China has fully embraced the digital age. Almost every interaction and transaction with a company or product is done through an APP or web portal. Commerce has also moved into the digital space with many users using the various forms of electronic payments instead of cash. All these interactions have given companies access to more data about their users than ever before. It has also given rise to more scammers, intrusive sales calls, and lax data security within companies.
To combat this the China government has begun to roll out new laws and policies in order to better protect user data. The result is the two new data laws below.
Data Security Law
Effective September 1st, 2021, it outlines China’s plan on how data of its users will be handled internationally, and locally, and what businesses will be responsible for. It also sets the legal framework for personal data and gives legal avenues to punish companies and individuals for non-compliance.
An unofficial English translation can be found on China Law Translate.
Personal Information Protection Law (PIPL)
Effective November 1st, 2021, the next phase of the China government’s plan was to create a user protection law that shares many similarities with the European Union’s General Data Protection Regulation. The result is the Personal Information Protection Law or PIPL. This law will be enforced by the Cyberspace Administration of China and local and state authorities and will be China’s first comprehensive law designed to protect users’ personal information and regulate how companies can process data.
An unofficial English translation can be found on China Briefing
How Will It Affect You Business
The Chinese government is very serious about the new privacy laws. Many companies have already been audited and companies that are in non-compliance have been fined or their websites or APPs have been temporarily suspended. If your company is in China, or if your company processes a lot of mainland China user data you need to conduct a China Data Security law and PIPL compliance audit of your website or APP.
China Data Security Law and Compliance Self Audit
Step 1: Do you have mainland China customers
NO: These new policies should not affect you.
YES: These new will policies will affect you immediately and you should continue your internal audit.
Step 2: Do you collect personal data?
NO: These new policies should not affect you.
YES: PIPL guidelines allow the collection and processing of personal data under the following provisions:
Article 13 (Aged 14 or Above)
- You have the consent of the person’s information you are collecting
- Necessary to give services related to a contract, or conduct human resource operations of a company
- If it is required by law
- It is needed for health emergencies, or to protect the life, health, and safety of a person.
- Used by news agencies for reporting purposes
Article 31 (Below the age of 14)
- Article 14 is considered a minor and personal information can only be processed with the consent of a parent or guardian.
You will also have to update your Privacy and Data collection policies on your APP or website and inform your users very clearly with simple language as specified in Article 14.
Article 14
- The name and contact method of the personal information processor.
- The purpose and method of processing personal information, and the type and retention period of processed personal information.
- Methods and procedures for individuals to exercise the rights provided under the PIPL.
*You must also be ready to update your policies as the government updates its own. This should happen with increased frequency as China builds more robust data laws.*
Step 3: Is this information stored outside of China?
NO: You must make sure that you keep all personal data stored in China, any breaches or large dumps of information sent abroad need governmental approval.
YES: Currently the PIPL doesn’t specify the threshold of overseas users’ data that will require companies to store the data in China. Companies that deal with high volumes of China users’ data, will have to move their web hosting or data storage solutions to China. Many countries, China included, are feeling less secure with companies that store mass amounts of user data outside of their country. To be perfectly safe, and avoid any business interruptions, it would be prudent to begin moving your China users’ data storage solution to China. You can read more about it in Article 40 below.
Article 40
- Critical information infrastructure operators and personal information processors whose processing of personal information reaches the number prescribed by the State cyberspace administration shall store the personal information collected and generated within the territory of the People’s Republic of China within the territory of China.
- If it is indeed necessary to provide such information and data to overseas parties, it shall be subject to the security assessment organized by the State cyberspace administration; if laws, administrative regulations, or the provisions of the State cyberspace administration provide that the security assessment is not required, such provisions shall prevail.
Step 4: Do third-party agents or partnerships have access to your customers’ information?
NO: As long as you inform your current users clearly of your data policies you should not be affected.
YES: You will need to contact all third parties that process your users data and update your cooperation agreements to fulfill the following duties specified in (Article 21).
Article 21
- Third-party processors will agree with you beforehand on the purpose, duration, and method of process and storage of all data they are shared.
- It is your company’s responsibility to ensure your third-party agents are using the information properly and safely.
- If your contract ends with a 3rd party processor, they must return all personal information or delete the personal information.
- Third-party processors can not share the information you shared with other third parties.
You need to make sure that they understand your stance on personal information, any breaches on their behalf could affect your operations.
Step 5: Do you have a data protection role at your company?
YES: It’s great that you have been proactive and your company values data privacy. This person will have a more important role in your company as they will have more work volume as more and more users exercise their rights.
NO: You will have to hire or assign a role in your company to manage how your company manages user data and make sure it complies with the law. This role will have to respond to many more user requests to:
- Restrict Usage (Article 44)
- Request Copies (Article 45)
- Request changes/updates (Article 46)
- Delete information after service termination or by request of the user (Article 47-50)
Article 44
- An individual has the right to know and make decisions on the processing of his/her personal information
- An individual has the right to restrict or refuse others to process his/her personal information unless otherwise provided for by laws and administrative regulations.
Article 45
- An individual is entitled to consult or copy his/her personal information from a personal information processor
- Where an individual request to consult or copy his/her personal information, the personal information processor shall provide such information in a timely manner.
Article 46
- Where an individual finds that his/her personal information is inaccurate or incomplete, he/she is entitled to request the personal information processor to make corrections or supplements.
- When an individual requests corrections or supplements to his/her personal information, the personal information processor shall make verification and make corrections or supplements to such information in a timely manner.
Article 47
- Under any of the following circumstances, a personal information processor shall delete personal information on its own initiative; if the personal information processor has not deleted it, the individual concerned shall have the right to request deletion:
- (I) where the purpose of processing has been achieved, unable to achieve, or is no longer necessary to achieve;
- (II) where the personal information processor stops providing products or services, or the agreed storage period has expired;
- (III) where the individual withdraws his/her consent;
- (IV) where the personal information processor processes personal information in violation of laws, administrative regulations, or the agreement; or
- (V) any other circumstance as prescribed by laws and administrative regulations.
Article 48
- An individual is entitled to request the personal information processor to explain the rules on the processing of personal information.
Article 49
- In the event of the death of a natural person, his/her near relatives may, for their own lawful and legitimate interests, exercise the rights of consulting, copying, correcting, and deleting the relevant personal information of the deceased as prescribed in this Chapter, unless the deceased had otherwise arranged before his/her death.
Article 50
- A personal information processor shall establish a convenient mechanism for accepting and processing applications for exercising personal rights by individuals. Where an individual’s request for exercising personal rights is rejected, the reasons shall be stated.
Step 6: Do you have a robust data management system?
YES: This will be very important moving forward, as more users begin to interact with your company about how their data is handled.
NO: You must do a massive update of your CMS and data management systems to be able to handle a high volume of data requests by users. Your data management system should be able to:
- Searchable to access certain users’ data quickly and efficiency
- Allow automation of certain operations (such as scheduled or end or term deleting)
- Provide comments to provide historical background on certain users
- Identity verification to verify that the user has the right to access the data
Your Website/APP Needs A Proactive Solution
These two new data protection laws will definitely give more users greater control over their data. It also shows that China is willing and able to use its legal apparatus to enforce these new laws. Currently, the laws are very new and many experts are still guessing as to how many of the provisions will affect companies. Data protection policies are expected to be updated on a regular basis.
For companies that want to do business in China, we suggest you be proactive. If you feel that you do not have answers to the questions above or you need someone to help you navigate these new laws, we strongly encourage you to reach out to a legal expert in China. They will let you know if you need to update your privacy policies, website, and APP designs, or migrate your web hosting to China.