The Personal Information Protection Law (PIPL), along with the Data Security Law and the Cybersecurity Law, will have a significant impact on business operations in China. Foreign companies should familiarize themselves with these new regulations, effective from November 1, 2021, to be compliant and update the functionalities of their existing IT systems.
Similar to the European Union’s General Data Protection Regulation (GDPR), the new law will affect the way companies do business in China with regard to security and privacy management.
Foreign firms operating in the country may face new challenges. To be compliant with the PIPL, companies must weigh many technical considerations, especially in IT infrastructure and in application and system design.
In general, the GDPR and the PIPL are broadly the same, though some minor differences remain.
Article 40 of the PIPL requires that personal data collected and generated by “critical information infrastructure (CII) operators and personal information processors who process personal information reaching an amount designated by the Cyberspace Administration of China” must be stored in China. This data localization requirement means foreign companies must consider deploying standalone IT infrastructure for their business in China.
Although the PIPL indicates that passing “a security assessment organized by the Cyberspace Administration of China” can act as a green light for cross-border personal information transfer, no operational guide or procedure has been published yet.
If data stored in China is accessed remotely by a user outside of the country, it would still be treated as cross-border transfer of data. It is critical that a company’s IT department understands this before designing the IT infrastructure.
The PIPL grants individuals several rights over the use of their personal information, some of which require companies to make special considerations when designing and operating their IT systems.
Users have the right to refuse the use of their personal characteristics for marketing and information push through automated decision-making mechanisms. The system should be able to receive recipients’ feedback and exclude those users from automated decision-making.
Individuals have the right to ask about what personal data is being collected and stored by the data processor. They can also request a copy of their personal data, correct any inaccurate personal information, and delete their personal information when withdrawing consent or terminating the use of the product or service.
Companies need to consider how to quickly locate each user’s personal information within the IT system and how to make each user’s record independent, so that deleting it does not affect other existing data.
Sensitive personal information should be separated into different systems or databases, or at least into different tables in the same database, to reduce the risk that full and complete records of personal information are shared or accessed when the purpose for processing the data may only require access to a portion of it.
An employee in the marketing department may not need access to a customer’s entire record. They should only be able to see the information needed, such as phone number or email, but not the customer’s address or credit card information.
Data masking is another good way of hiding sensitive information while still allowing staff to access other non-sensitive data. Both data masking and separation of personal information are methods that should be considered when designing an IT system.
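The separation, masking and independent-deletion points above, as an added example that is not from the article: a customer record split into a core table and a sensitive-data table, a masked view for a marketing role, and erasure of one data subject that leaves everyone else’s rows intact. Table and column names, the masking format and the sample rows are constructed assumptions.

```python
import sqlite3

# Illustrative schema (assumed names): the core record and the sensitive
# record are separate tables so access can be granted per table, and the
# foreign-key cascade keeps each subject's data independently deletable.
SCHEMA = """
CREATE TABLE customer (
    id INTEGER PRIMARY KEY, name TEXT, phone TEXT, email TEXT);
CREATE TABLE customer_sensitive (
    customer_id INTEGER PRIMARY KEY REFERENCES customer(id) ON DELETE CASCADE,
    address TEXT, card_number TEXT);
-- Marketing staff get a view: no address at all, card masked to last 4 digits.
CREATE VIEW marketing_view AS
    SELECT c.id, c.name, c.phone, c.email,
           '****-****-****-' || substr(s.card_number, -4) AS card_masked
    FROM customer c LEFT JOIN customer_sensitive s ON s.customer_id = c.id;
"""

def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # required for ON DELETE CASCADE
    conn.executescript(SCHEMA)
    # Constructed sample data, not real persons.
    conn.executemany("INSERT INTO customer VALUES (?,?,?,?)", [
        (1, "Li Wei", "+86-138-0000-0001", "liwei@example.com"),
        (2, "Zhang Min", "+86-139-0000-0002", "zhangmin@example.com")])
    conn.executemany("INSERT INTO customer_sensitive VALUES (?,?,?)", [
        (1, "1 Example Rd, Shanghai", "6222020000000001"),
        (2, "2 Example Rd, Beijing", "6222020000000002")])
    return conn

def marketing_rows(conn):
    """What a marketing-role user sees: contact details plus a masked card."""
    return conn.execute(
        "SELECT id, name, email, card_masked FROM marketing_view ORDER BY id"
    ).fetchall()

def erase_subject(conn, customer_id):
    """Delete one subject; the cascade removes the sensitive row and every
    other customer is untouched. Returns remaining (core, sensitive) counts."""
    conn.execute("DELETE FROM customer WHERE id = ?", (customer_id,))
    conn.commit()
    return (conn.execute("SELECT count(*) FROM customer").fetchone()[0],
            conn.execute("SELECT count(*) FROM customer_sensitive").fetchone()[0])
```

In a production database the view would be granted to the marketing role and the base tables would not be.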
To protect a user’s rights, a friendly privacy interface is crucial. This makes the data transparent and allows users to control what information is being used and how it’s processed and collected. The PIPL’s stipulations require companies to take special consideration when designing privacy interfaces.
The PIPL stipulates that the data processor must obtain the user’s explicit consent, and even requires separate consent in special situations. This means the privacy interface should use an opt-in strategy and leave the choice and control with the individual.
Article 16 states that if a user does not consent to the use of their personal information or withdraws consent, the data processors may not refuse access to the product or service, unless the processing of the personal information is necessary to provide the product or service.
Mobile applications often request excessive privileges, such as access to a smartphone’s microphone and camera, GPS, address book, and even messages, even though only one or two basic privileges would be required to deliver the core service.
The new laws establish that mobile apps cannot refuse a user access to core services if they do not consent to the use of additional personal information that is not required to fulfill the core service.
According to the regulations, data processors must obtain a user’s “separate (non-bundled) consent” before they can share the personal data with a third party, as well as when processing sensitive personal information.
The scope of ‘sensitive personal information’ in the PIPL is much broader than in the GDPR – financial information, transaction records, and location tracking are all regarded as sensitive personal information. Separate consent is also required when sharing personal information with a party outside of China.
The data processor must also “provide a convenient way to let the user withdraw their consent”. It should offer a clear and easy way for users to withdraw their consent, such as letting the user easily de-register their service account. Many mobile apps have been asked to make corrections, or even forced to withdraw from app stores, for non-compliance.
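The consent rules above (explicit opt-in, separate consent per purpose, the core service not conditional on optional consents, and one-call withdrawal), as an added example that is not from the article: a per-user consent ledger and a guard that lets a processing step run only with the specific consent it needs. The purpose list, form keys and function names are constructed assumptions.

```python
import time
from dataclasses import dataclass, field
from enum import Enum

class Purpose(Enum):
    """Each purpose is consented to on its own; values double as form keys."""
    CORE_SERVICE = "core"            # necessary to deliver the product
    MARKETING_PUSH = "marketing_push"  # automated decision-making, optional
    LOCATION = "location"            # sensitive personal information
    THIRD_PARTY = "third_party"      # sharing with a named third party
    CROSS_BORDER = "cross_border"    # transfer outside China

class ConsentRequired(Exception):
    pass

@dataclass
class ConsentLedger:
    """Opt-in ledger for one user: nothing is granted by default, a missing
    or pre-ticked answer is not consent, and withdrawal is a single call."""
    consents: dict = field(default_factory=dict)  # Purpose -> epoch seconds

    def record_form(self, form):
        # Only a literal True is an explicit choice; "on", "yes", 1 or an
        # absent key never count, so bundled or default-ticked boxes fail.
        for purpose in Purpose:
            if form.get(purpose.value) is True:
                self.consents[purpose] = time.time()

    def withdraw(self, purpose):
        self.consents.pop(purpose, None)

    def has(self, purpose):
        return purpose in self.consents

def requires_consent(purpose):
    """Gate a processing step on one specific consent (no bundling)."""
    def deco(fn):
        def wrapper(ledger, *args, **kwargs):
            if not ledger.has(purpose):
                raise ConsentRequired(purpose.value)
            return fn(ledger, *args, **kwargs)
        return wrapper
    return deco

@requires_consent(Purpose.MARKETING_PUSH)
def send_marketing_push(ledger, message):
    return f"pushed: {message}"

def deliver_core_service(ledger, order):
    # Article 16: the core service does not depend on any optional consent.
    return f"delivered {order}"
```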
Since it is considered sensitive personal information, biometric data, such as facial and fingerprint recognition, should be specially protected. The data processor should take special considerations when implementing surveillance measures.
In particular, facial recognition is an area of huge importance in China. Companies that use this type of technology must “disclose rules for the processing of facial information and expressly indicate the processing purpose, method, and scope”. The use of “bundling consent (for processing the user’s facial information) with any other authorization” is prohibited.
Compared to facial recognition, the use of fingerprints for authentication has a much broader scope and is widely used for entrance into buildings and offices. As with facial recognition, fingerprint information falls under the category of sensitive personal information and is therefore subject to the same measures and considerations as facial recognition.
Monitoring data from CCTV cameras in the workplace should be well managed, with access authorization given only to a limited number of people. More importantly, data collected from CCTV cameras should only be used for the express purposes, such as security, and not for other purposes, such as marketing.
The Data Security Law (DSL), effective on September 1, 2021, requires data processors to be responsible for the legitimacy of the data obtained from a third party.
Companies often ‘call-up’ or integrate existing SDKs from other parties into their own Android mobile application to provide better services to users, such as using third party authentication SDKs to enable single sign-on (SSO). This practice leaves open the risk that the third-party SDK collects personal information and transfers it out, sometimes without the user or app operator even knowing.
The PIPL greatly limits many of the data misuses that have plagued Chinese consumers for years and goes to great lengths to protect users’ rights to privacy and control of their personal information.
Chinese authorities will enforce these new laws, which makes compliance critical. Fair and transparent data practices will also help build a strong relationship with customers.