The Cyberspace Administration of China (CAC) recently issued draft administration regulations on network data security that augment the Personal Information Protection Law (PIPL) enacted November 1. If the CAC finalizes these new provisions by the end of 2021, as expected, it may create one of the most stringent regulatory regimes many multinationals will encounter and significantly increase the risk and cost of doing business in the world’s most populous country.
If your company processes any personal data from China to provide a product or service to Chinese residents or to analyze their behavior, you will likely have to comply with PIPL’s rules — even if you have no business presence in China. For PIPL, “personal information” is any information related to an identified or identifiable person. It does not include anonymized data. A “personal information processor” as defined by the law is any individual or organization with the discretion to determine the purpose and method of data processing.
If you process any personal data originating in China, the law may apply to you — regardless of your location.
Controlling data throughout its entire life cycle is no longer just an industry-leading practice: in China it is the new minimum baseline. When you read the new rules in the context of the existing China Cybersecurity Law (CSL), Data Security Law (DSL) and PIPL, a clear picture emerges of ten high-impact changes for non-Chinese multinationals.
China requires classification of data into general, important and core categories. Multinationals with a significant presence in China will need to enhance their record of processing activities with new required fields and automate as much of this process as is feasible with data discovery, classification and workflow technologies.
Companies that meet the criteria under CSL for critical information infrastructure operator (CIIO) or process large volumes of Chinese personal data are subject to data localization requirements in China. The new rules bring the reach of these requirements to foreign companies outside China if they process data for providing goods or services to China, analyze behaviors of individuals in China or process important data.
Recent legislation sets out extra requirements on appointing data responsible persons. If your company processes Chinese resident data but lacks a business presence in the country, you’ll have to either create a special agency or appoint representatives in China to be in charge of your compliance. This provision adds China to the list of about 70 territories tracked by PwC’s Risk Atlas database that require local data protection officers.
To transfer Chinese resident data abroad, you’ll generally need to follow a series of steps including obtaining consent; registering the transfer with the government or completing an assessment certified by a third party; implementing technical security measures to prevent foreign-government access to the data; and tracking onward transfer to other entities.
Multinationals currently enhancing their data-transfer controls for EU General Data Protection Regulation (GDPR) and Schrems II readiness will need to apply a similar but augmented approach to their Chinese data transfers and extend their SOC 2 assurance capabilities to this scope.
China’s data privacy and security laws require risk and impact assessments across a broad array of use cases. Companies that automate their data privacy and protection impact assessments for the Americas and EMEA now have a driver to extend this capability to the Asia-Pacific region.
If you process data designated as “sensitive personal information,” you’ll have to seek separate consent from these individuals or their guardians, state why you’re processing this data and explain the impact.
China’s rules amplify the impact on consumer-facing companies of similar consent requirements in Europe and the United States at the same time that technology platforms are restricting the use of tracking mechanisms such as cookies, putting a premium on permission-based consumer relationships.
Data processors must, within three working days, notify multiple business and government stakeholders as well as affected individuals about incidents, the risk of data breaches and the remedial actions they’ve taken. If the incident involves important data or the personal data of more than 100,000 people, companies must report the breach to the appropriate regulators within eight hours.
This timeline is among the most stringent globally and will require state-of-the-art detection, response and resilience capabilities typically seen only in advanced financial and technology companies.
Many companies from retail to insurance are striving to address their talent shortage by applying artificial intelligence and machine learning to robotic process automation. If your company uses Chinese personal data for automated decision-making about individuals, you may need to provide transparent explanations about how you’re making decisions about them and enable them to reject the automation and ask for a manual review.
If you operate a large digital platform, you may have to enforce fair, transparent and impartial data-processing rules for the product and service providers who use it. You’ll also need to publish social-responsibility reports on data handling, establish a personal information protection compliance system, and create an independent, external body to supervise personal information protection.
The internal audit departments that constitute the third line of defense in organizational systems of control have, in many companies, historically not maintained data privacy talent. Instead, they often turn to their own privacy offices or external audit firms for consultation and support. The new rules in China don’t explicitly require internal audit privacy expertise. If PIPL applies to your company, however, data privacy is likely to join cybersecurity as a top risk, and it will require ongoing monitoring and control.
PIPL establishes a spectrum of materially significant penalties for businesses: confiscation of illegal gains, a fine of up to RMB 50 million (about $7.8 million) or 5 percent of the past year’s turnover, and even the possibility of business suspension. Violations could also affect a company’s social credit scores, making it difficult to access credit, purchase property and conduct everyday business operations.
Significantly, the law also contemplates criminal and civil penalties, with a reverse burden of proof in civil cases. Rather than a plaintiff having to prove violations, companies must prove compliance. There is no cap for civil cases, making liabilities potentially unlimited.
PIPL may also hold individuals, such as business leaders and data protection officers, responsible for violations. Authorities and courts could then impose monetary fines of up to RMB 1 million (about $157,000) on individuals, take disciplinary actions and even impose prison sentences.
| Provision | EU | United States | China (PIPL) |
|---|---|---|---|
| Right to stop processing | Right to withdraw consent or otherwise stop processing of EU personal information | Right to opt out of selling/sharing personal information; must include opt-out link on website | Right to limit or refuse processing of personal information, with some exceptions; right to withdraw consent |
| Right to stop automated decision-making | Right to require a human to make decisions that have a legal effect | Regulations to govern access and opt-out rights for automated decision-making technology | Right to explanation and right to refuse solely automated decisions with significant impact |
| Right to stop third-party transfer | Right to withdraw consent for data transfers involving second purposes of special categories of data | Right to opt out of selling/sharing personal information to third parties | Requirement to obtain explicit consent before transfer to third parties |
| Right to equal services and price | At most, implicitly required | Explicitly required | Partial. Cannot refuse to provide goods and services if individual refuses to consent (unless necessary) |
| Regulator enforcement penalties | Ceiling of 4% of global annual revenues | No ceiling; $7,500 per violation | Ceiling of 5% of annual revenues or RMB 50m ($7.8m), plus potentially unlimited penalties to businesses and individuals |
China’s new data legislation potentially poses new risks and costs, but it’s possible to mitigate both. To support holistic, cost-effective and agile compliance, we suggest five steps.
PIPL may become a critical turning point for some companies. Non-Chinese firms with robust operations in China may face substantial increases in the cost of doing business. Those in the technology, retail, automotive, banking and pharmaceutical sectors — where the Chinese government has focused its enforcement attention — should prepare for change.
Companies may need to take these steps.
Some companies may require a larger shift in their Chinese business strategy to optimize their market position, finding new opportunities in a transformed marketplace. Swift and thorough action is imperative to successfully navigate this new digital landscape.