Recent Chinese privacy laws have turned China's digital playing field into one of the strictest data governance landscapes in the world. It is not surprising that this pivot left many organisations confused, both inside and outside the country. When the key Personal Information Protection Law (PIPL) came into effect on 1 November 2021, it even caused shipping disruptions: local providers of ship-tracking data cut off the flow of vessel positions to overseas recipients, effectively taking ships off the grid. We have answered some of the most frequently asked questions to help make China digital marketing easier.
Get the lowdown on Chinese privacy laws
My website is hosted outside of China. Does the PIPL apply to me?
If you’re gathering or processing data on people within China, yes. So, for example, universities with a China-optimised website hosted outside of China will still need to be compliant with the law when they are gathering lead information or processing applications.
What counts as personal information (PI)?
Personal information (PI) includes any information related to an identified or identifiable person that is recorded electronically or by other means (excluding anonymized information).
How is the PIPL enforced, and who is responsible?
At the national level, the Cyberspace Administration of China (CAC) coordinates personal information protection under the PIPL, and the Ministry of Public Security leads broader data security enforcement. Both have provincial and local counterparts with rulemaking and enforcement powers. Other State Council departments, such as the Ministry of Industry and Information Technology and the Ministry of Science and Technology, can also enforce the PIPL within their own remits.
How can I make sure I get “explicit” consent to use someone’s data?
Data handlers must obtain an individual's explicit consent before collecting, processing or storing their personal information. The law gives little detail on what specific conditions constitute clear consent. However, Article 14 requires that the individual is fully informed and that consent is given voluntarily and unambiguously. So, for instance, you must not withhold a product or service from an individual because they decline to share PI, unless that information is genuinely necessary to deliver the service. It is critical that you avoid coercing or pressuring individuals into giving consent. You should also integrate an unticked check box into personal information submission forms, so that someone must actively agree to your data activity, which helps establish "unambiguous" consent.
What is “separate consent”, and when do I need it?
Data handlers must obtain the individual's "separate consent" if they are:
- providing the PI to a third party;
- publicly disclosing the PI;
- using image capture or identification devices in public places for any purpose other than public security;
- processing sensitive personal information (more on this later); or
- transferring the PI to a party outside of China.
The PIPL does not define what constitutes "separate consent", as opposed to the explicit consent required for general personal information collection, but some law firms anticipate that a separate check box or pop-up window will be needed to meet the additional requirements on how sensitive personal information is handled.
Has there been much enforcement of the PIPL to date?
Chinese authorities have stepped up enforcement in the last several months. Most enforcement has centred on unlawful data collection and data leakage, with a focus on websites and apps. Since 2021, there have been numerous instances of Chinese authorities ordering apps to change their data handling procedures, and several education apps have been cited for violations.
What risk do I face from the PIPL?
Organisations should seek legal advice to understand their own exposure and to ensure they are compliant with Chinese law.
Penalties for businesses that violate the PIPL include fines of up to RMB 50 million or 5% of the previous year's revenue, suspension of business operations, and a negative entry in the company's social credit record. Individuals held liable for these violations face fines of up to RMB 1 million and may be barred for a period from serving as a director, supervisor, senior manager or personal information protection officer of a relevant company.
Is Sinorbis compliant with the PIPL?
As a SaaS company, Sinorbis must comply with a number of global data privacy and security laws, including China's PIPL. To do this we have:
- Introduced a mandatory consent check box into the design of our lead generation forms for China websites and digital platforms.
- Committed to deleting all personal information associated with a client account within seven days of the account being closed.