this is not necessary, such as:
- You already have a legal contract with this individual and handling their personal information is a part of fulfilling the contract
- This is a public health/safety emergency
- The individual has already disclosed this information
- News reporting / public opinion polling
- Fulfilling statutory duties / obligations
In all other situations not described above, and certainly in the context of online eCommerce stores, PIPL requires companies to obtain consent to handle personal information.
As for what this consent should look like, the law states (article 14):
Where personal information is handled based on individual consent, said consent shall be given by individuals under the precondition of full knowledge, and in a voluntary and explicit statement.
It is not clear at the moment what practical form satisfies these requirements if you, say, have a registration or checkout form on your website. Most probably, a checkbox with the consent declaration should be enough.
Additionally, before you start processing personal information, you need to provide an individual with the following information, here’s another quote from the law (article 17):
- The name or personal name and contact method of the personal information handler;
- The purpose of personal information handling and the handling methods, the categories of handled personal information, and the retention period;
- Methods and procedures for individuals to exercise the rights provided in this Law;
From a practical standpoint, this means you need to provide all these points next to your lead form, or (if it is a lot of text) a link to a page with all this information.
Note another thing PIPL introduces in the list above: the retention period. The law does not define any hard limit on the length of the retention period; instead, article 19 states:
Personal information retention periods shall be the shortest period necessary to realize the purpose of the personal information handling.
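The consent, disclosure and retention requirements of articles 13, 14, 17 and 19 above can be turned into a small record-keeping model. The following is an added example, not code from the original article or from TMO; the purposes, information categories, customer identifiers and retention periods in it are constructed assumptions for illustration. It refuses to store anything that is not an explicit consent, checks that a given purpose and category are covered before processing, handles withdrawal, and reports which records have passed their disclosed retention period so the underlying data can be deleted.

```python
"""Consent ledger with a retention check, modelled on PIPL articles 13, 14, 17 and 19.

Added example, not from the original article. Purposes, categories, subject ids
and retention periods below are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple


@dataclass
class ConsentRecord:
    """One explicit consent by one individual for one stated handling purpose."""
    subject_id: str
    purpose: str                   # article 17: purpose disclosed before handling
    categories: Tuple[str, ...]    # article 17: categories of information covered
    retention_days: int            # articles 17/19: disclosed retention period
    given_at: datetime
    explicit: bool                 # article 14: an affirmative act, e.g. a ticked box
    withdrawn_at: Optional[datetime] = None

    def expires_at(self) -> datetime:
        return self.given_at + timedelta(days=self.retention_days)

    def active_at(self, now: datetime) -> bool:
        """Consent counts only if not withdrawn and still inside the retention period."""
        if self.withdrawn_at is not None and self.withdrawn_at <= now:
            return False
        return now < self.expires_at()


class ConsentLedger:
    def __init__(self) -> None:
        self._records: List[ConsentRecord] = []

    def record(self, rec: ConsentRecord) -> None:
        # Article 14: a pre-ticked box or silence is not consent; refuse to store it.
        if not rec.explicit:
            raise ValueError("consent must be a voluntary and explicit statement")
        self._records.append(rec)

    def withdraw(self, subject_id: str, purpose: str, when: datetime) -> int:
        """Withdraw every active consent of this subject for this purpose; returns the count."""
        count = 0
        for rec in self._records:
            if rec.subject_id == subject_id and rec.purpose == purpose and rec.active_at(when):
                rec.withdrawn_at = when
                count += 1
        return count

    def may_process(self, subject_id: str, purpose: str, category: str, now: datetime) -> bool:
        """True only if an active consent names both this purpose and this category."""
        return any(
            rec.subject_id == subject_id
            and rec.purpose == purpose
            and category in rec.categories
            and rec.active_at(now)
            for rec in self._records
        )

    def due_for_deletion(self, now: datetime) -> List[ConsentRecord]:
        """Records that are withdrawn or past their retention period; the personal
        information they cover should be deleted unless another legal basis applies."""
        return [rec for rec in self._records if not rec.active_at(now)]


# Constructed timestamp for the samples: the date PIPL took effect.
T0 = datetime(2021, 11, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    ledger = ConsentLedger()
    ledger.record(ConsentRecord("cust-42", "order_fulfilment", ("name", "address", "phone"), 365, T0, True))
    ledger.record(ConsentRecord("cust-42", "marketing", ("email",), 90, T0, True))
    now = T0 + timedelta(days=10)
    print("marketing email allowed:", ledger.may_process("cust-42", "marketing", "email", now))
    print("marketing phone allowed:", ledger.may_process("cust-42", "marketing", "phone", now))
    ledger.withdraw("cust-42", "marketing", now)
    print("after withdrawal:", ledger.may_process("cust-42", "marketing", "email", now))
    print("due for deletion after 400 days:", len(ledger.due_for_deletion(T0 + timedelta(days=400))))
```

The point of keeping consent per purpose and per category, rather than as a single yes/no flag, is that article 17 requires the purpose, categories and retention period to be disclosed up front, so the check at processing time should be against exactly what was disclosed.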
Data protection principles
PIPL sets a few principles companies should adhere to when processing personal information. These are similar to the principles listed in GDPR, which, in turn, inherit from the Fair Information Practice Principles, an international standard enacted in the 1980s.
Here are the principles, listed in PIPL:
- Principles of “legality” and “sincerity” should be observed when handling personal data. Handling it in a “misleading” way is prohibited (article 5).
- Handling of personal information should be “clear and reasonable”, and limited to the smallest scope, required for the purpose (article 6).
- The next principle is “openness and transparency”. Purpose, scope and rules of handling personal data should be disclosed (article 7).
- Handling of personal information should ensure quality of the information. Individuals should not suffer adverse consequences from inaccurate or incomplete data (article 8).
- Handlers should adopt proper security measures to safeguard the personal information they have collected (article 9).
- Finally, any illegal collection, handling, selling, buying, disclosing of personal information is prohibited (article 10).
Data subjects’ legal rights
Similar to GDPR, PIPL establishes basic rights of data subjects (the people whose information is being collected).
Essentially, everyone has the right to access the information collected about them, delete or amend some or all of it, and/or withdraw consent to the handling of their personal information completely.
It is on you as a company to set up a way for individuals to exercise these rights (article 50):
Personal information handlers shall establish convenient mechanisms to accept and handle applications from individuals to exercise their rights.
At this point the law does not have any specific requirements on how exactly these applications should be handled: through a form on the website, via email, via a physical paper-based application or in any other way. Nor does it set any specific time limit on processing such applications, only mentioning that it should happen “in a timely manner”.
Cross border transfer of personal information
If a company outside of Chinese borders is planning to handle the personal data of people in China, PIPL has a number of additional provisions in articles 38-43. Here are the things you need to have on top of the regular requirements:
- Additional consent for cross-border transfer of personal information.
- Additional notifications, disclosing information of the foreign recipient of personal information: name of the receiving party, methods they will be using, ways to exercise individual’s data rights (review, amend, delete their personal data) with this foreign handler.
Additionally, for “Critical Information Infrastructure operators” (this signifies companies in communication, energy, finance, transport, water supply and other industries, that can potentially affect national security) and in cases where data transfer volume exceeds certain limits (at the moment it is not clear what those limits are), companies will have to undergo a government security assessment before they can start transferring any data.
In other cases (for non-critical, under-limit data transfers) companies should either:
- Undergo a “personal information protection certification” with a special government agency
- Make sure the contract with the foreign company, that handles the data, is “in accordance with a standard contract formulated by the State cyberspace and informatization department”.
The details of such certification or standard contract are not available at the moment.
Alternative solutions to cross-border data transfers
Provisions related to cross-border transfer of data can be among the more difficult to follow correctly. When most of the solutions used today were developed, there were virtually no legal requirements concerning “data residency”. As a result, there is a chance you do transfer data abroad without even realizing it, for instance if your cloud CRM solution is hosted outside of China.
There are solutions being developed to address this new “data residency” concern on a technological level. Salesforce, for example, introduced Hyperforce, a solution that can be delivered from major public clouds.
There are companies offering Residency-as-a-Service solutions, which copy sensitive data to nationally-located servers or confine it there.
Another ingenious way of solving this problem is tokenization: all sensitive data you send to the foreign database is replaced with randomly generated strings (tokens). Whenever you need to retrieve the data, it is “deciphered” in real time. The mapping of tokens to actual data is hosted nationally; the data that is transferred abroad is anonymized (tokenized) and thus no longer subject to the personal data law.
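The tokenization approach just described, as an added example that is not code from the original article or from any vendor it names. It assumes a single in-country service (the “vault”) that holds the token-to-value map, and that only the tokenized copy of a record is ever sent to the foreign system. The order record, field names and customer values are constructed sample data.

```python
"""Tokenization vault for the cross-border data residency scenario described above.

Added example, not from the original article. The vault, the field names and the
sample order are assumptions; in practice the vault runs on nationally-located
infrastructure and the exported record is what goes to the foreign system.
"""
import secrets
from typing import Dict, Iterable


class TokenVault:
    """Replaces personal-information values with random tokens and keeps the map locally.

    Tokens are random, not derived from the value (no hash, no encryption of the value),
    so a token on its own or in bulk reveals nothing about the data it stands for.
    The map is therefore the sensitive asset and must never leave the country.
    """

    def __init__(self, token_bytes: int = 16) -> None:
        self._token_to_value: Dict[str, str] = {}
        self._token_bytes = token_bytes

    def tokenize(self, value: str) -> str:
        # The loop guards against the (negligible) chance of generating a token twice.
        while True:
            token = "tok_" + secrets.token_urlsafe(self._token_bytes)
            if token not in self._token_to_value:
                break
        self._token_to_value[token] = value
        return token

    def detokenize(self, token: str) -> str:
        # An unknown token is an error, not an empty string: a caller should never
        # silently receive "no data" for a reference it believes to be valid.
        return self._token_to_value[token]

    def forget(self, token: str) -> None:
        # Dropping the mapping makes every foreign copy of the token permanently
        # meaningless, which is how a deletion request can be honoured locally
        # even when the remote system still holds the tokenized record.
        self._token_to_value.pop(token, None)


def export_record(vault: TokenVault, record: Dict[str, str], pii_fields: Iterable[str]) -> Dict[str, str]:
    """Return a copy of `record` that is safe to send abroad: listed fields become tokens."""
    out = dict(record)
    for name in pii_fields:
        if out.get(name) is not None:
            out[name] = vault.tokenize(out[name])
    return out


def restore_record(vault: TokenVault, exported: Dict[str, str], pii_fields: Iterable[str]) -> Dict[str, str]:
    """Resolve the tokens in an exported record back to the original values (in-country only)."""
    out = dict(exported)
    for name in pii_fields:
        if out.get(name) is not None:
            out[name] = vault.detokenize(out[name])
    return out


# Constructed sample order (not real data). Only the listed fields are personal information.
PII_FIELDS = ("customer_name", "email", "phone", "shipping_address")
SAMPLE_ORDER = {
    "order_id": "ORD-0001",
    "customer_name": "Li Hua",
    "email": "li.hua@example.com",
    "phone": "+86 138 0000 0000",
    "shipping_address": "1 Example Road, Shanghai",
    "sku": "SKU-1234",
    "amount_rmb": "199.00",
}

if __name__ == "__main__":
    vault = TokenVault()
    abroad = export_record(vault, SAMPLE_ORDER, PII_FIELDS)
    print("sent abroad:", abroad)
    print("restored matches original:", restore_record(vault, abroad, PII_FIELDS) == SAMPLE_ORDER)
```

Two design choices matter here. Tokens are fresh random values each time, so the same email tokenized twice yields two unrelated tokens and the foreign copy cannot even be used to count repeat customers; if you need that linkage abroad, it must be a deliberate choice. And the non-personal fields (`order_id`, `sku`, `amount_rmb`) pass through untouched, so the foreign system can still do order analytics without holding anything that identifies the person.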
Automated decision-making
One seemingly exotic, yet potentially one of the most profound provisions in PIPL is concerned with what is called “Automated decision-making”. Article 73 of PIPL defines it as:
Activity of using computer programs to automatically analyze or assess personal behaviors, habits, interests, or hobbies, or financial, health, credit, or other status, and make decisions.
What is described here is nothing less than machine learning and artificial intelligence, technologies that are becoming more and more widespread in the world of eCommerce. Two major practical implementations are AI-driven “recommended products” and something known as “dynamic pricing” (the practice of dynamically adjusting the price based on the customer’s behaviour and other information, to maximize profit).
It looks like dynamic pricing is exactly what PIPL is after. The law states that personal information handlers
may not engage in unreasonable differential treatment of individuals in trading conditions such as trade price, etc.
Companies that use automated decision-making technologies are required to be able to explain how the decision process works and to provide an option for individuals to opt out of the process.
Other Information handlers’ duties
Let’s go through some additional duties that PIPL assigns to personal information handlers.
A company that handles personal information should set up a corresponding internal structure, establish the necessary rules and protocols, and conduct employee training on the subject. It has to adopt appropriate technical security measures, have security incident plans in place, etc.
If the amount of data reaches certain limits, determined by the authorities, a company should appoint a personal information protection officer, who would supervise all personal data related activities.
If a company that collects personal data happens to be located outside of China, it must establish a “dedicated office” or appoint a “designated representative” in China. Information about this office or representative should be filed with government authorities.
In case a company handles sensitive personal data, or if the data is transferred abroad, personal information handlers are required to conduct a personal information protection impact assessment. Such assessment should be conducted in advance and the records should be preserved.
Penalties in PIPL
The penalty for non-compliance with PIPL depends on the severity of the violation.
In case of a minor violation, as a first step, the government authority will issue a warning and a correction order. If you have gained any unlawful income, connected to the violation, it will be confiscated.
If a company refuses to correct the problem, more serious consequences will ensue. Companies can be fined up to 1 million RMB (150k USD); responsible individuals up to 100,000 RMB (15k USD), plus a very China-specific penalty: a record in the social credit system.
In case of “serious violations” the fine can go as high as 50 million RMB (7.5M USD), or 5% of the company’s revenue. Interestingly, the law does not specify whether it is the revenue generated in China or the global revenue that would be the basis for the fine calculation.
A final note on non-compliance. According to the law, a violation does not necessarily mean you have unlawfully processed or handled personal information. Failing to take the necessary steps to protect the data and implement proper security practices may also be considered a violation.
PIPL compliance checklist
Finally, here’s a brief checklist you can use to make sure your enterprise is compliant with the new PIPL law. While more details and best practices may be established in the future, this is what you can (and should) do according to what we currently know.
1. Check if the law applies to you
Look at your operations to see if PIPL applies to your situation.
- Do you collect or handle information from/of natural persons in China?
- Can this information be used to identify a person?
- Is it anonymized?
- Are you within or outside of China?
- Do you use it to provide services to or analyze Chinese customers?
Answering these questions will help you figure out if PIPL applies to your operations.
2. Determine your legal basis to process personal information
Unless you are in the news or public polling business, or in any of the other exotic scenarios mentioned in PIPL, consent should be your legal basis for processing personal information.
You also have to make sure individuals can access the required information about why and how the data is collected, and can express their consent to it.
There is currently no officially defined way to comply with these requirements, but a link to the required information and a checkbox next to your lead forms seem like a good start.
3. Are you following data protection principles?
Consider your operations, related to personal data processing. Measure them against the principles outlined in PIPL. Make sure you have “clear and reasonable” processes in place, publish related information on the website to be “open and transparent”, and commit to maintaining quality of the data.
Pay particular attention to the necessary security measures, doubly so if you handle “sensitive personal information”. Information security should be an important aspect for any enterprise, regardless of PIPL. This is a good opportunity to pick up whatever slack you still have there.
Finally, it goes without saying, but stay away from “misleading” practices and do not engage in illegal data collection, selling or buying.
4. Honor consumers’ rights to their personal information
One of the bigger technical and administrative challenges is that now you should have a procedure in place to allow users to review, amend and delete their data.
There is no guidance at this point on how exactly this should be handled, so providing a contact point for personal data requests is a good start.
5. Follow the requirements for the cross-border transfer
If you happen to transfer your data abroad, PIPL has some special requirements for you to comply with. As we discussed, depending on your operations, “data residency” may become the most technically challenging part of compliance with PIPL, although at the moment it is not absolutely clear what the requirements are. So, start with obtaining the additional consent and providing the additional information about the foreign recipient of the data.
6. Monitor updates and future developments
You probably noticed how many “not clear at the moment” moments there are in this post. While protecting personal information is not a new concept in China, doing so in the face of the explosive development of information technologies is something that hasn’t been done before.
You have to stay tuned to the subject of personal information protection in China, and implement or adjust your solutions according to new information as it appears.
At this point it is difficult to predict the overall effect PIPL would have. On one hand it does provide protection from abuse and mishandling of personal information. Data theft and illegal data trading would flourish in such a rich ecosystem if there were no regulations to stop them.
On the other hand, it already seems to have played a part in at least two companies leaving China: Yahoo and LinkedIn both cited “challenging legal environment” as one of the reasons to pull out.
One thing that is certainly refreshing about PIPL is its high-level approach and, as a result, its relatively small size: the translated version is only about 5000 words long. Compare that to the “mammoth” GDPR, almost 10 times the size at 50,000 words.
Conciseness, however, comes at the price of quite a few points still being left unclear. In the upcoming months we can expect more details explaining how the law should be implemented.
Meanwhile, if you are collecting and processing the personal data of natural persons in China, we highly recommend you implement the steps outlined in this article. Feel free to contact TMO Group to discuss how we can help you build or enhance your eCommerce business in compliance with the new Chinese PIPL regulation.
Disclaimer: This article is not legal advice. To ensure your business and website is PIPL compliant we recommend you speak with a qualified legal professional.