It’s no surprise that China’s Personal Information Protection Law (PIPL) was coming: a shiny new set of rules, similar to the GDPR, meant to govern how personal information collected in China is to be handled.
On August 20th the National People’s Congress passed the PIPL, which enters into effect 73 days later, on November 1st. If your organization processes personal information collected in China, either as a first or third party, that is when you will be expected to comply.
The Good News
Although the PIPL is similar to the GDPR, it is nowhere near as comprehensive, and we expect it to be heavily supported with ongoing guidance from the regulatory bodies. But if you have spent the last few years putting in place a comprehensive privacy program, associating each processing activity with one of the six legal bases outlined within the GDPR, then you should be in a good position to tackle the PIPL.
The Not So Good News
Though similar, the PIPL is not the GDPR.
Processing data as part of a contractual or legal obligation is supported but, critically, the concept of “legitimate interest” continues to be absent, which means that most processing of personal information will have to rely on informed consent.
Furthermore, even in areas where you have a legal basis other than consent, consent would still be required if the processing involves sensitive data, cross-border transfer of data, or sharing data with third parties.
Note: China has always adopted a consent-first model; the PIPL cements that approach moving forward.
What about data residency?
The cross-border transfer of data from China in most instances will require consent from the data subject.
Organizations that process a certain volume of personal information, a volume yet to be determined by the Cyberspace Administration of China (CAC), must store that information exclusively in China.
If the exporting organization can demonstrate that it is “necessary” to transfer the data outside of China, it will have to undergo a security assessment process to be defined by the CAC.
The “necessity” exemption is potentially there to allow for international banking and similar activities to take place, activities that would otherwise be impossible.
Consent and preference management is going to be the linchpin for any processing of personal information in China. Whether your choice is to build or buy, if your organization processes or plans to process personal information in China, investing in consent and preference management capabilities should be your top priority. For further detail, review the Market Guide for Consent and Preference Management.
Regarding the data residency requirements, consent is not a viable path forward for cross-border transfer, and the exemptions from consent will apply to only a few use cases. Organizations should budget for localized governance and technology in China as part of market entry or market expansion.