China has now rolled out its own GDPR - the Personal Information Protection Law (PIPL). We talked to Mark Schaub at King & Wood Mallesons, one of the experts within the Crayfish.io network, to see how the PIPL impacts foreign companies doing business in China, covering the background, terms and impacts, as well as how foreign firms should prepare for it.
Mark: China has been looking at protecting the privacy of citizens for a number of years. Privacy has become a major concern due to the rise of the digital economy. Big tech has access to massive amounts of data and this data can be used to abuse privacy, manipulate consumers and compromise security (i.e. collection of biodata, financial details etc.).
Mark: PIPL is a consolidated law that has real teeth and places obligations upon companies. Clearly inspired by the EU’s GDPR, the law gives Chinese citizens much greater control over the use of their data. In addition to requiring active consent, the PIPL also allows citizens supervisory rights over their data held by tech companies, including the right to correct, opt out, restrict or remove their data. Companies will also need to provide details as to how their data is being used and who has access.
Mark: PIPL’s greatest impact will be on companies dealing with mass amounts of consumer data. Internet platforms, online retailers, ride-hailing apps – the more consumer data you handle, the more scrutiny you will face. If your company’s China privacy policies are already GDPR compliant, then there will be little work required.
Generally, businesses dealing with China will need to analyze how they collect, interact with and process customer data. Most commonly this will involve a review of privacy policies, of IT systems that differentiate between different data points, and of data processing arrangements. Even if you are not a consumer-facing company, you will also need to handle the personal information of your employees, suppliers etc. in a compliant manner.
Mark: Many MNCs are concerned about cross-border data transfers. In this regard, the recent draft Cross-border Data Transfer Security Assessment Measures (“Draft Measures”) set low thresholds for mandatory assessment by the Cybersecurity Administration. The thresholds are far lower than expected in that the draft foresees an assessment being required if a business that processes the personal information of more than one million people transfers data overseas; or if the business transfers overseas the personal information of more than 100,000 people; or if the personal information is sensitive (i.e. biometric, health, financial or children’s) and is of more than 10,000 people. This is still a draft, but these numbers are very low from a Chinese perspective. Currently, the Draft Measures are still open for public comment until 28 November 2021.
Mark: The greatest impact will not be on foreign businesses. The main companies affected will be the Chinese tech giants and companies that misuse apps to collect information.
Foreign businesses which are dealing with large amounts of data will be most affected. Companies that rely on Chinese internet platforms (i.e. Tmall sales) will likely need to show compliance to avoid being restricted by the platform.
PIPL provides sufficient guidance for companies to address, as soon as possible, privacy issues in respect of consumers, employees, suppliers, partners etc. If you have provided GDPR-type protection to European stakeholders, why not Chinese stakeholders? Not having the full picture will not be a good excuse for not starting to address obvious issues.