
China: PIPL implementation challenges and best practices

Following the Personal Information Protection Law ('PIPL') coming into effect, most organisations, especially those international companies who conduct business in China, have enthusiastically complied with the PIPL. However, some articles of PIPL are very high level and general, which may need to be supplemented by further guidance from legislators or data protection authorities in China. For example, some requirements seem impractical, such as those regarding data localisation, data transfers, and data protection officer ('DPO') requirements, which may cause misunderstanding or difficulty for compliance efforts. Dehao Zhang, Counsel at Fieldfisher, provides some practical advice to help organisations stay compliant.


Data localisation

Most organisations have these questions: do we need to locally store personal information in China? Do we need to build up or buy a data centre or a server in China?

To answer these questions, at first, we must be clear that data localisation requirements in China do not mean that data transfers are prohibited. The data localisation requirements only require the original data to be stored in China first, and under data transfer requirements of the PIPL, such data can be transferred outside of China, even if the organisation is subject to data localisation requirements.

For most organisations, the answer to both questions should be no. The only two types of organisation in China to whom such requirements apply are (a) critical information infrastructure operators ('CIIOs') and (b) organisations who meet the threshold set by the Cyberspace Administration of China ('CAC'). These two types of organisation have a legal obligation to store the data locally in China, but, as mentioned above, that does not mean they are prohibited from transferring data outside of China, as the PIPL also provides a mechanism for them to do so.

Regarding CIIOs, according to Article 2 of the Regulations on the Security Protection of Critical Information Infrastructure ('the CII Regulations'), critical information infrastructure ('CII') refers to the key network facilities and information systems in important industries and sectors such as public telecommunication and information services, energy, transport, water conservancy, finance, public service, e-government, and science, technology and industry for national defence, which may seriously endanger national security, the national economy, people's livelihoods, and public welfare if they suffer any destruction, loss of function, or data leakage. This indicates that the concept of CII under the CII Regulations is very similar to the concept that exists under the EU Network and Information Security Directive. Under the CII Regulations, the competent authorities have the duty to inform the relevant companies when their information infrastructure is designated as CII. In practice, if a company has not received any CII notice or confirmation from the competent authority, it is most likely not considered a CIIO.

Regarding those organisations who meet the threshold of the CAC, the CAC has released its Draft Measures for Security Assessment of Cross-border Data Transfer (Draft for Comments) ('the Draft Measures') on 29 October 2021. The Draft Measures can serve as a reference to assess whether the company is subject to the data localisation obligation under the PIPL, although it is not effective yet and only a draft for comment. Under the Draft Measures, there are three thresholds:

  • processing 1 million data subjects' personal data, based on the limited information;
  • transferring 100,000 data subjects' personal data outside of China; and
  • transferring 10,000 data subjects' sensitive personal data outside of China.

Under the PIPL, sensitive personal information includes biometric data or data relating to religious belief or specific identity, medical data, financial data, personal location tracking data, and personal information of a minor under the age of 14.

From a practical perspective, these thresholds do not seem to be a very good choice for organisations who have a large number of users or data subjects in China. The threshold appears to be a cumulative total rather than an annual or monthly figure, which enterprises in China have questioned, since such a threshold is easy to reach, especially the third one, because bank account data is a kind of sensitive personal information under the PIPL. In addition to the Draft Measures, some sectors have also used the threshold of 1 million data subjects' personal data, such as the education sector in China; however, the Draft Measures are unlikely to become effective soon.

Data transfer requirement

Most organisations will not yet have solutions in place for the data transfer mechanisms required by the PIPL, since the data authorities in China have not officially released any guidance on them to date. There are some draft measures on this subject, such as the Draft Measures of 29 October 2021 and the Practice Guidelines for Cybersecurity Standards - Technical Specifications for Certification of Cross-Border Processing of Personal Information (Draft for Comment) ('the Draft Cybersecurity Guidelines'). The Draft Cybersecurity Guidelines provide useful guidance for organisations' compliance under the PIPL, since they are much more detailed than the law itself. Please note that the Draft Cybersecurity Guidelines are not enforceable, which means that organisations who follow such draft measures will need to pay attention to subsequent changes and updates to them.

There are three mechanisms for data transfers provided by the PIPL, as detailed below.

Risk assessment organised by the CAC

This is the mechanism for data transfers conducted by CIIOs and organisations who meet the threshold of the CAC. According to the Draft Measures, when CIIOs and the qualifying organisations apply for such a risk assessment, they must provide the Standard Contractual Clauses ('SCCs') signed between the data exporter and data importer, which means they must both have the SCCs in place and conduct the required risk assessment. Before the data transfer, according to Article 55 of the PIPL, a Personal Information Protection Assessment ('PIPA') must be completed and the organisation must keep a record of the processing, i.e. of the data transfers. Although the CAC has not announced the Draft Measures as enforceable, organisations will still have to first conduct the self-risk assessment, as well as prepare the PIPA and record the processing in detail. The self-risk assessment can follow the requirements of a Data Transfer Impact Assessment under the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), resulting from the judgment in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18), i.e. researching the data protection framework of the country or region in which the data importer is located, as well as the data protection compliance status of the data importer.

Certification of qualified agencies according to guidance of CAC

According to the Draft Cybersecurity Guidelines, if organisations want to get ready for the certification, they will need to prepare documents regarding the data importer's DPO, the DPO's responsibilities, how the data importer processes data and protects the data to be transferred, the PIPA for the data transfer, and how they protect the rights of data subjects, namely the responsibilities and obligations of the data importer and data exporter.

SCCs adopted by the CAC

This is likely the best solution for most organisations, but unfortunately there is no official and effective set of SCCs right now. Although the CAC has indicated that the SCCs under the GDPR cannot be used for data transfers outside of China, it is still helpful for organisations to have the EU/UK version of the SCCs in place with minor changes. This can be useful in order to comply with the requirement, even though there is no official guidance on this.

DPO requirement

The PIPL only requires personal information processors (similar to data controllers under the GDPR) who meet the threshold to have a person in charge of personal information protection (similar to a DPO under the GDPR), and requires that such a DPO in China supervise the personal information processing and security measures the organisation has taken. However, it does not specify which organisations must have a DPO, who can be a DPO, or what the responsibilities of the DPO are.

Which organisations must have a DPO?

From my personal understanding of the law, it seems the thresholds should not be very large. According to the National Recommendation Standard Information Security Technology - Personal Information Security Specification (2020) ('the Specification'), organisations that meet one of the following conditions shall establish the position of a DPO and a department responsible for personal information security:

  • the core business involves the processing of personal information, and the number of employees is larger than 200;
  • the organisation processes the personal information of more than 1 million people, or expects to process the personal information of more than 1 million people within 12 months; or
  • the organisation processes sensitive personal information of more than 100,000 people.

Who can be a DPO?

In China, although the PIPL is enforceable right now, awareness of it is low. While some Chinese universities and colleges have begun offering PIPL and data protection related courses, there has not yet been time for DPOs to become qualified. Because of this situation, the PIPL will not require much regarding the experience and educational background of a DPO, but after a period of time such requirements may be put in place.

From a practical perspective, if an organisation wants to choose a DPO, it can require the DPO to have some knowledge of personal data protection law, management, and information security, or at least to have experience in these areas.

What is the responsibility of a DPO in an organisation?

Article 52 of the PIPL requires that the DPO supervise the data processing activities and data protection measures in its organisation.

According to the Specification, the DPO and the department of data protection should be responsible for the following work:

  • comprehensively implementing the personal information security work within the organisation, and taking direct responsibility for personal information security;
  • organising the formulation of personal information protection work plans and supervising their implementation;
  • formulating, issuing, implementing, and regularly updating personal information protection policies and related procedures;
  • establishing, maintaining, and updating the records of personal information processing activities held by the organisation (including the type, quantity, source, recipient, etc) and authorised access policies;
  • carrying out the PIPA, putting forward countermeasures and suggestions for personal information protection, and making suggestions for the rectification of potential security risks;
  • organising personal information security training;
  • conducting testing before the product or service is released online to avoid unknown personal information collection, use, sharing, and other processing behaviour, which is also known as Privacy by Design;
  • announcing complaints and whistleblowing methods, and accepting complaints and reports in a timely manner;
  • conducting personal information protection audits; and
  • maintaining communication with supervisory and management departments, and reporting on personal information protection and incident handling.

Although this seems very challenging, it is very similar to what DPOs under the GDPR must do.

Please note that there is no requirement to ensure the DPO's independent role in an organisation, which may impact the work of the DPO. To this end, organisations should nevertheless ensure the DPO's independence, to allow them to supervise data protection matters responsibly.

How to understand 'specific identity'?

Many international organisations may be confused by the term 'specific identity' under Article 28 of the PIPL. Article 28 of the PIPL defines sensitive personal information as follows:

Sensitive personal information refers to personal information that, once leaked or illegally used, will easily lead to infringement of the human dignity or harm to the physical or property safety of a natural person, including biometric recognition, religious belief, specific identity, medical and health, financial account, personal location tracking and other information of a natural person, as well as any personal information of a minor under the age of 14.

Most Chinese speakers will understand specific identity as an identity, position, or group membership which may lead to different interests or different rights in a contract or under certain laws, such as women, elderly or senior people, or individuals of important status in regard to the conclusion of a contract between companies and data subjects, or as characteristics that may easily cause an infringement of dignity or other significant impacts, such as being from a single-parent family or having a criminal record.

In China, political opinion or ethnic minority status is not considered to infringe the dignity or vital interests of a person and thus cannot be regarded as sensitive information; however, 'specific identity' may also be used as a catch-all (miscellaneous) provision.

Conclusion

Some articles under the PIPL are still unclear and in need of clarification by the authorities. Although we know that the data authorities are drafting guidance for the PIPL, it is not clear when such measures or rules will become enforceable. At this time, it is best for organisations to comply with the PIPL as thoroughly as they can, doing their best with the requirements that remain unclear.

Dehao Zhang Counsel
Fieldfisher China, Beijing