The Flanders-China Chamber of Commerce (FCCC) – with the support of Flanders Investment & Trade – organized a legal webinar focused on the new PRC Personal Information Protection Law (PIPL) on October 6, 2021. Mr. Carl Li, Senior Partner at AllBright Law Offices, discussed the impact of the new law on businesses operating in and with China.
Ms Gwenn Sonck, Executive Director, Flanders-China Chamber of Commerce, welcomed the participants to the webinar. The PIPL will become effective on November 1, 2021. It is the most important law in China regarding the protection of personal information and will impact almost every company in China. Mr Carl Li, Senior Partner at AllBright Law Offices, will discuss the impact of the new law on businesses operating in and with China. Every company will need to put in place compliance measures, either before or within a very limited time frame after the Personal Information Protection Law comes into force, in order to ensure that they are not at risk of non-compliance. AllBright Law Offices is an important structural partner of the Flanders-China Chamber of Commerce. Mr Carl Li belongs to the top 15 China M&A lawyers for 2020 and to the Asia League of Business, and he is also a recommended M&A lawyer in the Asia-Pacific 2020 Legal 500 rankings. Mr Li has 20 years' intensive experience in providing legal services to foreign investors in China. His clients include Fortune 500 transnational corporations and European SMEs. He is also advising several FCCC member companies. Mr Li graduated from Renmin University Law School – the number one law school in China – and is also a graduate of the EMBA program at the China Europe International Business School, which is also the number one business school in China. He was a visiting scholar at the University of Maryland in the U.S. and also trained at Harvard Law School. Mr Li became a structural partner of the FCCC last year and we hope to welcome him in Belgium next year or the year after.
Mr Carl Li, Senior Partner at AllBright Law Offices, said the Personal Information Protection Law is very important: many foreign clients pay a lot of attention to this law and want more details and to know how to comply with it, as it will impact their operations in China. In China the first legislation on data compliance dates from 2012, with the Data Security Law and Cybersecurity Law. But before that, most laws and regulations targeted internet companies and big companies. The PIPL, however, is different from other laws. There are also some privacy protections in the Chinese Civil Law. Every company deals with personal information, so almost every company in China will be involved. The law also reaches outside China: like the GDPR, the PIPL provides for long-arm jurisdiction. European companies doing business in China deal with suppliers and customers in China, who might provide personal data that you process, so you are still under the jurisdiction of this law and need to comply with it.
There is still less than one month before the law becomes effective, but there is a transition period to take the necessary measures. We recommend that our clients do an assessment because companies' headquarters will have already taken measures to comply with the GDPR, which is similar to the PIPL. However, there are also some different points which are more stringent compared to the GDPR and punishments are much more serious, up to 5% of annual turnover.
1. Important matters to ensure the compliance of personal information protection: Make an assessment and review all your policies, not only HR policies, to determine what you need to do and the scope of compliance. Sometimes you need a third-party professional institution to make a security assessment and file a special report to the authorities. If you encounter hacking or illegal disclosures, you can be exempted from liability provided you have taken all the measures required by law.
2. Legislative background of the Personal Information Protection Law: PIPL is the first law in China that specially regulates the protection of personal information. Together with the Cybersecurity Law and the Data Security Law, it constitutes the framework of the Chinese data compliance system. But the PIPL involves most companies, even if you are just a manufacturing company in the B2B business, you still need to take some measures to comply with this law. Some implementing rules for the PIPL are still expected before or shortly after November 1.
3. Definitions in the Personal Information Protection Law: Personal information includes all kinds of information related to identified or identifiable natural persons, excluding information processed anonymously. If the information can be re-identified, it still falls under the law. If you are not a processor of personal information under the law you don't need to comply with many of the provisions. But if you deal with sensitive personal information (SPI), such as biometric identification or religious beliefs, you need to comply with additional obligations.
4. Basic principles of the PIPL: They are quite similar to the GDPR, such as the principles of lawfulness, necessity and good faith. You should not collect unnecessary or irrelevant information, such as information on the parents or children of employees, unless it is for the benefit of the employees. We need to comply with the principle of openness and transparency. Information should be accurate to avoid adverse impact on the employees. The company should take security measures to protect this information and to ensure that it will not be illegally disclosed.
5. Main rules of the PIPL: The most important rule for the processing of information is that you need the consent of the individual involved, not only from your employees but also from suppliers and customers. In some cases you need additional consent for special events. Consent should be given by an individual in a voluntary and explicit manner under the condition of full knowledge. The individual is also entitled to withdraw consent. The processor of the information has the obligation to inform the individuals of the title or name and contact information of the personal information processor, the purpose and method of the processing, and the retention period. They also need to be informed of the method and procedure to exercise their rights to protect their personal information. The concepts of joint and entrusted processing are similar to the GDPR. But according to the PIPL the joint processors bear joint and several liability, which means that if either of the processors violates the law the others would also be liable, which is more serious compared to the GDPR. There are also detailed rules on transferring and providing personal information. If you want to disclose the information to the public, you should get a separate consent.
6. Processing sensitive personal information: For this there are some special obligations and rules. It is only allowed for a specific purpose and in case of sufficient necessity, and strict protection measures need to be taken. A special policy is required for collecting the personal information of juveniles under the age of 14.
7. Personal information processing in special scenarios and cross-border transfer: International companies might need to transfer personal information to their headquarters, for example when Didi acquired Uber's Chinese business and when Didi went public in the U.S. Didi also used the process of “automatic decision making”, which is not allowed under the PIPL. The company should ensure the transparency and fairness of decision making. Unreasonable discrimination is also not allowed. Cameras installed in public areas are only allowed for public security purposes. Many companies use image capture to supervise workers, which is generally not allowed and requires employees' separate consent. Cross-border provision of personal information to databases abroad will be covered by draft implementing rules. A special procedure is required if you process mega data.
8. Rights of individuals and obligations of processors: Companies' employees, visitors, suppliers and customers have the right to know and to make decisions about whether their information is collected, including the rights to copy, transfer, correct and delete information. Processors should establish a convenient mechanism for accepting and handling applications from individuals to exercise their rights. They should not intentionally make the procedure too complicated. Processors should have a person in charge of personal information protection. The threshold for the quantity of personal information – half a million or a million sets – will be further specified. If you are not an internet company you will not need to comply with the obligations of an “important processor”.
9. Punishment measures: Penalties include being ordered to make corrections, receiving a government warning or having illegal gains confiscated. The government could impose an administrative penalty of up to CNY 50 million or not more than 5% of turnover of the previous year, compared to 2% or 4% in the GDPR. This applies only to major violations, but we should be careful. For some industries such as automotive there are also special requirements, whereby suppliers might be in breach of contract if they do not comply with the PIPL. The liability for breaching the contract could be more serious than administrative punishments. A comprehensive review should be made, including your suppliers and customers.
Q&A: What is the transition period? Mr Carl Li: There is no legal transition period, but there will be some time for companies to take the necessary measures after the law comes into force on November 1. The period will be no longer than six months.