Navigating China’s PIPL Law

The Personal Information Protection Law (PIPL) is a groundbreaking piece of legislation introduced by China in November 2021. This legislation follows the global trend of increased focus on data protection and privacy, with PIPL being compared to the European Union’s General Data Protection Regulation (GDPR). As businesses operating in Hong Kong and China grapple with the implications of this law, it is crucial to understand its key aspects, how it affects data storage and management, and the potential consequences for non-compliance.

Key Aspects of the PIPL

The PIPL sets out various principles that govern the processing of personal information in China, including:

1. Consent: Personal information must be collected with the consent of the individual, and businesses must provide clear notice about the purpose, scope, and method of data collection.
2. Legitimate Purpose: Data must only be processed for a legitimate purpose, and the processing must be necessary and proportional to the purpose.
3. Data Minimisation: Data processing must be limited to the minimum extent necessary to achieve the stated purpose.
4. Security Measures: Businesses must implement necessary security measures to protect personal information from unauthorised access, disclosure, or damage.
5. Cross-border Transfers: Personal information can only be transferred outside of China under specific circumstances, such as obtaining the individual’s consent and ensuring the receiving country has adequate data protection measures.

Implications for Data Storage and IT Management

1. Data Localisation: The PIPL encourages businesses to store personal information within China’s borders. While there is no absolute requirement for localisation, storing data in China may facilitate compliance with the law, given the strict cross-border data transfer requirements.
2. Data Processing Agreements: Businesses must ensure that data processing agreements with third parties are compliant with the PIPL. These agreements must set out the purpose, scope, and method of data processing, as well as the rights and obligations of both parties.
3. Privacy by Design: Companies should integrate privacy considerations into their product and service design processes. This includes implementing robust security measures, limiting data collection, and providing clear notices to users about how their personal information is being used.
4. Data Protection Officer: Businesses should consider appointing a data protection officer responsible for overseeing compliance with the PIPL. This officer would manage data protection initiatives and act as the primary point of contact for regulatory authorities.
5. Incident Response Plans: Companies must establish incident response plans to address potential data breaches or security incidents. These plans should include procedures for identifying, assessing, and mitigating risks, as well as notifying affected individuals and relevant authorities.

Cloud Storage and Data Localisation

As businesses increasingly rely on cloud storage for data management, ensuring compliance with the PIPL becomes even more critical. To guarantee that cloud storage is located within China, companies should take the following steps:

1. Choose a reputable cloud service provider (CSP) with data centres in China: When selecting a CSP, businesses must verify that the provider has data centres physically located within China. This can typically be confirmed through the provider’s website or by contacting their support team.
2. Specify data storage location in contracts: When entering into a contract with a CSP, businesses should explicitly state that personal information must be stored within China’s borders. This requirement should be clearly outlined in the service agreement to ensure compliance with the PIPL.
3. Regular audits and monitoring: Companies should conduct regular audits of their CSP to verify that the data is indeed being stored within China. This may include reviewing data logs, conducting site visits, or working with independent auditors.
4. Data transfer restrictions: Businesses should implement technical measures to restrict the transfer of personal information to data centres located outside of China. This can be achieved through configuring access controls, implementing data encryption, and closely monitoring data flows.
5. Backup and redundancy strategy: To ensure data security and business continuity, companies should establish backup and redundancy strategies within China’s borders. This may involve using multiple data centres within the country or partnering with different CSPs that have a local presence.

Key Definitions

• “Personal information” and “processing of personal information” are defined similarly under both the PIPL and the GDPR.
• Sensitive personal information, as defined by the PIPL, includes biometric identification information, religious beliefs, specially-designated status, medical health information, financial accounts, information on individuals’ whereabouts, and personal information of minors under the age of 14 (Article 28).
• Anonymised information is not deemed as personal information under the PIPL, and “anonymisation” refers to the process by which personal information cannot be used to identify specific natural persons and the personal information cannot be restored after processing (Articles 4 & 73).

Territorial Scope:

• Similar to the GDPR, the PIPL extends its territorial scope to the processing of personal information conducted outside of China under specific circumstances (Article 3).
• The PIPL requires offshore “personal information processing entities” subject to the PIPL to establish a “dedicated office” or appoint a “designated representative” in China for personal information protection purposes (Article 53).

Cross-border Transfer of Personal Information:

• The PIPL shares several elements with the GDPR regarding cross-border transfer of personal information, but also includes additional requirements for operators of Critical Information Infrastructure or those processing a large amount of personal information (Article 40).
• In general, a processing entity that plans to transfer personal information outside of China must provide individuals with specific information about the transfers, obtain separate consent (Article 39), adopt necessary measures to ensure the same level of protection as required under the PIPL (Article 38), and carry out a personal information protection impact assessment (Article 55).

Conclusion

The PIPL has significant implications for businesses operating in Hong Kong and China, particularly in relation to data storage and IT management. Companies must familiarise themselves with the key aspects of the law and take proactive steps to ensure compliance. By doing so, they can mitigate potential risks and avoid the costly penalties associated with non-compliance, which can include fines of up to 50 million RMB or 5% of the company’s annual revenue. Additionally, adhering to the PIPL demonstrates a commitment to user privacy, which can enhance customer trust and brand reputation.

Ensuring data localisation when using cloud storage is a critical component of compliance with the PIPL. By choosing reputable CSPs with data centres in China, specifying data storage location in contracts, regularly auditing CSPs, implementing data transfer restrictions, and establishing a backup and redundancy strategy within China’s borders, businesses can successfully navigate the challenges posed by the PIPL and safeguard their operations.

(Please remember that the information provided in this article is not legal advice and should not be taken as such. We strongly recommend consulting with a qualified legal professional for specific guidance on this matter.)