Does the China Personal Information Protection Law (PIPL) really matter to me? Life has changed since November 2021!

If you are an Apple user in China, you may have already received this email notification “Apple is ready for the Personal Information Protection Act”. On October 30th, 2021, right before the China Personal Information Protection Law (PIPL) came into effect, Apple’s official account sent out a short but determined notice to all its Chinese users to demonstrate its active commitment to the new legislation.

If you are a frequent user of the Tik Tok e-commerce platform, you may also have noticed its newly introduced Privacy Policy requiring strict encryption of all consumers’ personal data (mobile numbers, names, shipping addresses, etc.). With “Personal Information Protection” becoming a buzzword in the wake of the PIPL, the entire Chinese commercial environment is changing rapidly. For any organization doing business in China, whether a local company or a multinational group, it is high time to roll up your sleeves and address this new challenge!

1. What is the PIPL implemented from November 2021?

Effective from November 1st, 2021, the Personal Information Protection Law (PIPL) is the first piece of legislation in the mainland aimed at protecting personal information. Its ultimate purpose is to establish a general framework regarding how companies worldwide, both inside and outside of China, shall process, collect, and transfer personal data under the principles of legality, fairness, good faith, minimum necessity, openness, and transparency.

It shall be underlined that the PIPL applies not only to personal data processing activities within the territory of China, but also to those outside it. In other words, foreign organizations that process personal information outside the country are subject to the PIPL if they collect personal information by providing products/services to, or by analyzing/assessing the behavior of, individuals located within the Chinese mainland.

Admittedly, the PIPL has a wide reach with a significant global impact, and its rigorous punitive measures, with a fine of up to 50 million RMB (~7.8 million USD) or 5% of the violator's previous-year turnover, are rather noteworthy. Just as many international companies have started to gain confidence in the GDPR (General Data Protection Regulation) compliance adjustments they have made since 2018, the introduction of the PIPL will certainly create another undercurrent beneath the seemingly “calm waters” of the commercial market.

2. Spotlighted cases regarding Personal Information Protection

Back in 2021, even before the official implementation of the PIPL, the public's emotional appeal for personal information protection was already high. According to a survey conducted by Cisco in October, consumers in China were the most enthusiastic about privacy laws of all the countries measured, and they are increasingly aware of and vigilant about “unnecessary personal data collection” or “non-transparent user data processing” in the domestic market, which has led to new categories of lawsuits.

  • First ever lawsuit on price discrimination based on automated decision-making. In July 2021, one of the largest mobile apps for travel services in China was sued for unfair pricing to targeted customers based on algorithms. It was disclosed that this app was applying a different pricing scheme to high-end customers (e.g., frequent users with huge cumulative consumption). When booking the same hotel room, those VIPs were charged twice the price compared with other casual users. After the verdict, the app was ordered to refund 3 times the price difference and to amend its Service Agreement and Privacy Policy by providing alternative options for users, so that they can refuse personal information processing through automated decision-making mechanisms.
  • First ever lawsuit on over-collection of an individual's personal information. Another similar case was a local wildlife park being sued for unnecessary biometric data collection. From 2019, this zoo had been collecting visitors' photos and fingerprints for membership card services, and then further required members to activate the e-card functionalities via facial recognition. In 2021, after being brought to court, the park was ordered to delete the biometric information collected from visitors and to suspend the use of fingerprint recognition gates for access control.

Since November 2021, when the PIPL was officially brought into action, many more cases and changes have been happening every day, and this is expected to continue. On Nov 3rd, 38 mobile apps were forced to “rectify” their current data processing implementations or otherwise be banned within a week; in January of 2022, 3 leading national banks were fined 12 million US dollars for mismanagement of user accounts and improper collection, inquiry, and storage of customers' personal information. With a surging number of institutions, companies and practitioners being confronted with legal sanctions, an effective compliance solution to cope with this rigorous new law is of immense urgency.

3. Is my business violating PIPL and what should I do to comply?

If your office building in China is doing facial recognition or taking photos of the employees at the entrance as a way of “clocking in”, beware: If you have not acquired consent from the individuals, or if the face-capture devices are placed in inconspicuous locations, then your company may already be in breach.

Your organization may have actively updated the Privacy Policy and Consent Notices to conform to the new legislation, but has it clearly listed out all the information to be collected and the purpose for collection? If you are a multinational company headquartered outside of China but serving customers within the Chinese territory, do you have a clear picture of all the requirements prescribed by the CAC (Cyberspace Administration of China) for cross-border data transfers? Is your marketing team still sending out promotional emails or advertising messages to contacts based on algorithms/back-end user data analytics?

It's time to pause, reflect on and review those issues, and here are some compliance suggestions from various sources for your reference:

  • Review the personal information processing activities and carry out risk assessments. Take a look at the current personal information life cycle inside the organization, and evaluate the legal basis, records and supporting documents of the various processing activities. Furthermore, carrying out a risk assessment to determine the risk level and prioritise remedial actions would be a wise choice.
  • Compile and release PIPL compliance whitepapers and rectification plans. After the enforcement of the PIPL, many organizations have launched self-audit processes to comply with the new legislation. For instance, a Chinese academic institution (CAICT) has put out a Personal Information Protection Audit Leadership project to help local companies conduct internal audits and self-evaluations; Oppo Mobile Telecommunications, as a leading Chinese consumer electronics company, has cooperated with reputable consulting firms to publish Whitepapers on Personal Information Protection for Mobile APPs with detailed legislative instructions and implementation plans.
  • Track the volume of cross-border data transfers. When providing personal information to overseas stakeholders, the receiving entity shall undergo a PIPL certification assessment through the Cyberspace Administration of China (CAC) or a specialized agency appointed by them, or adopt the CAC standard clauses into its contracts. Particular attention should be paid to the volume of cross-border data transfers, as an additional assessment (Data Export Security Assessment) may be triggered if the entity is transferring either the personal information of more than 100,000 people or the “sensitive” information (e.g., biometric data) of more than 10,000 people.
  • Conduct internal personnel management and staff training. Creating effective processes for managing all work related to personal information protection, with well-defined policies, procedures, and guidelines, is the best way to cascade the new regulations to the relevant personnel. Privacy awareness training is also necessary to make sure all staff understand the importance of personal information protection to the business, clients, third parties, and themselves, as the data lifecycle may involve an extensive range of employees in various positions.
  • Pay special attention when using CRMs to manage client contacts. To avoid any potential risk, it is better to embed privacy preservation into the design. Especially for companies that allow their marketing team to send out promotional emails using the CRM database, an effective and practical remedy could be controlled access to the data pool, or simply a “disallow” default setting.

People may wonder whether there are significant differences between the PIPL and the GDPR, which has already swept the commercial environment globally. Is the PIPL just a “replica” of the GDPR in the Chinese language? In fact, many world-renowned consulting firms have done large quantities of research concentrating specifically on the comparison between these two laws. Though different institutions applied various methodologies, all arrived at the same unquestionable conclusion: complying with the GDPR is definitely not a safe bet for surviving the PIPL regulations in the Chinese market. Rather, one should proactively and preventatively “lay out an anchor for the whirlwind” before it is too late.

As the largest provider of testing services in China, ATA has been keeping a close eye on the background and milestones of the PIPL since early 2021, and has conducted relevant research. At present, ATA is partnering with a few international clients on PIPL-related consultancy services, and is playing an active role in leading the PIPL topics within the global testing community. For companies seeking safe and smooth development in the Chinese assessment market under the PIPL, ATA is your ultimate and trusted local partner.

Interested in more information about the Chinese testing market? Please follow us on https://www.dhirubhai.net/company/atabeijing