
Do you handle personal information in China? You’re probably going to have to change your approach

By Nader Henein | August 25, 2021 | 0 Comments


It’s no surprise that China’s Personal Information Protection Law (PIPL) was coming: a shiny new set of rules, similar to the GDPR, meant to govern how personal information collected in China is to be handled.

On August 20th the National People’s Congress passed the PIPL, which then enters into effect 73 days later, on November 1st. If your organization processes personal information collected in China, either as a first or third party, that is when you will be expected to comply.

The Good News

The PIPL is similar to the GDPR, though nowhere near as comprehensive, and we expect it to be heavily supported with ongoing guidance from the regulatory bodies. But if you’ve taken the last few years to put in place a comprehensive privacy program, associating each processing activity with one of the six legal bases outlined within the GDPR, then you should be in a good position to tackle the PIPL.

The Not So Good News

Though similar, the PIPL is not the GDPR.

Processing data as part of a contractual or legal obligation is supported, but critically, the concept of “legitimate interest” continues to be absent, which means that most processing of personal information will have to rely on informed consent.

Furthermore, even in areas where you have a legal basis other than consent, consent would still be required if the processing involves sensitive data, cross-border transfer of data, or sharing data with third parties.

Note: China has always adopted a consent-first model; the PIPL cements that approach moving forward.

What about data residency?

The cross-border transfer of data from China in most instances will require consent from the data subject.

Organizations that process a certain volume of personal information, a volume yet to be determined by the Cyberspace Administration of China (CAC), must store the information exclusively in China.

If the exporting organization can demonstrate that it is “necessary” to transfer the data outside of China, it will have to undergo a security assessment process to be defined by the CAC.

The “necessity” exemption is potentially there to allow for international banking and similar activities to take place, activities that would otherwise be impossible.

What next?

Consent and preference management is going to be the linchpin for any processing of personal information in China. Whether your choice is to build or buy, if your organization processes or plans to process personal information in China, investing in consent and preference management capabilities should be your top priority. For further detail, review the Market Guide for Consent and Preference Management.

Regarding the data residency requirements, consent is not a viable path forward for cross-border transfer, and the exemptions from consent will apply to only a few use cases. Organizations should budget for localized governance and technology in China as part of market entry or market expansion.

The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.
