Practice Points for China's New Data Regulations

Welcome everyone to the 3rd edition of my China Tech Law Newsletter! Today we're going to talk about another topic that has been in the headlines over the last few months: data privacy regulation in China.

China is relatively late to the party on having a comprehensive set of data privacy laws. Three foundational laws now make up the data regulatory framework: the 2017 Cybersecurity Law, which primarily governs network security; the Data Security Law (DSL), passed in June 2021 and effective September 1st, which focuses on national security and non-personal data; and the most recent Personal Information Protection Law (PIPL), passed August 20th and effective November 1st, which addresses personal information protection in a way more akin to Europe's GDPR (General Data Protection Regulation).

I distinctly remember in the buildup to the Cybersecurity Law in 2016, lawyers in China were predicting huge compliance costs for large (and especially foreign) companies in China. As it turns out, that process has not been nearly as difficult as the doomsayers predicted.

With PIPL, there has been ample warning it was coming, but there are still so many misconceptions among companies, especially those based outside of China, about what is actually required. For example, reading the headline that Tesla is storing all its data locally and concluding that this is now required for all foreign companies here (when it is not).

While the compliance burdens are real, the difference today is that (with a bit of education) most global companies have a big running head start coming into PIPL based on their experience with GDPR.

Wrapping Our Heads Around PIPL for Different Sized Companies

Many of the mechanics of GDPR and PIPL overlap, to the point that for some decent-sized clients we have simply adapted their existing policies to add the PIPL China-specific requirements, either directly as a separate China user or employee privacy policy or by using an addendum (typically with GDPR as the baseline for the policy).

As always in putting these policies together, some of what is going on here is a check-the-box exercise. Here quite literally, in the form of taking existing global policies and pulling out consents for things to be presented to the user as specific, separate consents (yes, in check-the-box format, for example) rather than a broad catch-all policy document.

Not surprisingly, most companies (especially small and medium-sized ones) did not have everything in place on November 1st. And that's basically fine and in some ways actually smart. Hear me out.

First, the primary regulator here, the Cyberspace Administration of China (CAC), is an overstretched agency at the moment and will not be knocking on your door during the first few months after the law takes effect, especially with implementing regulations still to follow. The key in the short term will be to make a good-faith effort towards building a compliance system as soon as practicable, not as soon as possible.

Also, many SMEs, for cost reasons, need to piggyback off of the work that is done by the bigger companies first to sort through what and how to comply with the new requirements. To be perfectly blunt, they do not have the luxury of spending money on lawyers and other privacy advisors to be on the cutting edge of data compliance. Better they wait and let those beautiful precedent templates (such as the new self-assessment forms) be developed on someone else's dime, i.e., when compliance is a bit more commoditized.

As you are not likely to be randomly audited by government authorities, any inquiry into your compliance system will instead come as a result of a complaint by a disgruntled customer or employee with another agenda to settle, just as we see play out in so many other compliance domains.

And it's worth repeating that, as with all major pieces of legislation in China, a lot of the specific details of how to fully comply are yet to come in the form of implementing rules to be issued in the next year and beyond.

Finally, as I mentioned last time, it's again important to think about macro policy. The DSL and the Cybersecurity Law, and even the PIPL, were drafted with national security in mind first, in addition to concerns over data integrity and privacy. Technical compliance is one thing, but being aware of this overarching principle and how it will drive enforcement of these new laws is also key to looking at your own business in China and deciding how much of your (limited) resources to put into building the "perfect" data compliance system.

Now if all of this is still completely over your head, let's dig into a primer on the new PIPL written in a style that is hopefully a bit more readable. If you're familiar with the basic requirements already, skip ahead to the section on "Practical Compliance Steps" down below.

PIPL Key Requirements

(adapted from a previous client alert I wrote with Robin Tabbers and Leslie Kong at my firm, R&P)

1. Handling personal information generally

  • You must obtain consent from the individual (and again if the purpose/use changes).
  • Consent is not needed if handling the personal information is necessary to fulfill a contract with the individual.
  • Human resource activities are permitted without additional consent so long as the activities are contemplated in the employee's labor contract or other rules such as the employee handbook.
  • Consent is not needed to fulfill certain statutory obligations.
  • An individual can withdraw consent later for any further handling of their data.
  • An individual can demand an explanation of, and refuse, a decision made solely by automated decision-making that materially affects his or her rights and interests.
  • An individual can request a copy of, and correct, any of his or her personal information.
  • If you handle the personal information of individuals in China from outside China, you need a local entity or designated representative who is responsible (as the point of contact for handling complaints, etc.).

2. Transfer of data to a 3rd party

  • A separate consent (e.g. a pop-up window) will be required from the individual for transfers of personal information to third parties.
  • And the individual must first be informed as to who the third-party recipient is, how and for what purpose they are handling the information, their contact information, and the rights of the individual vis-à-vis you and the third party.
  • A contract between you and the third party (including between your China entity and your headquarters or other affiliated companies) will be required incorporating the obligations of the PIPL.
  • For outsourced providers which are entrusted to process data for your benefit (and not their own or someone else's), you may not need consent for such third-party transfers so long as you have a data processing agreement in place with them.

3. Overseas transfer of data

  • A separate consent (e.g. a pop-up window) will be required from the individual.
  • A contract between you and the overseas recipient incorporating standard terms from a model contract to be published by the Cyberspace Administration of China (CAC).
  • Note there are other routes to permit overseas transfers, such as passing a CAC security assessment or obtaining a personal information protection certification under CAC rules, but most companies will choose the first (contract) alternative.

4. Storage in China in some circumstances

Data must be stored in China if the company is a:

  • Critical information infrastructure operator (CIIO, generally large entities in industries such as transportation, telecommunications, energy, finance, and other national security related industries), OR
  • Company whose handling of personal information reaches a volume threshold to be set by the CAC (not yet defined under the law).

In other words, the local storage requirement will not apply to many small and medium-sized enterprises engaged in non-data-intensive businesses.

5. Handling sensitive information

A separate consent (e.g. a pop-up window) will be required from the individual for handling sensitive personal information, which includes:

  • Biometric
  • Religious/Ethnic
  • Medical health
  • Financial (such as bank/payment information)
  • Location (tracking)
  • Personal information of minors under 14

6. Limited purpose, access, retention time

  • Handling of personal data must be done for a limited purpose.
  • A user cannot be denied service for refusing to provide information which is not necessary to perform the service being offered.
  • Access must be limited to those with a need to handle the information, and access only given to the information they need to perform their task.
  • Remote access from outside China to data stored in China also needs to be restricted, because it may be treated as a transfer of the data out of the country without the required consent.
  • Retention time must be the minimum necessary.
  • A company must set up internal management procedures to comply with these and other PIPL requirements, as well as implement security measures to secure the information (such as encryption).

Practical Compliance Steps

Okay, now what should you actually do? To put your best compliance foot forward, I'd recommend the following:

(1) Review and revise your current privacy policy with external users, and your employment contract, handbook and other employment-related policies.

  • Transparency is the key principle that should be reflected across your policies.
  • Even before the PIPL, this was the trend we saw with specific data privacy regulations, for example those for mobile phone applications, which require clear and detailed explanations at every step of how data is to be used.

(2) Incorporate specific, separate consents upon customer intake, done via separate pop-up windows or one interface with multiple check-the-box buttons.

  • The latter option can be a more user-friendly way to still obtain multiple separate consents on use, transfer to a third party, or export, for example.
  • Also remember that not all transfers to third parties may require consent, for example where the transfer is to an outsourced "entrusted party" processing the information on behalf of your company (as opposed to for themselves) and there is a data processing agreement in place with them.
  • In these cases, you may not need to list them for purposes of obtaining a separate consent from the user.

(3) Incorporate similar specific, separate consents for employee onboarding, either online via check-the-box buttons or offline via one-page stand-alone consent forms.

  • Also mirror the same language in your employee handbook or other employee policy directly, as an argument that processing the information is necessary and covered under employee work rules no matter what (for which consent is not required in the first place, so it cannot be withdrawn!).
  • Amending the employee handbook will require consultation with and de facto approval by employees, so it is best to do it in tandem with other changes you have been meaning to make anyway.

(4) Develop an?internal management system?with internal controls.

  • Individual information that is easy to locate and remove for withdrawn consents, copies, or corrections.
  • A system that is robust enough to keep working when a record is removed or when a user rejects an automated decision (for example, a manual review path).
  • Data access limited on a need-to-know basis, with fields separated or masked in the database from people without access privileges (e.g. someone providing routine technical support should not see full payment/billing information).
  • Retention policies that keep data only as long as necessary to perform the service.
  • A system to secure data (using encryption, de-identification, etc.) and to respond to data breaches.
  • Adequate training of staff to properly identify and inventory different types of data on the front end and to be able to respond to data breaches.
  • And a central hub to implement all of this. Remember many policies are written by lawyers but break down when they get to IT implementation and business operations.
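Steps (2) and (4) above describe mechanics rather than legal text: one separate consent per purpose that can be withdrawn later, a lawful basis other than consent (contract necessity, statutory obligation), need-to-know field masking, copies and corrections for the individual, and minimum retention. The Python sketch below is an added example, not code from the original article or from R&P, showing one way those controls fit together in a small personal-information store. The purpose names, the role-to-field map, the 30-day retention period and the sample record are assumptions for illustration only, not requirements taken from the PIPL, and which real-world processing falls under which basis remains a legal call that this code does not make.

```python
"""Added example: per-purpose consent, need-to-know masking and retention for a
small personal-information store. Purposes, roles, retention and sample data
are assumptions for illustration, not text from the PIPL."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set

# Each purpose is a separate consent (use, third-party share, export, ...).
PURPOSES: Set[str] = {"service", "third_party_share", "overseas_transfer", "marketing"}
# Bases on which handling may proceed without consent (contract necessity,
# statutory obligation); deciding which processing has such a basis is a legal call.
NON_CONSENT_BASES: Set[str] = {"contract", "statutory"}
# Assumed need-to-know map: fields a role may read in clear; all others are masked.
ROLE_CLEAR_FIELDS: Dict[str, Set[str]] = {
    "billing": {"name", "email", "bank_account"},
    "support": {"name", "email"},
}
T0 = datetime(2021, 11, 1, tzinfo=timezone.utc)  # constructed reference time
DAY = timedelta(days=1)


def mask(value: str) -> str:
    """Hide all but the last four characters (enough to confirm a match)."""
    if len(value) <= 4:
        return "*" * len(value)
    return "*" * (len(value) - 4) + value[-4:]


@dataclass
class Record:
    subject_id: str
    fields: Dict[str, str]
    consents: Set[str]
    created: datetime
    corrected: List[str] = field(default_factory=list)  # names of corrected fields


class PIStore:
    def __init__(self, retention_days: int) -> None:
        self.retention = retention_days * DAY
        self.records: Dict[str, Record] = {}

    def ingest(self, sid: str, fields: Dict[str, str], consents: Set[str], now: datetime) -> None:
        unknown = set(consents) - PURPOSES
        if unknown:
            raise ValueError(f"unknown purposes: {sorted(unknown)}")
        self.records[sid] = Record(sid, dict(fields), set(consents), now)

    def grant(self, sid: str, purpose: str) -> None:
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose: {purpose}")
        self.records[sid].consents.add(purpose)

    def withdraw(self, sid: str, purpose: str) -> None:
        """Withdrawal stops further handling for that purpose only."""
        self.records[sid].consents.discard(purpose)

    def may_process(self, sid: str, purpose: str, basis: str = "consent") -> bool:
        rec = self.records.get(sid)
        if rec is None:
            return False
        if basis in NON_CONSENT_BASES:
            return True  # e.g. necessary to perform the contract: no consent needed
        return purpose in rec.consents

    def read(self, sid: str, role: str) -> Optional[Dict[str, str]]:
        """Role-scoped view: an unknown role sees every field masked."""
        rec = self.records.get(sid)
        if rec is None:
            return None
        clear = ROLE_CLEAR_FIELDS.get(role, set())
        return {k: (v if k in clear else mask(v)) for k, v in rec.fields.items()}

    def export_copy(self, sid: str) -> Dict[str, str]:
        """The individual gets an unmasked copy of their own record."""
        return dict(self.records[sid].fields)

    def correct(self, sid: str, name: str, value: str) -> None:
        rec = self.records[sid]
        if name not in rec.fields:
            raise KeyError(name)
        rec.fields[name] = value
        rec.corrected.append(name)

    def purge_expired(self, now: datetime) -> List[str]:
        """Delete records older than the retention period; return their ids."""
        expired = [sid for sid, r in self.records.items() if now - r.created >= self.retention]
        for sid in expired:
            del self.records[sid]
        return expired


if __name__ == "__main__":
    store = PIStore(retention_days=30)
    store.ingest("u1", {"name": "Example User", "email": "u1@example.com",
                        "bank_account": "6222020012345678"}, {"service"}, T0)
    print(store.read("u1", "support"))  # bank_account shown masked
    print(store.may_process("u1", "overseas_transfer"))  # False: no separate consent
    print(store.purge_expired(T0 + 30 * DAY))  # ['u1']
```

The point of the separate `consents` set is that "service" consent never implies third-party sharing or export, and withdrawing one purpose leaves the others intact, which is the check-the-box model from step (2) expressed as data. Masking happens at read time by role rather than by trusting each caller, and retention is enforced by a purge that a scheduler would run, so that "minimum necessary" is a property of the store rather than a line in a policy.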

(5) Contracts incorporating the necessary PIPL terms with data transferees (including internally with affiliates).

  • Model or "standard" terms from the CAC will be available to guide companies here.

Bear in mind again that, as with all major pieces of legislation in China, a lot of the specific details of how to fully comply are yet to come in the form of implementing rules. We're just in the first couple of innings of the ballgame here. I'll continue to update folks via this newsletter on developments as they roll out. And finally, remember to take a deep breath: the new laws are not as bad as you think.

In the meantime, thanks again for making it through another edition of my China Tech Law Newsletter, please subscribe if you haven't already, and see you back here again in another 14 days!

Great piece, Art Dicker, for Western execs who want to understand China's new data regulations - clear and easy to understand.

Ray Chan

Head of AI GTM, North Asia

3 years ago

You are Big Artist of China Law!

Edward Huntingford

Chartered Accountant advising Australia's leading private businesses

3 years ago

Very comprehensive, Art Dicker. The Practical Compliance Steps are particularly helpful.