China’s first Personal Information Protection Law (PIPL) is on the books as of late 2021 and enterprises that do business with its citizens should take notice, if they haven’t already, or risk paying the hefty price of noncompliance.
The PIPL joins two other measures already on the books: the Cybersecurity Law, passed in 2016 and effective mid-2017, and the Data Security Law. Together, the three complete China’s framework of data protection.
The new law places restrictions on how personal data is collected, stored, managed, and used. Taken as a whole, the data handling requirements are somewhat broad, but many echo the standards set forth by the European Union’s General Data Protection Regulation (GDPR). A key item to note for enterprises that do, or plan to do, business with Chinese organizations or consumers is that they must obtain personal consent when processing personal information. Read closely, the law treats consent as the baseline for processing during the transaction, but in some cases it can also be interpreted as requiring “separate consent.” In addition, the PIPL requires businesses not only to explain how information will be used, but also to offer customers a way to opt out.
A word as seemingly innocuous as “consent” can therefore sit at the core of a hefty fine, and enterprises will need to perform due diligence on their policies and procedures from the outset to protect themselves. Other data processing areas to consider within the PIPL’s 74 Articles include:
- Personal data of people located in China that global enterprises process outside China’s geographic borders, for example to analyze those people’s activities or to provide them with products.
- A personal information processor must designate an agency or a representative in China responsible for personal information protection. Duties of this role include information audits and impact assessments.
- Legal liability can take the form of warnings, suspension or termination of services, rectification, or fines anywhere between $1,570.48 and $157,047.50 (10,000 to 1 million yuan). Fines may also be levied against individuals within an enterprise.
- Notification of lost, leaked, or falsified data.
Data privacy management software can be an enterprise’s best friend in its quest to maintain compliance. OneTrust, which provides these services, told AOTMP® that “some solace can be taken in the PIPL’s similarities to the GDPR; however, caution should be taken when addressing the PIPL’s nuances.”
It’s not unusual that Nike and Starbucks find themselves alongside Boeing and Ford among the top United States companies selling within China. As the largest country in the world by population, China is a highly coveted market for B2B commerce.
American exports of goods to China grew steadily over the last three years, hitting $124.5 billion in 2020, according to the Office of the United States Trade Representative (USTR). Electrical machinery, machinery, and medical instruments were among the largest categories of goods. Topping the services category were travel, R&D licenses, and financial services.
That’s only the tip of a robust economic relationship. The same year, China’s exports to the U.S. totaled $434.7 billion in Chinese goods and services, or 18.6% of all U.S. imports. While this is a slight decrease from the year prior, the sum represents a 325% increase from 2001.
All these dollars represent countless data transfers, and a deep understanding of the PIPL is in the best interest of enterprises of any size selling or buying goods and services with China. It is worth noting that in an October public statement, the USTR cited “inadequate regulatory transparency” on the part of China. In contrast to this wariness, some lawmakers are pushing the Biden administration to relax its import laws, as promised during the presidential campaign.
International technology policy scholar Roslyn Layton, Ph.D., focuses on comparing data and trade policies in the U.S., EU, and China. She is also the senior vice president of Copenhagen-based Strand Consult, a global telecommunications and mobile industry analyst firm. Layton is outspokenly frank in her assessments of U.S. data privacy law, the GDPR, and the PIPL.
“U.S. privacy laws are based upon pragmatism — a law-in-action approach,” she said. “It focuses on where risks are real and regulates accordingly. That is why there is a sector-specific approach. The U.S. recognizes that special rules for health, finance, and children are needed where information is sensitive. However, not all personal information is necessarily sensitive. The U.S. privacy regime originated in the eighteenth century to protect people from the government, for example with the post and census.
“EU data protection laws are much younger by comparison and are based on fundamental rights and the notion that all data is equally valuable, finite, and extinguishable,” she noted. The requirements of the GDPR in the EU are costly, leading many small- and medium-sized firms to exit, according to Layton. She added that EU firms working with personal data are becoming scarce.
“It’s just too expensive to start a business. GDPR has been a gift to U.S. platforms. They are protected from competition. Since GDPR began in 2018, U.S. tech platforms have greater market share than before.”
Layton’s commentary on the PIPL is sharp. It addresses China’s creation of a policy that restricts how outside countries and businesses handle its citizens’ personal data while the government itself operates without such restrictions.
“Chinese data protection laws have strict rules on companies, but the government gets to do whatever it wants with personal data. That means the government can get data from any Chinese-made product or service at any time anywhere for any reason. No warrant needed. No judicial address.”