10 Things You Need To Know about China's Data Privacy Laws
LEHMAN, LEE & XU China Lawyers

Mike Tyson famously said, “Everyone has a plan until they get punched in the mouth.”
Even though many do business with China, few ever have a plan for how to comply with China’s data privacy laws, policies and regulations, let alone how to adapt that plan when they are proverbially “punched in the mouth” by the Chinese authorities for data privacy non-compliance.
Here are 10 things to know for the implementation of China’s new data privacy laws:
1. What is China’s first comprehensive law designed to regulate online data and protect personal information?
China’s first comprehensive law designed to regulate online data and protect personal information is the Personal Information Protection Law (“PIPL”), which went into effect on November 1, 2021. This is significant because China has the world’s second largest economy and the most Internet users, and many foreign businesses deal with China either directly or indirectly. As such, it affects your business.
2. Which Chinese laws define data security?
China’s Data Security Law (DSL) is relatively new. It came into force one month before PIPL came into effect. The DSL applies to a wide range of data processing activities, including but not limited to the processing of personal information. China’s DSL is extraterritorial in scope and includes fines and penalties for wrongdoers. PIPL and the DSL together impose an increasingly complex and comprehensive legal framework for processing personal information when doing business in China or with Chinese entities.
3. Which Chinese regulatory agency enforces and administers PIPL?
PIPL is enforced and administered by the Cyberspace Administration of China and relevant state and local government departments. The law is similar in many aspects to the European Union’s General Data Protection Regulation (GDPR). PIPL consists of 70+ articles spanning eight chapters.
4. Who is regulated by PIPL?
PIPL has a broad scope and extraterritorial application, and a breach may trigger fines and penalties. Organizations and individuals should assess their PIPL compliance obligations if they: (1) process personal information within China, (2) gather information for the purpose of providing products or services to individuals within China, or (3) analyze or evaluate the behavior of individuals within China.
5. What are some of the most important obligations included in PIPL?
One obligation is to adjust public-facing documentation, including privacy policies, data subject rights request procedures, user interfaces and user experiences — i.e., the sign-up flows for clients, users, or even viewers of your website. A company also has an obligation to implement any standard contractual clauses in contracts involving personal information that may be transferred outside China. Additionally, companies have to implement consent mechanisms, including multiple layers of consent for certain processing activities or transfers — e.g., transferring personal information outside of China, or to another personal information processor. Another obligation is adding PIPL data breach notification requirements to incident response plans. Lastly, companies must assess the need to localize data in China and the impact that localization may have on global operations.
6. What might multinational corporations (MNCs) have learned from their previous implementation of E.U. and U.S. privacy laws that may also be helpful when implementing PIPL?
Data mapping and other undertakings created by MNCs for compliance with the E.U.’s GDPR, the California Consumer Privacy Act (CCPA) and other data privacy regulations might be repurposed as a starting point for implementing China’s PIPL. There is no question that customization will be required to meet PIPL’s “Chinese characteristics” in both implementation and application. To remain compliant, PIPL implementation efforts by those who operate within China — or with Chinese organizations — will remain a work in progress, given the uncertainty posed by interpretation and enforcement of the new law and the evolving implementing rules and regulations of PIPL. As with the E.U.’s GDPR and California’s CCPA, clients should continue to proactively monitor amendments to PIPL, evaluate PIPL implementing regulations as they are issued, and track PIPL enforcement actions, in order to adjust their PIPL practices and remain compliant.
7. Who must comply with PIPL?
Like the E.U.’s GDPR, China’s PIPL is intended to impose extraterritorial jurisdiction. PIPL covers any company or individual who processes the personal information of individuals in China, regardless of the individual’s nationality or residency. PIPL requires personal information processors located outside of China to establish dedicated entities, or appoint individual representatives, in charge of personal information within China. Such entities or representatives do not need to have any employment relationship or affiliation with the foreign processor. Like the “Data Protection Officer” concept in the E.U.’s GDPR, personal information processors that process personal information above a certain threshold (yet to be quantified) are required to designate, and publish the contact information of, an individual in charge of processing and protecting personal information.
8. Does PIPL differentiate between “controllers” and “processors” of personal information?
Under PIPL, personal information processors are deemed controllers and “entrusted parties” are deemed processors.
9. Under PIPL, who bears the liability in case of a breach?
Personal information processors assume liability and compliance requirements under PIPL. According to PIPL, joint personal information processors must enter into an agreement that designates the specific rights and obligations for each personal information processor. PIPL indicates joint personal information processors are jointly and severally liable.
10. May one sub-contract one’s data privacy obligations to another trusted party under PIPL?
According to PIPL, if processing of personal information is performed by an “entrusted party” on behalf of a personal information processor, these parties must enter into an agreement specifically designating the purpose, duration, method, categories, protection, rights and duties of processing personal information.