New Data Protection Legislation in China
Following the guidelines of GDPR in the EU, China has made new updates to the draft of the Personal Information Protection Law (PIPL) for processing and transferring personal information across Chinese borders. This new legislation will regulate personal information processing and transfers to regulate entities across borders as well as within China.
Privacy law is an important component of China’s international engagement with other countries, and this new legislation will apply to organizations and individuals that process personal information of Chinese nationals regardless of where they currently reside. Personal data can only be handled by an organization or individual when consent has been given or to fulfill statutory obligations.
A Personal Information Processor (PIP) has specific obligations to protect data outlined in the new PIPL. Proper security protocols must be adhered to in order to ensure data security for personal information. This includes PIPs located outside the borders of China, who must appoint a Chinese representative or create a dedicated entity related to security of personal data being managed. Before processing information or using for automated decision-making, all PIPs must perform risk assessments to ensure compliance.
The new PIPL guidelines are requiring PIPs to meet specific measures before transferring or processing personal information including but not limited to; obtaining security assessment from National Cyberspace Administration (NCA), acquiring personal information protection certification from NCA, or following other conditions regulated by the NCA (subject to change).
China reserves the right to prohibit the transfer of personal data if there are sanctions imposed by other countries, which is listed in the PIPL as a “sovereignty provision”. The PIPL does not explicitly say consent is the basis for cross-border transfers of data, so it is vital to ensure the organization has completed the security assessments before processing or transferring data.
If a company violates the PIPL legislation, there are fines up to RMB 1 million for companies and up to RMB 10,000-100,000 for individuals who are not in compliance. Based on the type of violation, fines can be as high as RMB 50 million or 5% of annual revenue for companies and up to RMB 1 million for individuals.
The new PIPL will be the first personal information security law enacted in China. As the law continues to evolve, companies will have to adhere to updated guidelines to ensure compliance with data transfer or processing. To learn more about payroll regulations in China, click here