New China Personal Information Protection Law (PIPL) and international business challenges
Summary: 1. Background – 2. Personal Information Protection Law (PIPL): the first general personal data protection law in China – 3. Cross-border transfer of personal information – 4. Fines – 5. Conclusions
1. Background
The Chinese economic reform, also known as the opening up of China, is the programme described as “Socialism with Chinese characteristics” that began at the end of the 1970s under the Chinese Communist Party (CCP). It was clear to Chinese economists that the Marxist theory of the law of value could not sustain the economic system much longer. The first reform phase therefore involved the de-collectivisation of agriculture, opening the country to foreign investment and allowing private entrepreneurs to start businesses. That was only the beginning: privatisation, the creation of capital markets and the remarkable growth between 2001 and 2013 became the protagonists of this economic and political escalation.
Because of these drastic changes, the individual began to play a central role in the market, and a market economy requires the free participation of individuals in it. These new considerations also led to a new awareness of the individual's right to privacy and highlighted the need for adequate protection of this emerging right.
Privacy in traditional China resided primarily in the family unit, as distinct from the State, but literary evidence also shows the existence of private realms for individuals and small non-familial groups. Moreover, the Chinese legal system has long contained provisions related to the protection of personal data, although privacy was not regarded as an independent right but rather as an expression of the individual's rights within collective life.
For instance, Article 40 of the Chinese Constitution protects the freedom and privacy of citizens' correspondence; Article 252 of the Criminal Law states that “those infringing upon the citizen's right of communication freedom by hiding, destroying, or illegally opening other's letters, if the case is serious, are to be sentenced to one year or less in prison or put under criminal detention”; and Article 101 of the General Principles of Civil Law (1986) states that “personality of citizens shall be protected by law, and the use of insults, libel or other means to damage the reputation of citizens or legal persons shall be prohibited”. (The General Principles have since been superseded by the Civil Code, in force since 1 January 2021, which treats privacy and personal information as personality rights.)
However, until PIPL there was no general data protection law in China, only sector-specific rules touching on data protection, so in a period of profound social and economic transformation comprehensive regulation became a necessity. With commercial and technological growth, many companies began requiring customers to share personal information such as name, telephone number or address. Over time this became an unpopular practice as China adopted a more privacy-minded approach, and data protection turned into a mandatory requirement.
For a long time, China relied on sectoral laws with no single authority responsible for personal data protection, but with several authorities each protecting personal data within its own area of competence: for instance, the Cyberspace Administration of China (CAC), the National Medical Products Administration (NMPA), the China Banking and Insurance Regulatory Commission (CBIRC) and other bodies.
An important consideration also concerns the Cybersecurity Law (“CSL”), which went into effect on 1 June 2017, and the recommended national standard GB/T 35273-2017 “Information Security Technology – Personal Information Security Specification”, which took effect on 1 May 2018, a few weeks before the (EU) GDPR became applicable on 25 May 2018. The standard is not binding law as such, but it is commonly used as a reference for compliance, and it shares many principles with the (EU) GDPR. Article 76 of the CSL defines personal information as “various types of information that can be used separately or in combination with other information to identify a natural person, including but not limited to the name, date of birth, identity certificate number, personal biological identification information, address, telephone numbers, etc. of the natural person”. The similarity with the definition in Article 4(1) of the (EU) GDPR is evident: “Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”. This analogy shows that the Chinese Government was already contemplating a general data privacy regulation, despite the conservative approach that characterises the country.
It is therefore worth recalling that China is the main proponent of “cyber sovereignty”. Sovereignty, in the sense of the 1928 Island of Palmas arbitral award, means that a country's internal affairs are independent and free from interference by other countries. Applied to cyberspace, the consequence is that information and infrastructure located in a country, regardless of their specific owners or users, fall under that country's judicial and administrative jurisdiction and are protected by its sovereignty. This aspect is essential to understand the impact that the new PIPL, together with the Data Security Law (in effect from 1 September 2021), has on commercial negotiations with China, especially where they include cross-border data transfers.
2. Personal Information Protection Law (PIPL): the first general personal data protection law in China
On 20 August 2021, the Standing Committee of China's National People's Congress promulgated the Personal Information Protection Law (“PIPL”), which came into effect on 1 November 2021. Today the data protection and cybersecurity legal framework in China consists of several laws which together govern the matter: the PIPL, the Law on Guarding State Secrets (revised 2010), the Cybersecurity Law (2017), the Cryptography Law (in force since 1 January 2020) and the Data Security Law (2021).
Despite some similarities, PIPL and the (EU) GDPR differ in many respects because of the different conceptions of individual rights and of national security underlying them.
As regards the definition of personal information (hereinafter “PI”), there is a clear similarity with the language of the (EU) GDPR: Article 4 of PIPL defines it as any kind of information, whether or not recorded electronically, relating to an identified or identifiable natural person, excluding anonymised information, to which PIPL does not apply. The same applies to the definition of PI processing, understood as the collection, storage, use, processing, transmission, provision, disclosure and deletion of personal information.
Article 28 defines sensitive PI as PI which, if leaked or used illegally, could easily infringe the personal dignity of a natural person or endanger personal or property safety. The concept includes biometric identifiers, religious beliefs, specially designated status, medical and health data, financial accounts, location tracking data and similar information, as well as the PI of minors under 14.
The data controller, namely the natural or legal person that independently determines the purposes and means of PI processing, is called the “personal information handler” (hereinafter “PIH”, Article 73). Similarly to the (EU) GDPR, PIPL identifies the role of the data processor (the “entrusted party”, Article 21) without, however, providing a definition. The same applies to joint controllers, briefly identified in Article 20 as two or more PIHs who jointly determine the purposes and means of processing. In both cases PIPL requires a contract setting out the rights and obligations of each party.
The lawful bases for processing (Article 13) are, similarly to the (EU) GDPR, alternatively: (i) informed consent obtained from the individual (Articles 14 and 15 set the standards for obtaining informed consent and for its withdrawal); (ii) processing necessary to enter into or perform a contract to which the individual is a party, or to carry out human resources management under lawfully adopted labour rules and collective contracts; (iii) compliance with statutory duties or obligations to which the PIH (i.e., the data controller in GDPR terms) is subject; (iv) the need to respond to public health emergencies or to protect the life, health or property safety of an individual in an emergency; (v) processing, within reasonable limits, for news reporting, public opinion supervision and similar activities in the public interest; (vi) processing, within reasonable limits, of PI already disclosed by the individual or otherwise lawfully made public; (vii) other circumstances provided by laws and administrative regulations.
An important divergence from the (EU) GDPR is that PIPL does not include legitimate interest among the lawful bases; however, item (vii) allows the authorities to identify, from time to time and through legislative or administrative acts, additional residual legal bases.
Sensitive PI includes biometrics, religious beliefs, specific identities, medical and health data, financial accounts, whereabouts and other such information, as well as the personal information of minors under 14. PIHs may process sensitive PI only where there is a specific purpose and sufficient necessity (e.g., medical treatment), and they must adopt strict protection measures, including conducting a prior personal information protection impact assessment (Article 55) and informing individuals of the necessity of the processing and its impact on their rights and interests (Article 30). In addition, separate consent is required under Article 29.
While the (EU) GDPR is very specific in spelling out data subject rights, PIPL is less precise in identifying where restrictions or exemptions may apply. The rights provided are: the right to know and to decide, the right of access and copy, the right to rectification, the right to deletion, the right to withdraw consent, the right to lodge a complaint with the regulator and, as under the (EU) GDPR, the right to data portability. In the latter case, however, the request must meet the conditions stipulated by the Cyberspace Administration of China (Article 45).
A different approach also applies to consent. Under PIPL two kinds of consent are provided: ordinary valid consent to process an individual's PI (Article 14, given on the basis of the information provided under Article 17); and “separate consent” in specific cases: i) sharing PI with another PIH (Article 23); ii) public disclosure of PI (Article 25); iii) use of images or identifying information collected in public places for purposes other than public security (Article 26); iv) processing of sensitive PI (Article 29); v) transfer of PI outside China (Article 39); vi) any further case provided by laws or administrative regulations (Article 14).
Moreover, a PIH may not provide PI stored in China to foreign judicial or law enforcement authorities without the prior approval of the competent Chinese authorities (Article 41).
3. Cross-border transfer of personal information
One of the most important aspects of PIPL is the regulation of cross-border data transfers. This element is heavily influenced by the concept of “cyber sovereignty” and highlights the multiple overlaps and contrasts between the new Personal Information Protection Law and the Cybersecurity Law.
In general, PIHs that intend to transfer PI outside China must meet one of the following conditions (Article 38): (i) pass a security assessment organised by the CAC, the Cyberspace Administration of China; (ii) obtain a personal information protection certification from a professional institution in accordance with CAC rules; (iii) conclude a contract with the overseas recipient based on the standard contract formulated by the CAC (at the time of writing this standard contract has not yet been finalised); or (iv) satisfy other conditions provided by laws, administrative regulations or the CAC.
The prior CAC security assessment is mandatory in the following circumstances (Article 40 PIPL, as detailed in the CAC's draft Measures for the Security Assessment of Outbound Data Transfers published for comment in late October 2021): data collected or generated by critical information infrastructure operators (“CIIOs”, as defined under the Cybersecurity Law); transfers by PIHs that process the PI of more than 1 million individuals; cumulative transfers of the PI of more than 100,000 individuals or of the sensitive PI of more than 10,000 individuals; or other conditions set by the CAC. These thresholds were still in draft form when this article was written and may change in the final measures.
Exporting important data in breach of Article 31 of the Data Security Law is sanctioned under Article 46 of the same law: the competent authorities order rectification and may concurrently impose a fine of not less than RMB 100,000 (US$15,460) and not more than RMB 1 million (US$154,600); in serious cases the fine is between RMB 1 million (US$154,600) and RMB 10 million (US$1.55 million), with the possible additional measures of business suspension and/or licence revocation. Exporting PI in breach of PIPL is separately sanctioned under Article 66 of PIPL (see section 4).
For these transfers it is also necessary to obtain the separate consent of the individuals concerned and to inform them of the identity and contact details of the overseas recipient, the purposes and methods of processing, the types of PI that will be transferred and the procedures for exercising their rights against the overseas recipient (Article 39). Separate consent is required in addition to, not instead of, one of the Article 38 transfer mechanisms and the prior impact assessment required by Article 55.
PIPL further requires the PIH to take the necessary measures to ensure that the overseas recipient provides a level of protection equivalent to that required by PIPL (Article 38). An EU recipient operating under the (EU) GDPR will typically be able to demonstrate comparable safeguards, since the GDPR currently offers one of the highest levels of personal data protection; but PIPL has no concept of an adequacy decision, so GDPR compliance by the recipient does not by itself replace the Article 38 mechanism, the separate consent under Article 39, the impact assessment under Article 55 or any additional requirements under the Cybersecurity Law.
The aim of this stringent regulation is to safeguard core national interests by ensuring data security. This is not so different from what the US did when it recognised data as a matter of national security and enacted the CLOUD Act, which allows US authorities to compel service providers subject to US jurisdiction to produce data in their possession regardless of where the servers are located.
4. Fines
In case of PIPL violations, the competent authorities can impose an administrative penalty of up to RMB 50 million (about US$7.9 million) or 5% of the previous year's turnover (Article 66). Unlike the (EU) GDPR, PIPL does not specify whether this is the turnover achieved in China or worldwide. Sanctions may also include the suspension or termination of activities or the revocation of previously granted business licences. The risk extends to the individuals directly responsible within the organisation, who face personal fines and a ban from senior management roles.
5. Conclusions
With PIPL, China has laid the foundation of its digital economy for the coming years. Twenty years ago only about 10% of the Chinese population had access to the internet; today the Chinese tech sector is worth about 4 trillion dollars, and China now recognises data as a fifth factor of production. The country wants to harness the power of data not only by regulating its processing but also by monitoring the way it is collected. In dealing with Chinese consumer data, the measures to be put in place are not limited to compliance with the letter of the law but require a more effective lens. Foreign companies must understand that in some cases data laws will reach into their business, requiring additional effort to comply with these provisions.
In particular, the law requires an additional layer of data governance, including employee training and the prioritisation of three main areas: i) separate consent collection: the individual whose data is collected must give separate consent, with specific information on the cross-border transfer; companies should be aware of this key difference from the (EU) GDPR; ii) data residency: localising governance and technology in China as part of market entry or expansion; iii) privacy budget allocation: a good privacy strategy is a winning weapon, so a minimum budget should be set aside for this front in order to avoid PIPL penalties and business barriers.
Moreover, PIPL requires a PIH established outside China that processes the PI of individuals in China to set up a dedicated entity or appoint a representative in China (Article 53), even if the company has no other presence there. This is a good opportunity to appoint the right person as representative of the business strategy, considering also their knowledge of the new law and their ability to steer the business in compliance with PIPL.
Many companies decided to leave the Chinese market after the law changed. For instance, LinkedIn was sent to the exit, and its top management said the environment had become increasingly difficult from an operational point of view, partly because of the increasingly stringent requirements imposed by Beijing. In fact, in recent months Chinese regulators have approved new and increasingly stringent measures against technology companies that manage data, creating a demanding climate even for Chinese big tech.
On 2 November 2021, one day after PIPL came into effect, Yahoo announced it was leaving the Chinese market because of “the increasingly challenging business and legal environment”. Google had given up several years earlier.
The examples above clearly show the challenging circumstances in which companies have to operate to access the Chinese market; however, we should keep in mind that what matters to them is simply to move in the right direction, and that achieving the result requires a strategy.
Strategy is the real emblem here: in Chinese literature the hero is never the warrior but always the strategist. This means that it is not sufficient to set out a plan to do business in China; you should evaluate your accountability and your capacity to comply with a different culture and legal tradition.
In terms of data privacy, the best strategy is one that assesses risks and opportunities in advance, puts in place all the security measures needed to provide the required level of data protection, and has the determination to meet the country's expectations. The appointment of a person in charge of personal information protection (Article 52, the PIPL counterpart of the DPO), a preventive personal information protection impact assessment (Article 55), the allocation of a budget for the purpose, and the provision of tools to deliver compliant infrastructure and resources are just some pieces of a winning strategy.
And a winning strategy is the only thing companies need to succeed in China.
 Karl Marx, The Poverty of Philosophy (1847)
B. S. McDougall, ‘Particulars and universals: studies on Chinese privacy’, in B. S. McDougall and A. Hansson (eds.), Chinese Concepts of Privacy (Leiden, Brill, 2002)
Cybersecurity Law (2017), Data Security Law (2021), etc.
 Shen, Y. Cyber Sovereignty and the Governance of Global Cyberspace. Chin. Polit. Sci. Rev. 1, 81–93 (2016). https://doi.org/10.1007/s41111-016-0002-6
 Schmitt, Michael N. ed. (2013). Tallinn manual on the international law applicable to cyber warfare
 On June 10, 2021 the Standing Committee of the National People’s Congress passed the Data Security Law (the “DSL”).
 Cryptography Law of the People’s Republic of China “for the purpose of regulating the application and administration of cryptography, promoting the development of cryptography work, ensuring cyber and information security, safeguarding national security and public interests, and protecting the legitimate rights and interests of citizens, legal persons and other organizations” (Article 1).
 Article 13 of PIPL
 Article 6 of GDPR “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”
I.e., having the PI transferred to a different PIH designated by the individual (Article 45 PIPL).
 The central internet regulator, censor, oversight, and control agency for the People’s Republic of China http://www.cac.gov.cn/2021-08/25/c_1631480920680924.htm
 Article 31 Cybersecurity Law: CII are infrastructure in important industries and sectors, such as public communications, information service, energy, transport, water conservancy, finance, public service, and e-government, and other critical information infrastructure that – once damaged, disabled, or data disclosed – may severely threaten the national security, national economy, people’s livelihood, and public interests
Chapter IV (Articles 44-50) PIPL: right to know and decide, right of access and copy, right to correction/rectification, right to deletion, right to portability, right to withdraw consent (Article 15), etc.
“Clarifying Lawful Overseas Use of Data (CLOUD) Act”, 23 March 2018
 Article 66 PIPL
For the directly responsible individuals: a fine of up to RMB 1 million plus a possible ban from serving as director, supervisor, senior manager or personal information protection officer for a certain period (Article 66 PIPL).
 Edward Tse, The China Strategy: Harnessing the Power of the World’s Fastest-Growing Economy, 2012
Roberta Sole, 12 December 2021