In October 2021, Yahoo Inc. announced that it was pulling out of China. This is the second well-known U.S. technology firm to downsize China operations in less than a month, following the closure of Microsoft’s LinkedIn social networking site.
LinkedIn said it had decided to shut down its operations in China after “facing a significantly more challenging operating environment and greater compliance requirements.”
Both Yahoo and LinkedIn’s departure from China coincide with China’s updated Personal Information Protection Law, which went into effect on November 1, 2021.
In this post, we’ll break down the PIPL, its data processing, and consent requirements, see how it stacks up to the GDPR, and discuss how your foreign company can ensure compliance.
What is the Personal Information Protection Law?
The Personal Information Protection Law also known as the PIPL is China’s first comprehensive data protection law.
The PIPL helps form the framework that gives China’s government a broad enforcement capability—resulting in a more regulated environment for international businesses operating in China.
Its framework is similar in size and scope to the European Union’s General Data Protection Regulation (GDPR). Both laws require:
- A lawful purpose for data collection and processing,
- require consumer consent to process data, and
- give consumers the right to access or delete their information.
However, a significant difference from the GDPR will impact how international companies handle cross-border data.
Personal information is all kinds of information and data recorded by electronic or other means and related to identified or identifiable individuals.
Personal information handling (or processing) includes personal information collection, storage, use, processing, transmission, provision, disclosure, deletion, etc.
Personal information handler refers to organizations and individuals that, in personal information handling activities, autonomously decide handling purposes and handling methods.
What is the Purpose of the Personal Information Protection Law?
Article 1 of the law states that the purpose of the PIPL is to:
- Protect personal information rights and interests,
- standardize personal information handling activities,
- promote the rational use of personal information.
The purpose of the law as described in Article 2 is to provide legal protection to Chinese citizens’ personal information, stating that “No organization or individual may infringe on citizens personal information, rights and interests”.
Who does the PIPL apply to?
Article 3 outlines that the law applies to any organization or business that is “handling the personal information of individuals within the borders of the People’s Republic of China”.
What Consent is Required to Collect and Process Personal Information in China?
The consent required by the PIPL is very similar to the GDPR. Chapter 2 of the law stipulates that user consent is only considered valid if it is knowingly and explicitly granted. This means that your organization must provide individuals with the full extent of personal information processing methods and intended use in clear and straightforward terms.
Users also have the right to withdraw their consent at any time, and your organization must provide an easy option to do so.
For practical purposes, that means consent banners and opt-outs set up for GDPR compliance will likely fulfill the requirement under the PIPL.
Consent will also be required to conduct marketing to individuals through personal information processing. The PIPL also stipulates that businesses must offer consumers options that do not target personal data, or provide a way to decline the processing of their data.
If the processing method or intended use changes at any time, your organization must re-obtain permission from the individual to process the data.
What Requirements and Constraints Exist for Data Processing in China?
Once an organization has proven the legal basis for personal processing information, the PIPL sets forth a series of requirements and constraints to regulate the processing, including special rules for international organizations operating within China.
These rules include:
Organizations based in China must set up a specialized agency or appoint a representative for data compliance.
Cross-border data transfers must be submitted for approval by the Cyberspace Administration of China
Foreign companies operating in China must appoint a local representative who will bear responsibility for PIPL compliance.
Data processing contracts are required between controllers and processors.
Organizations must conduct risk assessments before processing sensitive data, transferring data abroad, or using sensitive data for automated decision-making.
Data handlers must localize data within mainland China.
PIPL’s Impact on International Organizations Operating in China
China’s approach to how your international organization must handle cross-border data transfer is more restrictive than under the GDPR
Article 40 states that your organization “shall store personal information collected and produced within the borders of China domestically”.
If your organization truly needs to provide personal information outside of China, article 38 outlines the procedure required to export data, which includes one of the following:
- Passing a security assessment organized by the State cybersecurity and informatization department according to Article 40 of this Law;
- Undergoing personal information protection certification conducted by a specialized body according to provisions by the State cybersecurity and informatization department;
- Concluding a contract with the foreign receiving side in accordance with a standard contract formulated by the State cyberspace and informatization department, agreeing upon the rights and responsibilities of both sides;
- Other conditions provided in laws or administrative regulations or by the State cybersecurity and informatization department.
Chapter 7 describes the legal liability and penalties organizations out of compliance.
A breach of this new law can significantly impact an international company’s ability to do business in China.
Imagine that your foreign company is evaluating the opportunity to expand into China. Suppose your website is accessing personal data in China and breaches any PIPL requirements. In that case, your company could be “blacklisted”, which would prevent it from entering the Chinese market. Thus, the PIPL compels any foreign company that accesses personal data in China to implement the necessary protective measures to ensure compliance.
Companies already operating in China face a different risk. A breach would put a company at risk of losing its business license and significant financial penalties of up to 50 million RMB or 5% of its yearly turnover.
How Can International Organizations Stay Compliant?
How Tesla is Staying Compliant with the PIPL
International organizations like the electric car behemoth Tesla have established their own data center to stay compliant with the law.
Tesla’s data generated within mainland China is localized on these servers. This move by Tesla avoids cross-border transfer of data and security assessments by Chinese cyber security officials.
How Can Your Company Stay Compliant?
If it isn’t feasible to build your own data centers like Tesla, and your company plans to operate in China unlike Yahoo and LinkedIn, it’s okay. You have a couple of options to stay compliant:
Option 1: Utilize Chinese Native Cloud Providers
Hire an Agency or utilize in-house technical resources to store all of your organization’s sensitive data on native cloud providers like AliYun, Tencent Cloud or AWS China. This option may be feasible for some organizations with the funds and resources to manage and maintain the required infrastructures.
Option 2: Utilize a Modern and Agile Approach with 21YunBox
If your company cares about speed, ease, and cost, you can adopt a modern and agile approach.
21YunBox’s Heroku-like solutions provide your technical team with a simple yet powerful solution to store all personal and sensitive data collected in mainland China on secure Chinese servers.
In addition, 21YunBox’s hosting platform benefits companies by eliminating the costs of an expensive agency or by freeing up your technical resources time for more important tasks by offloading all server operations and maintenance to 21YunBox’s platform. And most importantly, your company will keep its data secure and stay compliant.
In addition, 21YunBox Analytics provides your marketing department a fully compliant solution to fix Google Analytics and other 3rd-party analytics programs’ that don’t work in China. Since no tracking code is needed on your website, 21YunBox Analytics can help simplify your compliance.