Memorandum on the Chinese GDPR – The new “Personal Information Protection Law”. Implications and consequences
Introduction
The recent legislative activity in the People’s Republic of China regarding the protection of personal data has attracted the attention not only of operators in the sector but also of the daily news, thanks to a series of strict stances taken by the control authorities.
In the last five years, China has established itself globally as one of the main players in the regulation of the Internet and the digital sectors. It has approved a series of measures which, as in the case of the “E-commerce Law”, have been of the utmost relevance in the global scenario. This trend began in 2016 with the approval of the “Cybersecurity Law” (“CSL”). From the outset it has been characterized by a so-called “data sovereignty” approach, increasingly highlighting the role that the legislator attributes to the various economic and social aspects of the “digital economy”.
Attention to data security is a further step taken by the Chinese legislator with regard to the Internet sector and data protection regulation. The predominant role that the use of data plays within the business models of companies on the one hand, and the increasing concern of Chinese citizens regarding the use of their personal data by private companies on the other, have led the legislator to draft the “Personal Information Protection Law” (“PIPL”), whose content has been considered close to the framework of the European General Data Protection Regulation (“GDPR”).
Purpose and scope of the Law
The purpose of the Personal Information Protection Law is to regulate the processing of data collected within the territory of China. Although the main targets of this Law are the Chinese big tech companies (Alibaba, Baidu, Tencent), its effects will also impact foreign companies that process, outside the Chinese territory, personal data collected in China or concerning Chinese citizens.
A series of definitions are introduced to define the scope of this legislative measure:
- The definition of “personal information” is as follows: “all kinds of information related to identified or identifiable natural persons”, specifying that they must be “recorded by electronic means” and that information processed anonymously does not fall into this category.
- A separate definition is given for “sensitive personal information”, described as “Personal Information is likely to result in damage to the personal dignity of any natural person or damage to his or her personal or property safety once disclosed or illegally used”.
- No less important is the new figure of the “personal information processor” (the “Processor”), the main subject of the obligations under the Law, which corresponds to the “data controller” under the GDPR. This definition covers a particularly large number of companies, foreign and domestic, that process, in more or less varied ways, the different types of data of their users, suppliers, employees, etc. for different purposes.
The classification of data has been further specified by the State Administration for Market Regulation, which has made the following subdivision:
a) “Non-sensitive data” (e.g., public information uploaded by the user)
b) “Fairly sensitive data” (e.g., customer center call records)
c) “Sensitive data” (e.g., telephone numbers, emails, transaction history)
d) “Very sensitive data” (e.g., ID card numbers, user names and passwords)
Location data now falls under sensitive data and its use will therefore be severely limited, greatly reducing how much brands can, for example, track offline visits to stores.
Informed Consent
The principle of informed consent for anyone intending to process user data revolves around these definitions: consent has to be requested in relation to the type of data collected and to where the data will be processed. The general rule established by the PIPL is that consent should always be required for the processing of personal data. There are some exceptions specifically identified by art. 13 [1].
Furthermore, the data subject must be adequately notified of the processing of personal data in accordance with the applicable requirements, and their consent has to be obtained. The data subject has the right to know and make decisions about the processing of their personal information and has the right to withdraw or refuse consent.
Additional obligations are placed on e-commerce platforms:
- To establish an independent and external supervisory body to oversee the Platform Provider’s personal information processing activities.
- To cease providing the use of the platform to economic operators who seriously and frequently violate personal information processing requirements established by Law and regulations.
- To publish, on a regular basis, personal information responsibility reports and the actions to be implemented as a consequence.
Cross-border transfer of personal data
The regulation of the cross-border transfer of personal information collected within the territory of the PRC is particularly burdensome.
Indeed, the PIPL requires an additional and separate consent in all cases where the subjects in charge of processing share personal information with other subjects, process personal information for specific purposes, or share personal information abroad (articles 24, 30 and 39).
A cumbersome process is also provided for transferring personal information abroad. Specifically, it is necessary, first, to obtain a “Security Assessment” issued by the Cyberspace Administration of China and a “Personal Data Protection Certification” issued by an authorized body (the requirements of which have yet to be published). Moreover, it is necessary to make sure that the subject processing the data abroad still meets the requirements of Chinese Law and, finally, it is mandatory to use a standard contract published by the Cyberspace Administration of China.
The Law also requires the Processor to have a “dedicated office” or, at the very least, a “designated representative” responsible for matters relating to the protection of personal data (article 53). This strict legislation, if applied literally, implies that almost every company that plans to sell its products or services in China is required to comply, because even just collecting the buyer’s name and contact information triggers the requirements of the PIPL.
Finally, it is expressly forbidden to provide personal data to foreign judicial or administrative authorities without obtaining the consent of the relevant Chinese authorities.
Sanctions
Penalties for violating the PIPL are of an administrative nature and vary according to the seriousness of the violation.
A simple violation may result in: a warning and confiscation of the illegal proceeds, an administrative fine of up to RMB 1 million, and a fine of RMB 10,000 to RMB 100,000 (approximately EUR 1,300 to EUR 13,000) for the person responsible for data protection.
In the event of a serious violation, the consequences may be: a demand for correction and confiscation of the illegal proceeds, an administrative fine of not more than RMB 50 million (approximately EUR 6,500,000) or of up to 5% of the previous year’s turnover, and a fine to the person responsible for the protection of personal data of RMB 100,000 to RMB 1,000,000 (approximately EUR 13,000 to EUR 130,000).
The burden of proof is always on the subject that gathers and processes the personal information.
Consequences for Italian and European companies
Italian and European companies operating in China will also have to take into account the new legislation, with a particular risk exposure for luxury brands that might collect personal data from public officials or people holding public office.
The requirement of a specific and informed consent could lead to a reduction in targeted advertising, and creating consumer profiles will become more difficult.
The challenges are not only commercial: these issues require companies to adopt a model that ensures data is processed in accordance with the Law and with the consent of the individual, which means greater attention must be dedicated to compliance and privacy.
Nctm will be able to assist companies in adapting to China’s new data protection regulatory framework. We are available to discuss the current privacy model and provide a proposal for specific legal assistance.
This article is for information purposes only and is not, and cannot be intended as, a professional opinion on the topics dealt with. For further information please contact Carlo Geremia and Marco Cappa.
[1] a) When the processing activity is necessary to execute a contract to which the subject whose data is being processed is a party. b) When the processing activity is necessary to fulfill legal obligations or responsibilities. c) When it is necessary for reasons of public health emergency. d) When it concerns personal information already made public. e) For journalistic purposes. f) For other purposes provided for by the Law.