Six Tips for Complying with PIPL
• read
The Personal Information Protection Law (PIPL) passed by the People’s Republic of China on 21 August and effective November 1, 2021, is not the GDPR.[1] While it shares some familiar grammar with the General Data Protection Regulation, its underlying precept is of a much different nature.
The foundational principle of the GDPR rests on a perceived human right to privacy. PIPL, on the other hand, is premised on China’s broader ‘informatization’ policy, which Chinese President Xi Jinping has described as the modern equivalent of industrialization” (Brumfield, 2021). And, given the “socialist” nature of China’s economy, information (including personal information and its monetization) defined as an industry, is controlled by the state.
The comparison to the GDPR works in a superficial way. The language is similar and at the end of the day, people will get privacy notices, the use of personal data is restricted to certain purposes, and there are onward transfer provisions.
But, on a not that much deeper level, this is a fundamentally different law. The EU is motivated fundamentally by protection of human rights. And I think China is fundamentally motivated by the assertion of sovereignty over the data. They want to control the information in the country…they don’t want American tech companies to control it. They don’t want Chinese tech company to control it.
—Ed McNicholas, Ropes & Gray LLP
As part of an ongoing series of conversations, WireWheel CEO, Justin Antonipillai and privacy legal scholar Daniel Solove were joined by Mingli Shi and Ed McNicholas. Their discussion is available here.
Mingli Shi is an attorney at Qualcomm responsible for compliance with global privacy laws, and a frequent contributor to a think tank Digital China affiliated with Stanford’s Cyber Policy Center. Ed McNicholas is a Partner, and the U.S. leader of the Data Privacy and Cybersecurity Practice at Ropes and Gray, and was a litigator in the Clinton Whitehouse.
No “Legitimate Purpose”
China has a national strategy for a Digital economy,” notes Mingli. “China’s digital industry is booming…and the government has clearly expressed its determination to take great efforts to promote and invest in industries around data, big data, and AI.” Interestingly,
The original word used in China privacy law literally translates as interests in rights, but the Chinese phrase is more focused on the interest aspect rather than the rights. China’s privacy law, and its data governance…is focused on national interests in…cyber sovereignty and data sovereignty.
—Mingli Shi, Qualcomm
McNicholas notes that while it is PIPL that has “burst onto the scene, there are actually a whole series of laws” enacted by China including the 2017 cybersecurity law, the 2018 state secrets law, and biosecurity law “that altogether assert what I think chairman Xi has been very clear about: the notion of data sovereignty. That China wants to be in charge of the information in China.”
While extremely broad – perhaps purposefully so – in its language, the concept of sovereignty and control is both tacitly and implicitly expressed in PIPL. As Solove notes, there are provisions that notably diverge from the GDPR and are much more restrictive:
One is the requirement is there has to be a Personal Information handler in the company in China: a representative for foreign data handlers.
And there are no legitimate purposes or lawful basis to process data which is I think is the most common. Lawful basis used to process data under the GDPR. So, I’m wondering how this is going to play out without that lawful basis.
—Daniel Solove, John Marshal Harlan Research Professor of Law, George Washington University Law School
Mingli affirms that “the law is quite clear. Foreign organizations that would be subject to China, privacy law need to establish a local office or appoint a local data protection staff based in China.” She further notes that PIPL also includes an additional category of protected information called “Important Information.” However, it does not define it.
PIPL is about Localization, Control, and “National Security”
Antonipillai notes that while PIPL would receive a lot of attention under any circumstances, “everybody’s paying attention to the Chinese Government’s move to block the IPO of Diddy. It appears to have been based, in part, on the amount of data that Diddy holds on Chinese persons and what going public in the U.S. would do to what can be perceived as a strategic amount of data in the possession of Diddy.”
They see, I think everyone does, that data is the new oil…and they will have an industrial policy for tech companies the same way they have industrial policy for other segments of the economy…China is practicing socialism – not the kind of socialism we talk about in American politics – real socialism. With industrial policy that is using the sovereign interests to control corporate activity. I think that we will see more like the Diddy case coming forward.
— Ed McNicholas, Ropes & Gray LL
Ms. Shi notes that the “extraterritorial application of privacy law is not unique to China. GDPR has similar requirements for organizations that get the personal data of EU residents….China, privacy law also adopts this approach. If foreign organizations process personal data of people in China or they assess the behaviors of people in China, then they are subject to China’s privacy law.”
Mingli further cautions that PIPL relies heavily on notice and consent as well as organizational obligations like regular auditing and data categorization (including “important information”).
If you do cross-border transfers, you need to pay attention to whether your data is subject to the localization requirement by default. And if you are a bigger platform and run a big social media service or you run an app store then you are subject to additional liabilities and you need to have an independent supervisory body composed of external experts to supervise your data activities…”
—Mingli Shi, Qualcomm
Ultimately, says McNicholas, “if you have an office in China, think, can we just localize that data? Do we really need to export it? There’s a lot of data export that happens because it’s easier for companies…Chinese contractual mechanisms, warns Ed, might be “more onerous and require a bit more consideration” than Standard Contractual Clauses. I think this regime will just become more focused on localization over the long run.
What do organizations need to do now?
With so little time to prepare, what should organizations consider to accommodate PIPL? Fortunately, says McNicholas, “I don’t know that a well-run Chinese program is going to be all that different than a well-run European program.”
Key considerations include:
- The increased importance of data inventory and data mapping.
- Pay particular attention to personal data of Chinese persons if your company has enough that it might be perceived as a strategic asset.
- Pay close attention to additional types of data including “important data” and data generated by “critical information infrastructure operators” doing business in China.
- Pay attention especially to the extraterritorial transfer nature of the law which carries with it any number of consequences (not yet completely defined).
- Ascertain whether you need to locally store certain data at your China-based operations.
- Make sure you know how the organization is using data for marketing purposes and integrating that data in analytics platforms.