On November 1st 2021, a new Chinese law, aptly named PIPL, or Personal Information Protection Law, took effect. PIPL is a major piece of legislation that aims at protecting personal information in China. Together with the Cybersecurity Law (CSL) and the Data Security Law (DSL), it establishes a framework for handling personal information in one of the largest markets in the world.
PIPL, in some ways, is similar to the European GDPR, a law that is by now familiar to most online entrepreneurs. However, there are some important differences between the two regulations.
TMO Group invited Hansheng Law Offices to collaborate on this article, which is intended to serve as a guide to this new legislation. We will look at the basic terms and concepts introduced by the law, dive into its key provisions, and compare it to the GDPR. Finally, we will provide a checklist of actionable items aimed at maximizing your compliance with the new legislation.
eCommerce is the primary interest for us here at TMO. While looking at the provisions of PIPL, we will pay particular attention to the points that we think would have the biggest impact on eCommerce enterprises, together with our suggestions on how to handle them.
If you need an audit of your eCommerce enterprise’s compliance with PIPL, or support on either the technical or the legal side, please feel free to contact us: TMO Group for the latest list of technical features for eCommerce websites and Hansheng Law Offices for a legal template.
Background of PIPL
China is home to the largest internet population in the world, about 800 million users. It means almost every 5th internet user in the world connects to the global network from the Middle Kingdom. Chinese IT giants are swiftly catching up with their western counterparts: in 2020 the Chinese flagship Tencent overtook Facebook by market capitalization. The digital economy accounts for nearly 40 percent of China’s GDP, the second largest GDP in the world.
Yet, the policies that regulated this immense segment of the Chinese economy were rather lax. As digital technologies develop and more and more companies adopt a data-driven approach in their operations, the risk of security breaches and data leaks grows too. It is impossible to ignore the impact of such incidents on society or on individuals. This is why the security of personal information is a growing concern of both companies and the government.
In 2016, the Chinese government introduced the “Cybersecurity Law” (CSL), which deals with internet infrastructure, internet service providers, and national cyber security. Next came the Data Security Law (DSL), regulating the handling of data in general.
Together with CSL and DSL, PIPL will form a comprehensive legal framework for China to manage data processing and network security issues.
PIPL defines several key terms that are used throughout the regulation. Let’s look at those terms, starting with personal information.
Here’s the definition from article 4 of the law:
“Personal information is all kinds of information, recorded by electronic or other means, related to identified or identifiable natural persons, not including information after anonymization handling.”
In other words, things like email, telephone, credit card number or address, everything that is routinely used in eCommerce, are all personal information from the law’s perspective.
Technically, PIPL is not limiting personal information to any particular format. If you collect images, sounds, or videos with people on them — you are handling personal information too. It isn’t limited to electronic form either: the law applies to any hard copies that contain personal information as well.
It is worth noting that Personal Information under PIPL is the same concept as “Personal Data” under GDPR; however, it is not the same as “Data” under DSL. Data under DSL means “any recording of information by electronic or other means” (article 3 of DSL) and is the form in which personal information is expressed.
Anonymization and tokenization
Two related concepts, also mentioned in the law, are anonymization and tokenization (or, in this translation “de-identification”).
Tokenization (de-identification) refers to a process where all personal information is replaced with randomly generated strings (tokens). Such tokenized data in itself cannot be used to identify individuals, but it can still be easily “deciphered” by someone who holds the token-to-information mapping (the key).
Anonymization, on the other hand, is the process of altering the data in such a way that it is not only impossible to identify individuals in it, but also the original information cannot be restored in principle.
Note that if personal information undergoes anonymization (but not tokenization), it is no longer subject to PIPL. So, for example, you don’t have to worry about services like Google Analytics collecting user behaviour data on your website.
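To make the distinction concrete, here is an added Python example (not from the article, and not any particular product’s code): it tokenizes constructed sample records through a lookup table, shows that whoever holds that table can re-identify them, and then derives an irreversible anonymized aggregate from the same records. The record fields, the 10-year age bands and the k=3 suppression threshold are assumptions chosen for illustration.

```python
import secrets
from collections import defaultdict

# Constructed sample customer records (fictional people, not real data)
RECORDS = [
    {"email": "a@example.com", "phone": "+86-138-0000-0001", "city": "Shanghai", "age": 34, "spend": 120.0},
    {"email": "b@example.com", "phone": "+86-138-0000-0002", "city": "Shanghai", "age": 38, "spend": 80.0},
    {"email": "c@example.com", "phone": "+86-138-0000-0003", "city": "Shanghai", "age": 31, "spend": 200.0},
    {"email": "d@example.com", "phone": "+86-138-0000-0004", "city": "Beijing", "age": 52, "spend": 60.0},
]

# Fields that directly identify a person (assumed set for this example)
DIRECT_IDENTIFIERS = ("email", "phone")


class TokenVault:
    """Tokenization (de-identification): each identifier is swapped for a random
    token and the mapping is kept. Anyone holding the mapping can reverse the
    process, which is why tokenized data is still personal information under PIPL."""

    def __init__(self):
        self._to_token = {}
        self._to_value = {}

    def tokenize(self, value):
        # Same input always yields the same token, so joins across tables still work
        if value not in self._to_token:
            token = "tok_" + secrets.token_hex(8)
            self._to_token[value] = token
            self._to_value[token] = value
        return self._to_token[value]

    def detokenize(self, token):
        return self._to_value[token]


def tokenize_records(records, vault):
    """Return copies of the records with direct identifiers replaced by tokens."""
    return [{**r, **{f: vault.tokenize(r[f]) for f in DIRECT_IDENTIFIERS}} for r in records]


def reidentify(tokenized, vault):
    """Restore the original identifiers: possible for whoever holds the vault."""
    return [{**r, **{f: vault.detokenize(r[f]) for f in DIRECT_IDENTIFIERS}} for r in tokenized]


def age_band(age):
    """Generalize an exact age into a 10-year band (e.g. 34 -> '30-39')."""
    lo = (age // 10) * 10
    return f"{lo}-{lo + 9}"


def anonymize_records(records, k=3):
    """Anonymization: drop direct identifiers, generalize the quasi-identifier
    (exact age -> band) and publish only per-group aggregates. Groups with fewer
    than k people are suppressed. No mapping back to individuals is retained,
    so the original information cannot be restored from the output."""
    groups = defaultdict(list)
    for r in records:
        groups[(r["city"], age_band(r["age"]))].append(r["spend"])
    return [
        {"city": city, "age_band": band, "count": len(spends),
         "avg_spend": round(sum(spends) / len(spends), 2)}
        for (city, band), spends in sorted(groups.items())
        if len(spends) >= k
    ]


if __name__ == "__main__":
    vault = TokenVault()
    tokenized = tokenize_records(RECORDS, vault)
    print("tokenized:", tokenized[0])
    print("re-identified with the vault:", reidentify(tokenized, vault)[0])
    print("anonymized aggregate:", anonymize_records(RECORDS))
```

The tokenized output looks harmless on its own, but the vault turns it straight back into the original records, so it must be protected and stays in scope; the aggregate has no such key.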
Sensitive personal information
PIPL also defines “Sensitive personal information”. Let’s look at the definition in article 28:
Sensitive personal information means personal information that, once leaked or illegally used, may easily cause harm to the dignity of natural persons or grave harm to personal or property security, including information on biometric characteristics, religious beliefs, specially-designated status, medical health, financial accounts, individual location tracking, etc., as well as the personal information of minors under the age of 14.
If your enterprise deals with medical information or information of underage persons, you shouldn’t be surprised that the law has extra requirements for that.
For the rest of the businesses, the most relevant part is the individual’s location data. If you use and store any location-tracking based data: for tracking foot traffic to your brick-and-mortar store, to display the nearest shop on the website, or something along these lines — you are presented with an additional challenge.
In a practical sense, it means you would need to obtain extra consent to handle such data and implement stricter protection measures to safeguard it.
Personal information processing handler
In article 73, PIPL defines the term “Personal information processing handler” (“entity” in another translation), as:
Organizations and individuals that, in personal information handling activities, autonomously decide handling purposes and handling methods.
This is equivalent to the term “data controller” in GDPR: there it is also defined as an organization or a person who decides to collect and process personal information, sets the rules and defines procedures.
Similarly, what GDPR calls a “data processor”, in PIPL is referred to as an “entrusted party”.
However, while GDPR goes to great lengths discussing the different functions and responsibilities of the “processor” and the “controller”, PIPL is much more straightforward. Essentially, it says that the “entrusted party” should handle everything according to its agreement with the “data handler”, and that the “entrusted party” should review the agreement to check whether it complies with PIPL’s basic requirements for personal information handlers.
Where and to whom does PIPL apply?
As stated in article 3, PIPL applies to any activity of collecting and processing personal information within Chinese borders.
The law does not stop there, though: it also applies to any company or individual outside of China that collects personal data, in two cases:
- The data is used to provide services to a “natural person” in China
- The data is used to analyze and evaluate behaviour of “natural persons” in China
These conditions seem to exclude such cases as personal use, or where the use of personal data is incidental, for example stock photos with Chinese people on them, but any business-related use of personal data is clearly a concern of PIPL.
The extraterritorial approach is an important similarity between GDPR and PIPL. GDPR applies to non-EU data operators when EU citizens’ data is handled. Similarly, PIPL applies to non-Chinese entities when they handle personal data of any “natural persons” in China.
This case, where information is handled from outside of China, is described in a separate chapter of the law; we will discuss it in more detail in a short while.
Key concepts of PIPL
Basis for processing personal information
Whenever a company starts to collect and handle an individual’s personal information, it should acquire consent first (article 13). The law lists a few scenarios where this is not necessary, such as:
- You already have a legal contract with this individual and handling their personal information is a part of fulfilling the contract
- This is a public health/safety emergency
- The individual has already disclosed this information
- News reporting / public opinion polling
- Fulfilling statutory duties / obligations
In all other situations not described above, and certainly in the context of online eCommerce stores, PIPL requires companies to acquire consent to handle personal information.
“Inform-consent” is a key concept in PIPL. As for what it should look like, the law states (article 14):
Where personal information is handled based on individual consent, said consent shall be given by individuals under the precondition of full knowledge, and in a voluntary and explicit statement.
To express their consent, individuals should proactively make an oral, paper-based or electronic statement, or perform an “affirmative action” that explicitly authorizes the specific processing of their personal information. “Affirmative actions” include such actions as ticking, clicking statements with the words “agree”, “register”, “send”, “call”, or actively filling in or providing related statements, etc.
Although currently there is no regulation that requires a specific practical form of the “inform-consent”, the released draft of the “Guidelines for Information Security Technology Personal Information Notification Consent” can provide some explanation. After it takes effect, it will serve as a legal basis for “inform-consent”.
Additionally, before you start processing personal information, you need to provide an individual with the following information. You should do that in a true, accurate, and complete way, using clear and easy-to-understand language. Here’s another quote from the law (article 17):
- The name or personal name and contact method of the personal information handler;
- The purpose of personal information handling and the handling methods, the categories of handled personal information, and the retention period;
- Methods and procedures for individuals to exercise the rights provided in this Law;
From a practical standpoint it means you need to provide all these points next to your lead form, or (if it is a lot of text) to have a link to a page with all this information.
In addition, where a change occurs in the matters listed above, individuals shall be notified about the change. At the same time, the notification should be made public and convenient to read and store.
PIPL outlines 5 cases, where a separate consent should be obtained, on top of the basic consent to process personal information. Here are these 5 cases:
- Processing sensitive personal information (article 29)
- Personal information is passed to another personal information handler (article 23)
- Personal information being disclosed (article 25)
- Processing biometric data and identity-distinguishing characteristics, except when it is done for public security (article 26)
- Sending personal information outside of China (article 39).
At the moment there are no agreed standards on how to obtain such separate consent, but there are similar administrative regulations we can refer to. For example, article 13 of the “Measures for the Supervision and Administration of Online Transactions”, implemented on May 1, 2021, states:
[..] in case of collection and use of sensitive information such as personal biometrics, medical health, financial accounts, personal whereabouts, etc., consumer consent shall be obtained item by item.
Speaking of the practical side, to follow PIPL requirements, separate consents should be explicit (clearly stated), itemized (each consent should be a separate item), not bundled (an action is required for each one; it can’t be “wholesale”), and not generalized (describe the details of the particular case).
In two additional cases, PIPL has provisions for a re-consent, that is, the situation where the personal information handler has to once again obtain consent from the individual.
Those scenarios include the change of either purpose or methods of handling personal information, that occur as a result of a merger, acquisition, bankruptcy or similar event (Article 22), or if a handler passes the information to another handler (Article 23).
Note another thing PIPL introduced in the list above: the retention period. While the law does not define any hard limits on the length of the retention period, in article 19 it states:
Personal information retention periods shall be the shortest period necessary to realize the purpose of the personal information handling.
There is no hard limit on the retention period in the PIPL, but there are specific requirements in certain industries. For example, the Chinese Labor Contract Law has a “shortest period” standard which requires companies to keep the employment contract of the departing employee for at least 2 years. Therefore, it is recommended that personal information be stored in accordance with the “shortest time” standard under the precondition that it is not in violation of Chinese mandatory laws.
Data protection principles
PIPL sets a few principles companies should adhere to when processing personal information. These are similar to the principles listed in GDPR, which, in turn, inherit from the Fair Information Practice Principles, an international standard enacted in the 1980s.
Here are the principles, listed in PIPL:
- Principles of “legality” and “sincerity” should be observed when handling personal data. Handling it in a “misleading” way is prohibited (article 5).
- Handling of personal information should be “clear and reasonable”, and limited to the smallest scope, required for the purpose (article 6).
- The next principle is “openness and transparency”. Purpose, scope and rules of handling personal data should be disclosed (article 7).
- Handling of personal information should ensure quality of the information. Individuals should not suffer adverse consequences from inaccurate or incomplete data (article 8).
- Handlers should adopt proper security measures to safeguard the personal information they have collected (article 9).
- Finally, any illegal collection, handling, selling, buying, disclosing of personal information is prohibited (article 10).
Data subjects’ legal rights
Similar to GDPR, PIPL establishes basic rights of data subjects (people, whose information is being collected).
Essentially, everyone has a right to get access to the information collected about them, delete or amend some or all of it, and/or withdraw the consent of handling personal information completely.
It is on you as a company to set up a way for individuals to exercise these rights (article 50):
Personal information handlers shall establish convenient mechanisms to accept and handle applications from individuals to exercise their rights.
At this point the law does not have any specific requirements for how exactly these applications should be handled: through a form on the website, via email, via a physical paper-based application or in any other way. Nor does it set any specific time limit on processing such applications, only mentioning that it should happen “in a timely manner”.
Cross border transfer of personal information
In the case a company outside of Chinese borders is planning to handle personal data of people in China, PIPL has a number of additional provisions in articles 38-43. Here are the things you need to have on top of regular requirements:
- Additional consent for cross-border transfer of personal information.
- Additional notifications, disclosing information of the foreign recipient of personal information: name of the receiving party, methods they will be using, ways to exercise individual’s data rights (review, amend, delete their personal data) with this foreign handler.
Additionally, for “Critical Information Infrastructure operators” (this refers to companies in communication, energy, finance, transport, water supply and other industries that can potentially affect national security) and in cases where the data transfer volume exceeds certain limits (at the moment it is not clear what those limits are), companies will have to undergo a government security assessment before they can start transferring any data.
In other cases (for non-critical, under-limit data transfers) companies should either:
- Undergo a “personal information protection certification” with a special Government agency
- Make sure the contract with the foreign company that handles the data, is “in accordance with a standard contract formulated by the State cyberspace and informatization department”.
The details of such certification or standard contract are not available at the moment; in the meantime, the relevant provisions under GDPR may be referred to.
Finally, if a personal information handler happens to be located outside of China, it must establish a “dedicated office” or appoint a “designated representative” within the borders of the People’s Republic of China. Information about this office or representative should be filed with government authorities.
Alternative solutions to cross-border personal data transfers
Provisions related to cross-border transfer of data can be one of the more difficult to follow correctly. When most of the solutions used today were developed, there were virtually no legal requirements concerning “data residency”. As a result, there is a chance you do transfer the data abroad, without even realizing it — for instance, if your cloud CRM solution is hosted outside of China.
There are solutions being developed to address this new “data residency” concern on a technological level. Salesforce, for example, introduced Hyperforce, a solution that can be delivered from major public clouds.
There are also companies offering Residency-as-a-Service solutions, copying or confining sensitive data to nationally-located servers.
Another interesting provision in PIPL is concerned with what is called an “Automated decision making”. In article 73 PIPL defines it as:
Activity of using computer programs to automatically analyze or assess personal behaviors, habits, interests, or hobbies, or financial, health, credit, or other status, and make decisions.
As machine learning and artificial intelligence technologies become more and more common in the field of e-commerce, their most common practical implementations are artificial intelligence-driven “recommended products” and “dynamic pricing” functions (a way to dynamically adjust prices to maximize profits based on certain behavioral characteristics of customers and other information).
The law allows using automated decision making for “reasonable” differential treatment that guarantees fairness and justice. “Unfair” and “unreasonable” treatment is not allowed.
Additionally, whenever the use of automated decision-making produces decisions with a major influence on the rights and interests of the individual, companies are required to explain how the decision process works and to provide an option for individuals to opt out of the machine-only process.
Other Information handlers’ duties
Let’s go through some additional duties that PIPL assigns to personal information handlers.
A company that handles personal information should set up a corresponding internal structure, establish the necessary rules and protocols, and conduct employee training on this subject. It has to adopt appropriate technical security measures, have security incident plans in place, etc.
If the amount of data reaches certain limits, determined by the authorities, a company should appoint a personal information protection officer, who would supervise all personal data related activities.
In case a company handles sensitive personal data, or if the data is transferred abroad, personal information handlers are required to conduct a personal information protection impact assessment. Such assessment should be conducted in advance and the records should be preserved.
Penalties in PIPL
The penalty for non-compliance with PIPL depends on the severity of the violation.
In case of a minor violation, as a first step, the government authority will issue a warning and a correction order. If you have gained any unlawful income, connected to the violation, it will be confiscated.
If a company refuses to correct the problem, more serious consequences will ensue. Companies can be fined up to 1 million RMB (150k USD); responsible individuals up to 100,000 RMB (15k USD), plus a very China-specific penalty: a record in the social credit system.
In case of “serious violations” the size of the fine can go as high as 50 million RMB (7.5M USD), or 5% of the company’s revenue. Interestingly, the law does not specify whether it is the revenue generated in China or the global revenue that would be the basis for the fine calculation.
A final note on non-compliance. According to the law, a violation does not necessarily mean you have unlawfully processed or handled personal information. Failing to take the necessary steps to protect the data and implement proper security practices may also be considered a violation.
PIPL does not explicitly mention cookies. The question of whether cookies are a form of personal information, however, has been discussed for a long time. There are a couple of regulations that allow us to get a clearer understanding of the official position regarding cookies. The two documents in question are the “Cybersecurity Law of the People’s Republic of China” (中华人民共和国网络安全法) and the “Information Security Technology Personal Information Security Specification” (信息安全技术个人信息安全规范) from 29th of December 2017.
Appendix A of the first document lists items that are considered personal information. The list includes things like internet browsing history, software usage logs, and click logs. Also, both regulations to a certain extent refer to the internationally recognized doctrines for the identification of personal information. They recognize that the use of multiple data sources and cross-referencing tools can significantly expand the capability of analysis. At the current level of technology, the combination of, for example, browsing history with server logs and account information can easily identify a specific individual. Therefore, such records may be recognized as personal information.
There are currently no special rules for collection, use, and processing of cookies, but, in theory, these actions should abide by the “Cybersecurity Law” and other relevant laws, regulations, and other national standards for the protection of personal information.
PIPL compliance checklist
Finally, here’s a brief checklist you can use to make sure your enterprise is compliant with the new PIPL law. While more details and best practices may be established in the future, this is what you can (and should) do according to what we currently know.
1. Check if the law applies to you
Look at your operations to see if PIPL applies to your situation.
Do you collect or handle information from/of natural persons in China?
Can this information be used to identify a person?
Is it anonymized?
Are you within or outside of China?
Do you use it to provide services to or analyze Chinese customers?
Answering these questions will help you figure out if PIPL applies to your operations.
2. Determine your legal basis to process personal information
Unless you are in the news, or public polling business, or in any of the other exotic scenarios mentioned in PIPL, consent should be your legal basis to process personal information.
You also have to make sure individuals can access required information about why and how the data is collected and express their consent for it.
3. Make sure you are following the main data protection principles
Consider your operations, related to personal data processing. Measure them against the principles outlined in PIPL. Make sure you have “clear and reasonable” processes in place, publish related information on the website to be “open and transparent”, and commit to maintaining quality of the data.
Pay particular attention to the necessary security measures, doubly so if you handle “sensitive personal information”. Information security should be an important aspect for any enterprise, regardless of PIPL. This should be a good opportunity to pick up whatever slack you still have left there.
Finally, it should go without saying, but stay away from “misleading” practices and do not engage in illegal data collection, selling or buying.
4. Honor consumers’ rights to their personal information
One of the bigger technical and administrative challenges is that now you should have a procedure in place to allow users to review, amend and delete their data.
There is no guidance at this point on how exactly this should be handled, so providing a contact point for personal data requests should be a good start.
5. Follow the requirements for the cross-border transfer
If you happen to transfer your data abroad, PIPL has some special requirements for you to comply with. As we discussed, depending on your operations, “data residency” may become the most technically challenging part of compliance to PIPL, although at the moment it is not absolutely clear what the requirements are. However, China’s laws and regulations have made clear provisions for the cross-border transfer of personal information in many other industries, such as the financial sector, online car-hailing and medical industries.
In addition, foreign personal information handlers must set up specialized agencies or designated representatives in China to handle matters related to personal information protection.
6. Monitor updates and future developments
While protecting personal information is not a new concept in China, doing so in the face of explosive development of information technologies is something that hasn’t been done before. Therefore, PIPL is a high-level document that outlines general principles of personal information protection and leaves certain details to be clarified in further regulations.
You have to stay tuned to the subject and implement or adjust your solutions according to further legislation that would follow PIPL.
There are undeniably good reasons to have a law like PIPL in place. It provides protection from abuse and mishandling of personal information. Data theft and illegal data trading would flourish in such a rich ecosystem if there were no regulations to stop them.
At the same time, it is difficult not to notice an eerie coincidence that two prominent internet companies, Yahoo and LinkedIn, decided to leave China exactly around the time the law was to be enacted.
One thing that is certainly refreshing about PIPL is its high-level approach and, as a result, its relatively small size: the translated version is only about 5000 words long. Compare that to the “mammoth” GDPR, almost 10 times the size at 50,000 words.
Conciseness, however, comes at the price of quite a few points still being left unclear. In the upcoming months we can expect more details explaining how the law should be implemented.
Meanwhile, if you are collecting and processing personal data of natural persons in China, we highly recommend you implement the steps outlined in this article. If you need an audit of your eCommerce enterprise’s compliance with PIPL, or support on either the technical or the legal side, we can help you with that. We can provide the latest list of technical features for eCommerce websites and a legal template. Feel free to contact TMO Group to discuss how we can help you build or enhance your eCommerce business, compliant with the new Chinese PIPL regulation.
English Translation by The DigiChina Project at Stanford University
Disclaimer: This article is not legal advice. To ensure your business and website is PIPL compliant we recommend you speak with a qualified legal professional.
This article is written in collaboration with Hansheng Law Offices, Shanghai.
Hansheng Law Offices is a diversified law firm incorporated in 1996 and headquartered in Shanghai. It has 19 branch offices in mainland China, 6 branch offices offshore and more than 20 strategic partnerships overseas. Currently it has more than 800 staff and 200 licensed attorneys in mainland China. It ranks Top 10 in Shanghai and Top 20 in China. Its practice areas include cross-border transactions, international personal data protection, export control and sanctions, dispute resolution, capital markets, etc. Its clients range from multinational companies, state-owned companies and internet enterprises to high-tech, intelligence and new energy companies. Hansheng is currently located at Floor 22-23, No. 1 Building, Lujiazui Century Financial Plaza, No. 729 South Yanggao Road, Pudong New District, Shanghai, China.