China has reset the rules of its digital economy over the past year, following the introduction of several new data laws. China privacy law has extraterritorial scope, which means you need to follow the rules when you’re handling personal information from someone in China whether you’re operating in the country, our outside it. So what do you need to now about China privacy laws if you’re planning to engage with Chinese clients, customers and prospects, or run a digital marketing campaign? We break down some of the key points below.
Key China privacy law
China enacted a suite of new data privacy and cyber security laws in 2021 and 2022 that radically alter the digital landscape. The Personal Information and Protection Law (PIPL) in 2021 and the Recommendation Algorithm Regulations in 2022, are particularly relevant to international student recruiters and marketers. The algorithm regulations clarify the user's right to opt out of algorithmic recommendations, demands transparency over how algorithms are functioning, and bans certain targeting. Some of its requirements are included in the comprehensive PIPL.
The PIPL restricts and regulates the use and collection of personal information. It has a particular focus on user notification and consent and shares some similarities with Europe’s General Data Protection Regulation, the so-called GDPR. Personal information (PI) includes any data that can be linked to a specific individual.
It’s core principles, summarised, are that so called “data handlers”:
- Minimize data collection and use to only what’s needed.
- Deploy openness and transparency, clearly indicating the purpose, method, and scope of PI use.
- Operate with lawfulness, propriety, necessity, and sincerity.
- Ensure the accuracy and quality of PI.
- Be accountable to your PI handling, ensuring appropriate governance and security is in place.
Limit PI activity to a clear and reasonable purpose.
Consent is key
Data handlers must get an individual’s explicit consent to collect, process, or store their personal data. Details on what specific conditions need to be met to constitute clear consent are light. However, Article 14 outlines that it is essential that the individual is fully informed, and consent is given freely and unambiguously. As examples of what ‘freely’ given consent may mean in how you relate to your clients: you must not withhold a service or product from an individual because they don’t share PI (unless the information is critical to deliver the service), to avoid coercing or pressuring clients. Or, as another example, you should integrate a check box into personal information submission forms so that the individual actively agrees to your data activity, and gives ‘unambiguous’ consent.
Additionally, data handlers must seek the individuals ‘separate consent’ if:
- they are providing the PI to a third party.
- publicly disclosing the PI
- collecting the PI by devices in public places for any other reason than public security
- processing sensitive personal information (more on this later).
- exporting the PI to a party outside of China.
The PIPL does not offer guidance on what constitutes ‘separate consent’, as opposed to the explicit consent required by more general personal information collection, but some law firms anticipate a separate check box or pop-up window will be needed to meet the additional requirements on how ‘sensitive personal information’ is handled.
‘Sensitive’ personal information restrictions
The law places further restrictions on how ‘sensitive personal information’ (SPI) is processed. SPI includes the sort of information that, if leaked or used illegally, may easily lead to the infringement of an individual’s personal dignity or harm to personal or property. The definition of SPI includes biometrics, religious beliefs, medical health, financial accounts and individual location tracking. SPI also includes all personal information of children under the age of fourteen, as well as information on “specific identity”, which is a term that is understood to cover gender identity and sexuality. If handling SPI, you must, in addition to PI regulations:
- state why you’re processing the data and explain the impact on the individual
- be able to demonstrate a clear purpose and sufficient need for its collection and processing
- obtain ‘separate consent’ from the individual, or their guardian
Rights of the individual
The PIPL also gives Chinese citizens more rights over their own data. Under the law, individuals have the right to edit, remove, or restrict the use of their data, or withdraw consent to its use –and it’s the data handlers’ responsibility to have systems in place to respond to these demands. They also have the right to limit or refuse the processing of their data—as well as automated decisions relating to their data. Additionally, personal data must now be deleted after the stated purpose for collection has been completed (although there’s no information yet on how this requirement will be enforced).
The PIPL includes mandatory security requirements to be applied when storing and processing personal information, as well as compulsory training for the responsible personnel. It also details a faster response to data security incidents.
Companies that could be described as a “major internet service platform” or having a “large number” of users or “engaging in complex business activities” face additional restrictions.
When is personal information handling lawful?
At least one of the following conditions must apply for the processing of personal information to be considered legal under the PIPL:
- consent is given by the data subject;
- its processing is a necessary to execute on a contract or perform HR (in accordance with labour laws)
- you are responding to a public health emergency, or protecting people’s safety and property during an emergency.
- the PI is already public, and its processing is in accordance with the requirements of the PIPL.
- you are carrying out news reporting and public opinion monitoring for public interest
- other circumstances permitted by laws and regulations.
If a business violates the PIPL it faces significant penalties, including:
- fines of up to RMB 50 million or 5% of revenue.
- suspension of a business’s operations.
- a reduction in the company’s social credit score, which can impact access to finance.
Individuals who are held liable for these violations face:
- fines of up to RMB 1 million
- additional discipline to be determined by a legal authority, potentially including prison time.
So, with jurisdiction and industry-specific guidelines still pending, what can companies do to make sure they aren’t getting on the wrong side of the law in China?
What do you need to do to be compliant?
Each organisation is unique, and there is no one size fits all approach to compliance. In general, and with the disclaimer the below does not, under any circumstances, offer specific legal advice, companies need to:
- Audit their data activities and security.
- Identify where Chinese data laws are relevant.
- Build procedures and policy to comply with the laws.
- Ensure they can demonstrate how they are complying with the laws.
With the full scope of the PIPL is yet to be determined – regulation from governing departments is still pending – initial enforcement is likely to be inconsistent. There is likely to remain a degree of “grey space” around how exactly it’s enacted, but there are simple steps institutions must take now to start their journey to compliance.
Organisations are adapting to the new laws by:
- Assign responsibility and building procedure to ensure data subjects can receive a copy of their PI, alter, or delete it.
- publishing a contact for anyone who wants to exercise their PI rights, like altering, deleting, or withdrawing consent to the PI in an easy-to-find location online.
- Building a mandatory checkbox into websites that must be actively ticked before data is collected.
- Appointing an individual in charge of PIPL compliance and monitoring the Cyberspace Administration of China website for guidance.
- Auditing third parties (including agencies, as well as your software and tech), and training staff to ensure they're compliant.
- Storing any “large” quantities of PI on the mainland.
- Deleting the PI after the agreed retention period, its purpose has been achieved, or at the request of the data subject.
- Halting PI processing if it is technically difficult to delete.
How Sinorbis helps
Sinorbis is committed to compliance with applicable Chinese data laws, and to performing as a trusted data processor and 3rd party in our clients China marketing efforts, but it is important for institutions to understand and act on their responsibilities in the space.
China’s new data privacy law makes it even more critical that organisations have transparency and control across their digital activity in China. You are responsible for your activity, including the activity performed by an agency on your behalf.