Status quo of data regulation in China – What you should do now


published on 18 November 2021 | reading time approx. 4 minutes
 

Since China's new data laws, namely the Data Security Law (DSL) and the Personal Information Protection Law (PIPL), came into effect on 1 September and 1 November 2021 respectively, there has been widespread uncertainty about the actual implications these new rules will have on the business activities of companies operating in or with China.


 
The PIPL in particular, with its objective of laying a comprehensive legal foundation for personal information processing, raises multiple practical questions among affected companies.
 

Therefore, we would like to give a short overview of what we consider the most urgent issues and present practical measures to be adopted in the coming weeks and months.

 

 

Data security

First of all, we consider it crucial to emphasize that the provisions of the DSL apply, without exception, to all companies in China that collect, store, process, transfer, etc. data within the borders of the People's Republic of China (PRC). Since data is legally defined as any record of information in electronic or other form, and since such data is not limited to personal information, it is imperative to understand that compliance risks exist regardless of whether the data relates to individual persons or not. The DSL and the PIPL, although similar in some areas, pursue different regulatory purposes, which is why equal attention should be paid to both of them when conducting data compliance checks.
 

Secondly, companies with data processing activities outside the territory of the PRC should pay particular attention to regulatory as well as national and international political developments in general. The DSL, just like the overarching PRC Cybersecurity Law, is primarily geared towards safeguarding China's national security and public interests, so data processing activities taking place overseas should always be included in any data compliance check to rule out potential conflicts with China's fundamental interests.
 

As the currently most pressing measures to be taken in the field of data security, we recommend the following:

  • Obtain a comprehensive overview of the current state of data processing within your company (What kinds of data are stored, processed, transferred abroad? What is the total volume of processed data?). This should also include looking at the integration of your IT systems into the company group network, both inside and outside of China.
  • Determine if and what kind of data security mechanisms are currently in place (organizational, technical, contractual) to prevent data from being lost, stolen, altered, damaged, etc., and improve them if necessary.
  • Establish a system for data classification.
  • Formulate a data emergency response plan to be implemented in case of data loss, theft, damage, etc.
  • Determine if the competent regulatory authority for your industry has already released a catalog of so-called 'important data'. If this is the case and you process such important data, regular data risk assessments must be conducted and corresponding reports must be submitted to the competent authority. In addition, processors of important data must assign special internal responsibilities for data security, the details of which, however, are not specified in the DSL.
  • Assess if your company can be qualified as a 'critical information infrastructure operator'.
  • Organize regular trainings, workshops, etc. on data security for your entire staff.
     

Personal information protection

Processing of data belonging to an identified or identifiable person creates significant additional legal challenges for companies. However, measures to implement personal information protection should not be taken in isolation, but rather included as part of a comprehensive data processing compliance check. Personal information is, after all, a special category of data as defined in the DSL, and a joint data processing analysis and implementation strategy can save considerable costs and time.
 

The measures recommended above for data security can, to a large extent, be applied to processing of personal information as well. In addition, we recommend the following:

  • Determine whether you are processing personal information outside of China that might fall under the scope of the PIPL.
  • Examine transfers of personal information to third parties (including affiliated companies) and the corresponding legal requirements.
  • Determine if individual persons must give consent to your processing of their personal information, or if the processing can be justified on other legal grounds listed in the PIPL.
  • Assess if and to what extent the individuals concerned must be informed about the processing of their personal information (general rule), or if exemptions may apply.
  • In case you are using a general data privacy policy, make sure this policy has been published and is easily accessible to the individuals concerned.
  • Formulate internal rules for the processing of personal information, including the assignment of responsibilities and the establishment of an emergency response plan.
  • Assess if you are obliged to conduct a personal information protection impact assessment for certain processing scenarios (e.g., sensitive personal information, cross-border transfer). According to the PIPL, the impact assessment report must be retained for at least three years.
  • If the volume of personal information you process reaches a certain threshold (yet to be determined by the Cyberspace Administration of China), a personal information protection officer must be designated.
  • Review and (if necessary) amend all legally binding documents (contracts, company rules and regulations, etc.) to bring them in line with the PIPL.

Outlook

The numerous requirements set up by China's new data laws appear daunting at first glance. We would like to seize the opportunity to add some perspective to the overall picture: in our view, the Chinese authorities will most likely not launch a massive, indiscriminate enforcement campaign against companies operating in China overnight. Our assumption in this regard is based on three main aspects:

  • Firstly, China has spent quite some time (even years) drafting these new laws, which is why the authorities are likely to grant companies some time as well to adjust their operations to the new legal framework.
  • Secondly, a considerable number of provisions still need to be specified by means of implementing rules in order to be workable in practice.
  • Lastly, the PIPL contains provisions that take into account the special situation of "small personal information processors" on one side of the spectrum and of "big players" such as internet platform operators on the other. This shows the Chinese legislator's willingness to treat companies differently according to their respective size and capacities.

Regardless of a company's size, the industry it operates in or other criteria, each entity with business operations linked to China is well advised to keep track of and closely monitor relevant developments in the rapidly evolving fields of data security, personal information protection, and cybersecurity in general. This way, relevant developments (such as the Draft Measures on Security Review for Cross-Border Data Transfer released for public comment on 29 October 2021) can be detected and appropriate steps taken at an early stage. Finally, a timely assessment of the possible implications of data protection rules in the jurisdiction of a company's headquarters (in particular Germany and the EU) is indispensable. Even if provisions and concepts in the EU's GDPR and China's PIPL are sometimes similar, if not identical, there remain enough differences in important areas that need to be known and reasonably balanced.
