A Broader Perspective on the Data Protection Law in China

2022-11-04

As data protection legislation becomes more established around the world, with influential laws such as the European Union's General Data Protection Regulation (EU GDPR) and China's Personal Information Protection Law (PIPL) leading the way, data protection professionals need to take a broader view.

This is the opinion of Sarah Wang Han, Head of Research at Straits Interactive and a data privacy consultant who has studied China's data protection regulations, including the PIPL.

“Organisations need to know that for certain regions, for certain countries, there are different data privacy requirements. These are countries that may require data localisation, or classified data, and if you are doing business or dealing with personal data there, you need to be very clear about what is required,” she said.

“Can you transfer the personal data [from one country to another]? Can you get the personal data from a country? These are questions you need to know the answer to, as this will affect your business. So of course you need to know the differences in data protection for those jurisdictions,” said Han, who has a Master of Laws from Hunan University.

An Eye On China’s PIPL

The PIPL, which took effect on 1 November 2021, is the first dedicated data protection law in China. Together with the Cybersecurity Law (CSL) and the Data Security Law (DSL), these three laws are known as the "Three Pillars" of data protection and information security in China.

“In China, when you're doing business [there or with the data of Chinese citizens], be very clear about the laws and regulations. Keep abreast of legal developments, not just the national laws, but also look at sector regulations.”

Han noted some major enforcement cases in China since these three laws came into force between 2017 and 2021. These included DiDi, a ride-hailing service that was fined more than 8 billion yuan (about USD 1.2 billion) in July 2022, and a number of banks that incurred fines of more than 10 million yuan (about USD 1.38 million) each.

“I have to say that because the PIPL is very strict and it has very hefty fines, organisations have felt threatened by these fines and fear the suspension of their business licences. So they've come to the realisation that data protection is a must, they cannot ignore it,” she said.

Legal Requirements for Local Businesses

The new privacy law significantly affects Chinese companies by imposing stringent regulations on how they handle personal data. Here are several key impacts:

Strict Compliance Requirements

Chinese companies must adhere to rigorous standards for processing personal information, including obtaining explicit and informed consent from individuals before collecting or processing their data. Companies will need to ensure that their data handling processes are transparent and that users are fully aware of how their data is used.

Regulation of Predictive Algorithms

The PIPL works in conjunction with regulations on predictive algorithms, such as those announced by the Cyberspace Administration of China (CAC). Companies that use algorithms for recommendations or targeted advertising must ensure these do not encourage harmful behaviours, like online addiction, which restricts how companies can leverage data for marketing and product development.

Increased Accountability

Organisations must implement stricter data protection practices, including security controls to safeguard personal information. Depending on the volume of data processed, companies may be required to appoint a person in charge of personal information protection (comparable to a data protection officer, or DPO) and to conduct regular compliance audits of their processing activities.

Penalties for Non-Compliance

The PIPL introduces severe administrative penalties for violations, which can include hefty fines and operational restrictions. This creates a strong incentive for companies to prioritise data compliance and avoid data breaches.

Impact on International Operations

Chinese companies operating globally must consider how data protection laws in China affect their data processing activities outside of the country. Because the PIPL reaches processing that takes place outside China when it concerns the personal information of individuals in China, multinational companies must comply with the PIPL alongside the regulatory frameworks of the other jurisdictions in which they operate, which leads to complex legal considerations.

User Rights

The PIPL grants users expanded rights over their personal data, including the right to access, correct, and delete their information. Companies must establish processes to facilitate these rights, which adds another layer of protection, but also an added layer of operational complexity.

The PIPL Going Beyond Chinese Borders

In the interest of national security, the PIPL, like the EU GDPR and the newly passed Indonesian personal data protection law, also has extraterritorial applicability. This means that its provisions and enforcement apply not only to local firms, but also to those based outside of China.

How Does China’s Privacy Law Affect Foreign Businesses?

China's privacy laws significantly impact foreign businesses, primarily by extending their jurisdiction beyond national boundaries. Beyond organisations established in China, the PIPL also applies to organisations outside China that process the personal information of individuals in China for the purpose of providing them with products or services, or of analysing or assessing their behaviour. Consequently, foreign companies must reassess their data handling practices and processing activities to align with the stringent standards set forth in data protection laws in China.

The data protection law in China imposes rigorous requirements regarding data localisation and security controls. Organisations must ensure that they have adequate protection measures in place to protect personal information, along with clear protocols for cross-border data transfers, which under the PIPL must rest on a recognised mechanism such as a security assessment by the Cyberspace Administration of China, a certification, or a standard contract with the overseas recipient.

In addition to operational changes, the law introduces substantial penalties and remedial measures for violations, creating a heightened risk landscape for businesses. Foreign entities, and the individuals directly responsible within them, must navigate these complexities while balancing the differing requirements of their home countries.

Furthermore, the PIPL's requirements for transparency regarding algorithmic recommendations, and the right of users to opt out of such services, create additional obligations for companies engaged in online activities. This follows the recent focus on regulating predictive algorithms in China.

Overall, the PIPL represents a significant shift in the regulatory landscape that foreign companies must navigate, compelling them to adopt proactive security measures and a comprehensive approach to data privacy and protection in their dealings within China.

By taking the Advanced Certificate in Data Protection Principles, you can also learn about the GDPR and its application in Asia.


Common DPO Concerns About China's Data Protection Law

Data protection professionals, including DPOs, a role that is mandatory in many jurisdictions, have some common concerns relating to the data protection law in China, according to Han, who is a trainer for the Advanced Certificate in Data Protection Principles issued by Singapore Management University.

“As a trainer, I see these professionals often and their common concern is, ‘How do we get started with data protection?'” she said. “They need a very systematic way to do things because they feel kind of lost when they look at legal requirements.”

“While they may have some idea of what to do, and they are clear about the requirements of the law, they struggle with how to comply with the laws and how to operationalise data protection principles alongside data processing.” One consistent feedback Han and her fellow trainers get is that course participants like how the courses have been designed.

“This is because we usually start from the cultural perspective, the local background, to give participants an introduction [to the landscape]. For data protection, there are many commonalities around the world, such as the basic principles, the rights of individuals, the obligations of the data controller and data processor.”

“But [across jurisdictions] there are nuances as well. To understand the local data protection law of each territory, you need to respect the local culture and respect the local legal system,” added Han.

Data, and the risks to it, do not stop at national borders. “For a DPO here, it's not just about knowing what is happening in Singapore. You also need to know what is going on in the region, say for ASEAN countries, so that you can comply with these regulations.”
