Chinese privacy law places hurdles for foreign data collection

Meeting domestic and Chinese obligations could be onerous for companies

China passed its Personal Information Protection Law (PIPL) Aug. 20 | Photo: Nikada Eplus/Getty Images

Foreign businesses operating in China will be subject to the country’s new privacy laws even if information is collected outside that jurisdiction, an international law firm says.

China passed its Personal Information Protection Law (PIPL) Aug. 20. 

“The new law will reshape the handling of personal data in China, including the adoption of measures to deal with developing technologies around facial recognition, (artificial intelligence), and data analytics,” said Norton Rose Fulbright lawyers Anna Gamvros in Hong Kong and Lianying Wang in Beijing.

“It will require organizations to consider whether there are existing practices and procedures that need to be revisited,” they said in an Aug. 24 briefing note.

The briefing note said the PIPL is China’s first omnibus data protection law, due to take effect from Nov. 1 allowing companies just over two months to prepare.

“The PIPL is a game changer for any company with data or business in China. It will add another layer of complexity with respect to compliance with China’s security and data laws and regulations, “ the lawyers said.

But, regardless of a legal basis and if consent is given for a transfer of information stored in China to elsewhere, companies are strictly prohibited from providing personal information stored within China to foreign judicial or law enforcement institutions without the approval of Chinese authorities. 

“This will be a difficult issue to navigate for international companies with reporting obligations to regulators in their own jurisdictions,” the lawyers said.

And, fines for violations could be steep.

“Companies in violation of the PIPL may be subject to severe penalties, including a fine of up to 5% of the last year's turnover of the company, revocation of the company’s licence to do business in China and personal liabilities for company executives,” an analysis from Philadelphia law firm Morgan Lewis said.

Both the United States and Canada have had strained relationships with China for the past few years.

In light of such tensions, Morgan Lewis said, “The Chinese government’s heightened focus on national security risks related to the cross-border transfer of sensitive data, the new law is another regulatory tool that the Chinese government can use in addressing corporate behavior it deems at odds with national interests.”

The PIPL is currently at the high-level, conceptual stage with regulations and guidances expected in coming months.

The law covers personal information processing rules; rules for cross-border provision of personal information; individuals’ rights in personal information processing activities; obligations of personal information processors; departments performing personal Information protection functions; and legal liabilities as well as other provisions

The PIPL defines personal information as all information relating to identified or identifiable natural persons recorded by electronic or other form. It excludes anonymized information. 

The concept of processing of personal information in the law includes collection, storage, use, refining, transmission, provision, public disclosure and deletion of personal information.

Of importance to foreign companies operating in China is that PIPL will have extraterritorial effect.

As such, it will apply to the processing, within China, of personal information of natural persons and to processing outside China of personal information of natural persons who are in China, if such processing is for the purpose of providing products or services to natural persons in China, to analyze or evaluate the behavior of people in China, or other circumstances under the law and associated regulations.

As such, if a company outside of China conducts processing activities as described in the law, it would be required to establish “a special institution or designate a representative in China for handling personal information protection matters and report the name and contact details of such institution or representative to the Chinese authorities,” the lawyers said.

The law says cross-border transfers of personal information can only be done for legitimate purposes such as business needs. The organization transferring data would be obligated to ensure processing activities of the overseas recipient of the data meet Chinese protection standards.

“In addition, both a proper legal basis and consent by the data subjects will be required in order for such transfer to be lawful,” the lawyers said.

“Overseas companies caught by the exterritorial jurisdiction of the PIPL should establish a dedicated entity or appoint a representative in China to handle matters in relation to the protection of personal information they collect, and to file the information of the entity or the representative with competent government authorities,” Morgan Lewis said.

“Foreign organizations or individuals may be put on a ‘blacklist’ that would restrict or prohibit them from receiving personal information from China if they infringe the personal information rights and interests of Chinese citizens, or harm the national security or public interest of China,” Morgan Lewis said.

jhainsworth@glaciermedia.ca

twitter.com/jhainswo