China Data Privacy Laws: How They Affect Foreign Companies
In 2021, China enforced 2 new laws that deal with data privacy and security. These laws have been implemented to impact companies in China that utilize user data, ensuring they comply with how they handle, store, use, and transfer the personal information they collect. The implementation of these laws will have an effect on all e-commerce businesses in China and any other type of business that collects data of users online.
China’s New Data Privacy Law: The Personal Information Protection Law and Data Security Law
The Data Security Law (DSL) is a framework that categorizes user data collection and storage in China based on its potential security and economic impact on the country. Regulations on the storage or transfer of data depend on its classification level.
Meanwhile, the Personal Information Protection Law (PIPL) regulates the collection and protection of personal information obtained by organizations operating in China. Personal information is defined as “any information related to identified or identifiable natural persons stored in electronic or any other format.”
The scope of the PIPL is wide and it refers to the collection, reorganization, storage, usage, transmission, disclosure, provision, and deletion of personal information.
Reasons for Creating New Regulations on Data Privacy
The implementation of these laws is primarily to protect the privacy rights of individuals and provide a limitation on the power and scope companies have to people’s data. The laws laid out conditions on how companies should use, collect, store, secure, and transfer personal data. It defines how organizations should ask for consent before obtaining personal information.
The new laws are part of the country’s effort to regulate cyberspace and monitor the compliance of companies handling personal data. Public complaints about the misuse and mismanagement of private user data guided authorities in drafting the laws.
Additionally, the law was enforced to put reins on the unchecked growth of local tech giants in China like Tencent, ByteDance, and Douyin. Early in 2021, government bodies and state-backed organizations criticized tech companies for tricking customers into making purchases and the misuse in the transferring of user data.
How Do These Laws Affect Foreign Companies in China?
Foreign businesses in China that need to process the personal data of locals should comply with the regulatory requirements enforced by the Personal Information Protection Law and Data Security Law. This means foreign companies need local representatives to file for compliance.
The law has not been implemented to only stop data theft in China but also reinforce the government’s regulations on data security laws and cybersecurity. Foreign companies that fail to comply with the DSL and PIPL may be blacklisted, preventing them from processing personal data in China.
Due to the more stringent regulations surrounding data usage, foreign companies are finding it harder to continue operating in the country. An example can be seen with LinkedIn and Yahoo!, who decoupled and shut down their full operations in China due to the increasingly challenging business and legal environment.
Framework of the Data Security Law
- Core data – any data that concerns the national and economic security of China, its citizens, and public interests. Under the DSL, data under this category are given the highest level of security and strictest regulation.
- Important data – the specifics are left undefined, as the task to identify its scope is given to relevant national, regional, and sector authorities.
Critical Information Infrastructure Operators (CIIOs) handling sensitive information regarding informational networks, infrastructure, and natural resources must ensure that the data is generated and safeguarded in China. Additionally, they are required to conduct a security self-assessment to ensure data privacy is maintained before sending the data overseas.
Both CIIOs and non-CIIOs are forbidden from sending any data stored in China — sensitive or not, and regardless of whether it was collected in China — to foreign law enforcement or judicial bodies outside the country without prior approval from the PRC.
Companies that violate this and send “core data” overseas may face fines of up to USD 1.5 million, potential criminal liabilities, and a forced shutdown of business operations. On the other hand, organizations found sending “important data” may be fined up to USD 780,000.
Downstream intermediary services that use data for commercial purposes are obliged to ask the data providers from which they get information, about the legality of the data they are sending. These intermediary services must verify the identity of the source of information and keep identification and transaction records ready for auditing. Businesses that fail to comply may be fined up to USD 300,000, stopped from operating, and get their licenses revoked by the PRC.
For companies doing business in China, they are required to update and improve their data security systems. Measures should be implemented to quickly fix data security breaches and have a way to immediately notify users and authorities in case they occur.
Companies handling “important data” are required to designate a team or individual responsible for data security. These people must regularly submit risk assessments to authorities.
Organizations that fail to ensure data security may be fined up to USD 77,000. If a company fails to resolve system failures or the breach results in massive data leaks, the company may be fined up to USD 300,000, have their operations shut down, and have their licenses to operate in the country revoked.
Framework of the Personal Information Protection Law
Data Localization and Deletion
When a certain volume of personal information reaches the threshold designated under the PIPL, the data localization and deletion requirement will be triggered. In this case, data handlers must appoint an information protection officer to supervise how the data is handled and protected after collection.
Under the PIPL, data handlers must delete all personal data after the purpose for collection has been attained. Data must also be deleted in the following cases:
- when it no longer serves the disclosed purpose,
- the service is no longer available,
- the retention period has lapsed,
- the user reverses consent,
- or when data processing methods violate laws and regulations.
Restrictions on the Transfer of Personal Information
Data handlers must first get user content before they forward personal information to either local or foreign third parties. Additionally, data handlers must verify how the data will be used and ensure the methods of the third party abide by the laws and regulations enforced in China.
For international data transfers, the data handler must ensure the recipient enforces data protection security and compliance that are at least on the level of that of the PIPL.
Before data is collected, businesses must obtain user consent. Companies collecting sensitive personal information such as biometrics, religion, health status, finances, address, and data on children must follow more stringent data protection measures. They should disclose why data collection is necessary and for what specific purpose they will use the gathered information.
Companies handling data are required to conduct self-audits to ensure they identify potential security risks and enforce compliance with regulations. Those that use algorithms to automatically analyze the personal information collected from users must abide by the fairness and transparency clauses stated in the PIPL.
Implications of the Implementation
With the DSL and PIPL in full effect, companies in China that deal with user data have to assess whether their existing systems comply with the relevant laws. They may have to reorganize their operations, depending on the level of personal data they handle. If a company is unsure on any matter concerning these laws, they should seek legal advice from the local PRC counsel, especially if they deal with exporting data gathered or stored in China to third parties overseas.
Comparison Between the GDPR and the Chinese Privacy Laws
The PIPL is similar to the General Data Protection Regulation (GDPR) in that they both allow people to access the information about them, correct it, have it deleted, or have their consent rescinded. Companies that handle personal information are required to enforce stricter measures to protect their data.
The PIPL is handled by the Cyberspace Administration of China (CAC) which is a state-backed regulator. This is different from GDPR, which is handled by independent data regulators in each country. While the enforcement of GDPR is slow, the CAC is stricter in putting in line those that violate the PIPL and the DSL.
Under the data privacy laws in China, non-compliant companies may be blacklisted. This is not the case with the GDPR, which only imposes financial penalties on those in infringement. Companies operating in China also need to go through a national security review before they can send personal data overseas. The GDPR does not impose this restriction on exporting data to overseas third parties.
Potential Market Restrictions
The PIPL enforces requirements to regulate the marketing activities of businesses that use their customers’ personal data. Algorithms and automated systems are also monitored to ensure they are compliant with the relevant laws and regulations.
Companies that need to share data outside of China must go through a national security review, especially if they are sending data that is classified as “important data” overseas. They must also submit the contract between themselves and the third-party companies to which they will be sending data. The file should state why the data needs to be transferred abroad, the type of information being sent, and the potential risks of the activity.
For companies operating in China, it is essential to ensure that you are aware of China’s data privacy laws and adhere to them, in order to avoid any issues when you set up your business in the country. Let us assist you to set up your business in China or improve your operations by getting in touch with us right away and having 1 of our friendly consultants attend to your business needs.
Disclaimer: all articles and its related content are the property of Moore Stephens Consulting Company Limited and may not be reproduced either in part or in full without prior consent.
Stay up-to-date with relevent issues in China.
Subscribe for the Moore - MS Advisory newsletter!