The PIPL, in general, establishes a regime similar to the GDPR, although the requirements are not identical, and the PIPL imposes stricter requirements in some areas. For instance, the PIPL imposes heightened requirements on the details that must be disclosed to individuals for the processing of sensitive personal information and the cross-border provision of personal information (pursuant to the PIPL, the name and contact details of each and every foreign recipient must be disclosed), and requires separate consent from individuals for the same. Also, the PIPL requires controllers to conduct security impact assessments under a number of processing scenarios. Further, the PIPL imposes a data localization requirement on operators of critical information infrastructure and on controllers that process an over-the-threshold volume of personal information (the threshold will likely be set at one million personal information subjects). In addition, the PIPL exerts more rigid control over cross-border data transfers.
Being GDPR-compliant does not guarantee being PIPL-compliant. Companies are advised to take action as soon as practically feasible to ensure that their China-related privacy practices comply with the requirements prescribed under the PIPL, as the PIPL will take effect on 1 November 2021. We recommend that companies:
- Develop a data governance framework and an in-house data compliance program.
- Conduct data mapping and data inventory checks, system profiling, and security risk identification and profiling.
- Review and update existing privacy notices that apply to Chinese residents by measuring against the requirements (especially taking into account the heightened notification and separate consent requirements) under the PIPL.
- Develop and update internal policies, protocols, standard operating procedures, and response mechanisms for the protection of personal information, including, among others, conducting security impact assessments and establishing a channel for responding to requests from personal information subjects.
- Review and prepare for data localization to the extent applicable.
- Review and prepare for cross-border data transfer restrictions and formalities.
- Maintain and document appropriate contractual, technical, organizational and physical privacy and security measures for China, including the performance of due diligence of vendors, the management of vendor agreements, the monitoring of vendor compliance, and the administration of regular data privacy and security training for personnel.
With the enactment of the PIPL, the Chinese legislature has promulgated all of the "Three Horse Carriages" of the new-age data protection and cybersecurity regime, namely: (i) the Cybersecurity Law of the PRC, governing the construction, operation, maintenance, use and security of networks in PRC territory; (ii) the Data Security Law of the PRC, principally dealing with data security, governance and trading, with a focus on data other than personal information; and (iii) the PIPL, which regulates personal information and related matters. Going forward, cybersecurity, non-personally-identifiable data and personal information will be regulated separately under these three principal laws.
* * * * *
Baker & McKenzie FenXun (FTZ) Joint Operation Office is a joint operation between Baker & McKenzie LLP, an Illinois limited liability partnership, and FenXun Partners, a Chinese law firm. The Joint Operation has been approved by the Shanghai Justice Bureau. In accordance with the common terminology used in professional service organisations, reference to a "partner" means a person who is a partner, or equivalent, in such a law firm. This may qualify as “Attorney Advertising” requiring notice in some jurisdictions. Prior results do not guarantee a similar outcome.
This client alert has been prepared for clients and professional associates of Baker & McKenzie FenXun (FTZ) Joint Operation Office. Whilst every effort has been made to ensure accuracy, this client alert is not an exhaustive treatment of the area of law discussed and no responsibility for any loss occasioned to any person acting or refraining from action as a result of material in this presentation is accepted by Baker & McKenzie FenXun (FTZ) Joint Operation Office.