China’s personal information protection law (PIPL) establishes strong privacy laws for the use of Chinese residents’ personal data both at home and abroad. Companies intending to extend their business into China are affected by the law, which took effect in November 2021.
Non-compliance with China PIPL law carries hefty penalties. Loss of business licenses, payment of up to $7 million or 5% of the company’s income, and a total shutdown of business operations are among the punishments.
PIPL, as well as other security measures, is why data residency compliance techniques are receiving more attention. China data laws, such as the cybersecurity law (CSL) and the data security law (DSL), have long been strict.
However, China’s PIPL, like other data privacy rules, should not prevent you from doing business in the world’s second-largest economy. Although these data rules govern how organizations handle personal customer data, they can often cause complexity for multinational corporations (MNCs).
This blog examines how China’s privacy law, the PIPL, affects your business and how to keep compliant while staying in business.
What is China’s Personal Information Protection Law?
The China PIPL law is a data privacy law that governs corporations’ use of consumers’ personal data for targeted marketing. The law prohibits the transfer of this information across China’s borders to nations with laxer data protection standards.
When it comes to protecting its residents’ personal information, China is very strict. China created industry-specific privacy legislation and data controls under this pretext. China’s Cybersecurity Law (CSL), for example, is directed at Critical Information Infrastructure Operators (CIIO).
China’s personal information protection law, on the other hand, covers personal data leaks. All of these laws and regulations are part of China’s overall network data security plan.
The PIPL is the People’s Republic of China’s first national law to define sensitive personal information. But, more crucially, the law establishes relevant obligations for those who manage personal information.
On August 20, 2021, the Standing Committee of the 13th National People’s Congress passed PIPL. The law, along with the consequences for non-compliance, went into force on November 1, 2021.
The PIPL’s scope is unique in that it clarifies the legal basis for processing the personal data of consumers. In a word, the PIPL China privacy law safeguards the country’s interests when personal data is transferred across borders.
Whom Does China PIPL Apply To?
China PIPL applies to all companies and persons who process personal information (PI), which includes personally identifiable information (PII), about Chinese nationals both inside and outside of China. Both domestic and multinational businesses are affected by privacy regulations.
The PIPL China privacy law also governs the processing of PI by government agencies. As a result, anybody who ‘processes’ personal information and can decide on the purpose and means of processing such is subject to the legislation.
What if you collected personal data using big data? The law is still in effect. Some experts believe the PIPL was designed in response to pricing discrimination enabled by big data.
Assume your company uses personal data to evaluate Chinese consumer behavior and offer products and services to them based on these findings. The PIPL applies to you in that situation.
Key China PIPL Regulations to Worry About
For global organizations and businesses, the primary criteria of China’s personal information privacy law are concerning. So, let’s look at a few of them.
Compliance with the PIPL, in addition to the DSL and CSL, is essential for any corporation with data or operations in China. As previously stated, non-compliance carries severe consequences for the company.
There is also the danger of losing business licenses, in addition to monetary sanctions of up to $7.8 million or 5% of the previous year’s turnover. Non-compliance can also result in a drop in the organization’s credit score, which can have an impact on day-to-day activities in the country.
Violations carry severe criminal and civil sanctions. Individuals, corporate executives, and data protection officers, for example, might face monetary fines of up to $157,000, disciplinary procedures, and prison sentences if they do not comply with the PIPL.
The regulation prohibits corporations utilizing big data automation methods for decision-making from collecting PII for no reason. Transparency, fairness, and impartiality must be applied to all data gathering and use processes.
Consent & Privacy
‘Personal information handlers’ are subject to a number of compliance requirements under the law (PI Handlers). PI handlers are organizations or persons who make choices about the purpose and manner of personal data processing on their own.
Keep in mind that, according to the PIPL, personal information refers to information gathered by electronic or other methods about identified or identifiable natural persons, except anonymized data.
A PI handler must offer notice to individuals describing how their personal information will be processed as part of the China privacy regulations. This requirement for a privacy notice is similar to other data regulations.
Aside from the privacy notification, businesses can only process data if they meet two criteria.
- Legal premise
Businesses can only process the personal information of Chinese customers if they have completed all legal criteria. However, like with all legal duties, it begins with the consumer’s agreement.
- On the basis of consent
Consumer permission is another one of the PIPL’s strict requirements. Corporations that intend to utilize the personal information of Chinese citizens must first seek the individual’s permission, either separately or in writing.
Management of Consent
Under China’s PIPL consent is extremely important. If your company handles sensitive personal information, for example, you must obtain separate consent from the individuals or legal guardians. You must also explain why the data is being processed and how it will affect the individual.
Individuals must give their permission for the following:
- Personal data of consumers is sent across borders.
- Revealing consumer information to a third party or the general public
- Use of personal photographs collected by video cameras for non-public security purposes
- Sensitive personal data processing and storage
Even if you get authorization, individuals in China have the right to withdraw, remove, rectify, access, and copy their consent for organizations to use their personal information.
Individuals also have the right to object to or limit how their personal information is used. They can also object to the usage of decision-making technologies that are automated.
These requirements might be difficult to keep track of, and you have every reason to be concerned about compliance. China’s data rules, on the other hand, require enterprises that manage and keep consumer data on SaaS platforms to comply.
How PIPL Differs from GDPR
China’s personal information protection law was modeled after the EU’s GDPR legislation. PIPL, like the GDPR, gives citizens more control over how businesses use their personal information.
There are some distinctions between the two laws, despite the fact that they are both extraterritorial and define personal information similarly. Although both the PIPL and the GDPR safeguard sensitive data, the categories of data that are considered sensitive differ.
Let’s look at the table below to see how the differences are explained.
How to Stay Compliant with China’s Personal Information Protection Law
Businesses must be able to manage their data assets in order to fully comply with the PIPL. Companies may need to reconsider their data residency compliance practices as a result of this.
Because of the PIPL’s parallels to the GDPR, it’s likely that some businesses will want to utilize the same governance procedures they used for the GDPR. The data residency standards, on the other hand, are rather different.
Business owners must appoint designated persons in the country to assume responsibility for data protection issues under the new law. Furthermore, enterprises will be required to design new infrastructure for their operations in China.
In addition, China’s PIPL privacy regulation emphasizes the need of preserving Chinese data within Chinese borders. One approach to keep data locally is to use cloud services in China.
That is, however, only one aspect of the law. The only approach to quickly bring your company’s data into compliance with the PIPL law is to use Data Residency-as-a-Service solutions.
How InCountry Helps Your Business To Stay Compliant With China’s Personal Information Protection Law
InCountry, a Data Residency-as-a-service platform, helps businesses solve data residency compliance issues without disrupting business operations. As a result, companies can continue their global operations and expansion without worrying about non-compliance with data laws.
Furthermore, InCountry offers international businesses the easiest way for entering the Chinese market, organized and compliant. As an Alibaba Cloud partner, InCountry integrates the perfect solution for local data storage and residency compliance.
InCountry has successfully worked with several multinational corporations worldwide, helping them remain compliant with data laws. For instance, InCountry recently worked with IBM Consulting to implement and deliver ready-to-use data residency services for Salesforce.
Together with IBM Consulting, InCountry created a solution to help remain compliant with local regulatory laws. The encompassing solution also integrated a secure gateway for data transmission, local storage, and processing.
The IBM Consulting case study is one example of several success stories delivered by InCountry. InCountry offers seamless integration with existing infrastructure, meaning you do not have to change anything.
Contact us if you want to easily implement the many beneficial features of InCountry’s platform to stay compliant with your business operations in China.