Implications of the Personal Information Protection Law for U.S. Businesses

Image Credits: @flyd2069 on Unsplash (Unsplash License)



On August 20, 2021, the National People’s Congress of the People’s Republic of China passed the Personal Information Protection Law of the People’s Republic of China (PIPL). The PIPL is the first national privacy statute passed in the country and took effect on November 1. The statute comprises eight chapters and seventy-four articles. In general, privacy and data protection laws are concerned with protecting an individual’s personal information from major organizations such as corporations and governments. This type of legislation is becoming especially relevant in today’s technologically advanced and data-driven society. Conditions for the lawful processing of information under the PIPL include: consent from the individual; concluding a legal contract to which the individual is a party; performing legal duties or obligations; responding to a health emergency; news reporting, if it benefits the general public; processing information that has already been made public by the individual or through other lawful methods; and other scenarios highlighted in the regulation. It is interesting to note that consent from the individual is not required if any of the other conditions are met. The PIPL was passed as part of the Chinese government’s efforts to impose stricter regulations on its tech companies when it comes to personal data privacy and security. However, according to Karman Lucero, a fellow at the Yale Law School Paul Tsai China Center, nothing about the statute suggests, “anything resembling legal limits on government surveillance”.

For any foreign company, there are additional requirements that must be met before data can be transferred across the Chinese border. First, the transferred information can only be used for business purposes. Second, there must be a legal basis for the transfer and consent from the data subject. For the legal basis of these data transfers, several processes must be approved by the Cyberspace Administration of China (CAC). In addition, the individual must give separate consent to the data transfer and must be informed of who the cross-border recipient is, the purpose and method of the transfer, the type of information being transferred, and how their information will be protected outside of China in compliance with the PIPL. Even if all of these conditions are met, the Chinese authorities may still prevent a cross-border data transfer if they believe it is not appropriate.

The PIPL is being compared to the European Union’s General Data Protection Regulation (GDPR). The GDPR, which took effect in 2018, is considered to be one of the world’s strictest regulations involving personal data protection and privacy. Since the two regulations are similar in regard to their restrictions on corporations, Alexa Lee, senior manager of policy at the Information Technology Industry Council, states that companies that are already in compliance with the GDPR “are going to be fine complying with the Chinese privacy law”. This should be a relief to many companies, because Fortune 500 companies alone spent a total of about $7.8 billion, an average of $16 million per company, on GDPR compliance when that law was first enacted. However, companies that are not compliant with the GDPR should expect their costs to increase with the introduction of the PIPL in order to avoid fines as high as ¥50 million (approximately $7.7 million) or 5% of their annual revenue. Due to the high penalties and strict regulations, the International Association of Privacy Professionals (IAPP) VP and Chief Knowledge Officer, Omer Tene, stated that “[i]f you’re doing business in China, get legal advice. They’re not playing around”.

Essentially, any organization that sells products or services to citizens in China will have to comply with the PIPL. In 2020, China was the third largest importer of U.S. goods; the U.S. exported $164.9 billion to China that year. This means that a large portion of American businesses will be significantly impacted by the PIPL. The statute specifically states that any company outside of China that processes the personal information of Chinese citizens will have to comply with the law if the information is processed for: supplying these individuals with products or services, analyzing these individuals’ behaviors, or other scenarios specified in the PIPL. Companies that fall into these categories will be required to designate an institution or representative within China’s borders to manage affairs related to the PIPL. Such companies will also be required to provide the Chinese government with contact information for that institution or representative. With this condition in the PIPL, all such companies will have to establish a physical presence in China regardless of whether they were already compliant with the GDPR.

Similar to the GDPR, under the PIPL, if a company falls victim to a cyber-attack or data breach and fails to protect its customers’ information, the customer has the right to take action against the company for compensation. In general, the customer also has the right to know about, prohibit, delete, correct, and copy the information that the company is processing about them. They may also ask the organization to explain how their information is being processed.

In addition to complying with the requests customers make under their individual rights, companies must implement appropriate technical measures to ensure that the information being processed is secure, determine the limits for handling personal information so that their methods are in compliance with the regulation, create response plans in case of a breach, and meet the other standards set out in the PIPL. If a complaint is submitted against the company, the Chinese government is permitted to conduct audits to investigate the issue, and the company must comply.

The PIPL is a major data privacy and protection regulation that will affect businesses around the world. Any company that has a market in China must comply with its requirements. Doing so may cost many companies several hundred thousand or even millions of dollars; otherwise, they may face fines that cost even more. Although there has not been much time to see the effects of the PIPL, its strict standards make it apparent that many companies will have to put in an effort to ensure that they do not violate any aspect of the statute. The implementation of the PIPL and the GDPR may be the start of a major movement for countries to begin passing their own privacy and data protection laws. This should not surprise anyone given the exponentially increasing number of cyberattacks every day. Companies should be prepared to comply with many more data regulations and to invest in resources to prevent breaches and attacks.