Navigating Data Security Compliance Challenges in China


China’s historic Personal Information Protection Law (PIPL) is a significant first for the country and has a direct and far-reaching impact on the protection of individuals’ personal information rights, as well as on data privacy compliance for enterprises.

To help companies develop efficient strategies for their data compliance and prepare for upcoming changes brought by new regulations, Partner and Head of IT & IS Services at Dezan Shira & Associates, Thomas Zhang, and International Business Advisory Manager Guilherme Campos discussed the core requirements of the regulations and shared some of our best practices to ensure compliance, with a special focus on PIPL.

Here we have selected some questions frequently asked by companies, with brief answers. To watch the webinar, please click here.

Does the “PRC territory” in the context of Personal Information Protection Law also include Hong Kong and Macao territory?

Hong Kong and Macao are Special Administrative Regions (SARs) and the PIPL is not directly applicable there, which means the “PRC territory” in this context does not include Hong Kong and Macao. However, please note that the PIPL does have extraterritorial jurisdiction over specific personal information processing activities outside the territory of the PRC, such as providing services to people in China or analyzing their behavior, as stipulated by Article 3 of the PIPL. We recommend that you analyze your business scope and personal information processing scenarios before concluding whether the PIPL is applicable to your business.

If the customers for an e-shop are employees of certain companies (contact people for B2B transactions), does such an e-shop have to comply with all PIPL requirements?

Yes, as long as the business operation involves personal information (PI) processing activity. However, a B2B company will face much less compliance pressure than a B2C company, given the difference in the volume and type of PI processed.

Regarding Article 13 in the PIPL - if the individual discloses personal information on a website himself, and that information is captured in a server outside of China, is that defined as the organization requiring data export approval?

Article 13 of the PIPL concerns the legal bases for processing PI, of which obtaining consent from the PI subject is the most common. The organization may not need to obtain consent from PI subjects if they have disclosed their PI on the internet themselves. However, there are a few more considerations:

  • The legitimacy of the “capture” operation itself – there are certain rules regulating data collection through web crawlers under China’s legal and regulatory framework. So, the organization needs to be careful about the way it is “capturing” data from the internet.
  • Article 27 of the PIPL explicitly states that the organization can process PI disclosed by PI subjects themselves or PI legally publicized by others. However, the processing should be within a “reasonable scope” and should not have a major impact on the PI subject’s interests and rights; otherwise, explicit consent needs to be obtained from them.
  • Besides the legal basis to process PI, the PIPL also specifies other legal obligations for PI handlers (controller/processor), such as the “obligation to notify”, which requires the organization to notify PI subjects before processing their personal information. So even if the organization can collect disclosed PI from the internet directly, it still has the responsibility to inform the subject why and how their PI will be processed, as Article 17 specifies, when it is going to use the collected information for business purposes.

How to count personal data? For example, does the name, email, ID card, address of the same person count as ONE, or count as FOUR?

There is no explicit specification. However, in practice, it is usually counted by PI subject, which means one piece of personal information instead of four in the example mentioned here. There are several considerations for reference:

  • There are different types of PI, such as direct or indirect. Indirect PI cannot be used alone to identify a specific individual; multiple pieces of indirect PI need to be combined to identify a single individual. From this perspective, multiple pieces of personal information about the same person can be considered one record.
  • The interpretation from Supreme on Article 253 of Criminal Law in 2017 specified how to calculate the quantity of personal information. Although it did not address the example here directly, we can see that the basis for calculating PI is the PI subject rather than the different pieces of information about the same subject.
