China's Rules of the Road for Foreign Business are Changing Dramatically

The EU adopted GDPR (general data protection regulation) in April 2016. The GDPR now brings personal data into a complex and protective regulatory regime. Do 'any' business in the EU without understanding/complying with it and the penalty may be very severe. In November 2021, China enacted the PIPL (personal information protection law). In fact, some of the concepts of PIPL were 'borrowed' from the GDPR.The entire life-cycle of personal information processing is covered. The PIPL compliments and further strengthens their existing Data Security Law and their Cybersecurity Law. PIPL compliance references the IT infrastructure requirements, system designs and applications. However, Article 40 also requires that personal data collected and generated by critical information infrastructure (CII) operators and processors must generally be stored in China. If a remote user (cross-border) outside of China has access that could violate the law unless the Cyberspace administration of China has previously green-lit access. Foreign companies may need to deploy stand alone systems and networks. Operating guides/procedures have yet to be issued. Users will have influence as to what personal data is stored, where and for how long. How consent is defined is worth researching. China's legislator's have expressed serious concern regarding the use of facial recognition, fingerprints and CCTV. Alternatives for access must be considered. Regardless, compliance must be integral with IT systems. Keep in mind, this will also extend to mobile device management. Infringement liabilities could include administrative, civil and criminal recourse. Serious violations could cause an employer to face fines of RMB 50M or up to 5% of the previous year's turnover. Having reliable local partners and solid legal counsel will help you adapt to China's unique business, media and consumer culture.