China's Data Privacy Law: Impact on US Tech Companies

China's New Data Privacy Law: The PIPL
On August 20, 2021, China's national legislature adopted a comprehensive new data privacy law that will significantly alter the operating landscape for technology companies in the country.
Formally known as the Personal Information Protection Law of the People’s Republic of China (PIPL), this legislation represents China’s inaugural national statute dedicated to data privacy.
PIPL: A Framework Inspired by GDPR
The PIPL draws heavily from the European Union’s General Data Protection Regulation (GDPR). It establishes both safeguards and limitations regarding the collection and transmission of data.
These stipulations apply to organizations operating within China, as well as those based internationally. Particular attention is given to applications that utilize personal data for targeted advertising or variable pricing strategies.
A key objective of the PIPL is to prevent the unregulated transfer of personal information to nations with less robust data security measures.
Implementation Timeline and Compliance
With an effective date of November 1, 2021, the PIPL presents companies with a compressed timeframe for preparation.
Organizations already adhering to GDPR principles, especially those with global implementations, will find compliance more manageable. However, those lacking GDPR frameworks will need to swiftly adopt comparable strategies.
Furthermore, U.S.-based companies must evaluate the new restrictions governing the transfer of personal data from China to the United States.
Key Implications for Tech Firms
- Data Collection Restrictions: The PIPL places strict controls on how personal information is gathered and utilized.
- Cross-Border Data Transfers: Transferring data outside of China is now subject to heightened scrutiny and specific requirements.
- User Consent: Obtaining explicit and informed consent from users regarding data processing is paramount.
- Data Security Obligations: Companies are obligated to implement robust security measures to protect personal information.
Understanding and adapting to the PIPL is crucial for any tech firm operating in, or interacting with, the Chinese market.
Failure to comply could result in substantial penalties and reputational damage.
Understanding New Data Handling Regulations
The Personal Information Protection Law (PIPL) establishes a comprehensive and rigorous framework for data privacy, arguably the most demanding globally. While specific provisions concerning governmental agencies are beyond the scope of this discussion, the law generally applies to all information – whether recorded electronically or otherwise – that identifies or could identify individuals, excluding anonymized data.
Several key changes to personal information management in China will significantly impact technology businesses. These are outlined below.
Extraterritorial Reach of Chinese Law
Traditionally, Chinese regulations applied solely to activities conducted within the country’s borders. The PIPL maintains this principle regarding personal information processing within China. However, mirroring aspects of the General Data Protection Regulation (GDPR), it extends its jurisdiction to the handling of personal information outside of China under specific circumstances:
- Providing goods or services to individuals located in China.
- Analyzing or evaluating the behaviors of individuals within China.
- Other scenarios defined by laws or administrative regulations.
For instance, a company based in the United States that sells products to Chinese consumers may be subject to Chinese data privacy regulations, even without a physical presence in China.
Principles Guiding Data Handling
The PIPL emphasizes transparency, purpose limitation, and data minimization. Organizations may only gather personal information for explicitly defined, reasonable, and disclosed purposes, collecting only the minimum amount necessary to achieve those objectives. Data retention is limited to the period required to fulfill the stated purpose. Furthermore, all data handlers must ensure the accuracy and completeness of the information they manage to safeguard individual rights and interests.
The Necessity of Consent
With limited exceptions, obtaining consent is mandatory before processing personal information. Individuals retain the right to revoke their consent at any time. Companies cannot deny services if an individual withholds or withdraws consent, unless data processing is essential for service provision.
Exceptions to the consent requirement include: (a) fulfilling or concluding a contract where the individual is a party, or managing human resources; (b) complying with legal duties or obligations; (c) responding to public health emergencies or protecting life, health, or property; and (d) activities in the public interest, such as news reporting or public oversight, within reasonable limits.
Information already publicly disclosed by the individual or lawfully obtained is also exempt from consent requirements, provided it is within a reasonable scope. Separate consent is needed for sharing information with third parties, along with notification of the recipient’s details and handling practices.
Protection of Sensitive Personal Information
Heightened protections apply to sensitive personal information – data whose leakage or misuse could easily harm a person's dignity, personal safety, or property. This includes biometric data, religious beliefs, specific identity, medical and health records, financial accounts, location tracking (whereabouts), and any personal information of minors under 14. Companies must conduct a personal information protection impact assessment before handling such data.
Handling sensitive personal information generally requires a specific purpose, demonstrated necessity, and robust security measures. Individuals must be informed of the purpose and necessity, and their explicit consent – and parental/guardian consent for children under 14 – is required. No exceptions to consent apply to sensitive personal information.
Notification Obligations
Similar to GDPR and other privacy laws, data handlers must provide individuals with clear, accurate, and comprehensive notice before processing their personal information. This notice must include: (a) the handler’s name and contact details; (b) the purpose, methods, categories, and retention period of data handling; and (c) procedures for exercising individual rights under the law. Further regulations will likely specify the exact content of these notices.
Individual Rights Granted
The PIPL grants individuals several rights, including: (a) the right to know and control the use of their personal information, and to limit or refuse its handling; (b) the right to access and copy their data; (c) the right to transfer their data to a designated handler; (d) the right to request correction or completion of their information; and (e) the right to request an explanation of data handling practices.
The law also mandates proactive data deletion once the purpose is fulfilled, the data is no longer needed, the retention period expires, consent is withdrawn, or the handling violates laws or agreements. Individuals can also request data deletion.
Handlers must establish accessible mechanisms for individuals to exercise their rights and provide explanations for any rejected requests.
Notably, unlike many U.S. privacy laws lacking a private right of action, the PIPL allows individuals to file lawsuits in People’s Courts if handlers deny their rights requests.
Data Security Measures
The PIPL requires personal information handlers to implement robust data protection measures, including: (a) establishing internal management protocols and operating rules; (b) categorizing and managing personal information; (c) employing technical security measures like encryption and de-identification; (d) defining operational limits for data handling; (e) providing regular security training to employees; and (f) developing and implementing incident response plans.
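The de-identification measure in (c) is often implemented badly: hashing an identifier with a public, unkeyed hash function produces a "token" that anyone can reverse, because phone numbers, ID numbers and similar fields come from a small, enumerable space. The following is an added example, not code from the original page or from any regulator. It assumes a hypothetical handler that wants to replace mobile numbers with tokens before moving analytics records abroad; the sample records, the purpose names and the key handling are constructed for illustration. It contrasts an unkeyed hash (reversed by brute force) with a keyed, per-purpose HMAC pseudonym, and it notes why the result is still personal information under the law rather than anonymized data.

```python
"""Keyed pseudonymisation of identifiers versus plain hashing.

Added example for this article; it is not code from the original page or
from any regulator. It assumes a hypothetical data handler that wants to
de-identify mobile numbers before moving analytics records abroad, and
shows why an unkeyed hash is not de-identification: the identifier space
is small enough to enumerate, so the hash can be reversed by anyone.
"""
import hashlib
import hmac
import itertools
import secrets
from typing import Optional

# Constructed sample data: fake 11-digit mobile numbers (not real
# subscribers) attached to app events.
SAMPLE_RECORDS = [
    {"phone": "13800001234", "event": "login"},
    {"phone": "13912345678", "event": "purchase"},
    {"phone": "13800001234", "event": "purchase"},
]


def naive_hash(value: str) -> str:
    """Unkeyed SHA-256 of the raw identifier: deterministic and public."""
    return hashlib.sha256(value.encode()).hexdigest()


def recover_naive_hash(digest: str, prefix: str, suffix_len: int) -> Optional[str]:
    """Reverse an unkeyed hash by trying every number that shares `prefix`.

    Mainland mobile numbers are 11 digits with a 3-digit prefix, so the real
    search is 10**8 candidates, minutes of work on one core. The example
    keeps the search small with a 7-digit prefix and 4 unknown digits.
    """
    for tail in itertools.product("0123456789", repeat=suffix_len):
        candidate = prefix + "".join(tail)
        if naive_hash(candidate) == digest:
            return candidate
    return None


def derive_purpose_key(master_key: bytes, purpose: str) -> bytes:
    """Derive one HMAC key per processing purpose from a master key.

    Tokens produced for different purposes then cannot be joined on the
    underlying identifier, which supports the purpose-limitation principle.
    """
    return hmac.new(master_key, b"pseudonym-key:" + purpose.encode(),
                    hashlib.sha256).digest()


def pseudonymize(value: str, purpose_key: bytes) -> str:
    """HMAC-SHA256 token for an identifier.

    Without the key an attacker cannot evaluate the function, so the
    enumeration attack above does not apply. With the key the token is
    still linkable back to the person, so the output is pseudonymous
    personal information, not anonymized data.
    """
    return hmac.new(purpose_key, value.encode(), hashlib.sha256).hexdigest()


def export_records(records: list, master_key: bytes, purpose: str) -> list:
    """Replace raw phone numbers with purpose-bound tokens for export.

    The master key stays with the handler (for example in a KMS inside
    China); only the tokenized records leave.
    """
    key = derive_purpose_key(master_key, purpose)
    return [{"subject": pseudonymize(r["phone"], key), "event": r["event"]}
            for r in records]


def matches(token: str, value: str, purpose_key: bytes) -> bool:
    """Key-holder check that a token belongs to a given identifier."""
    return hmac.compare_digest(token, pseudonymize(value, purpose_key))


if __name__ == "__main__":
    master = secrets.token_bytes(32)
    digest = naive_hash("13800001234")
    print("naive hash reversed to:", recover_naive_hash(digest, "1380000", 4))
    for rec in export_records(SAMPLE_RECORDS, master, "analytics"):
        print(rec)
```

Two points follow from the design. First, because the key holder can re-link every token, the exported dataset plus the key is still personal information; whoever holds the key must treat the export as a cross-border transfer of personal information, and the key itself should never travel with the data. Second, deriving a separate key per purpose means an analytics dataset and a marketing dataset cannot be joined on the subject, which is the technical counterpart of the purpose-limitation principle the law imposes.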
Critical internet platform service providers with large user bases and complex operations must establish independent oversight bodies composed primarily of external members to supervise personal information protection.
Impact on Mergers and Acquisitions
The PIPL will influence corporate transactions like mergers, separations, dissolutions, and bankruptcies. The transferring party must notify individuals about the receiving party’s identity and contact information. The receiving party must continue fulfilling the transferring party’s obligations and cannot alter data handling practices without notifying individuals and obtaining consent where necessary.
Automated Decision-Making Restrictions
Similar to GDPR, the PIPL allows individuals to refuse automated decision-making if it significantly impacts their rights and interests. The law does not define covered activities, but it likely includes decisions regarding loans and credit approvals. No exceptions to this right of refusal are currently provided, and further regulation is expected to clarify this area.
Prohibition of Targeting and Price Discrimination
Regulators are concerned about companies misusing personal data to engage in unfair practices, such as price discrimination. The PIPL prohibits unreasonable differential treatment in trading conditions. App developers using targeted advertising or automated sales must offer a targeting-free option or a convenient opt-out mechanism.
Data Protection Officers and Representatives
Organizations handling substantial amounts of personal information exceeding a threshold set by the national cyberspace authority must appoint a data protection officer. Companies subject to the PIPL’s extraterritorial jurisdiction must establish a dedicated agency or appoint a representative in China to handle data protection matters.
Cross-Border Data Transfer Regulations
The PIPL restricts the transfer of personal information outside of China. To transfer data abroad, a company must satisfy one of the following conditions: (1) pass a security assessment organized by the national cyberspace authority; (2) obtain personal information protection certification from a body designated by that authority; (3) enter into a contract with the foreign recipient based on the standard contract formulated by the authority (similar to the EU’s Standard Contractual Clauses); or (4) meet other conditions specified by laws, administrative regulations, or the national cyberspace authority.
The transferring party must ensure the foreign recipient’s data handling practices meet the PIPL’s protection standards. Individuals must also be notified about the recipient’s details, handling practices, and their rights, and their separate consent must be obtained.
Data Localization Requirements
Companies must consider whether they need to store personal information collected in China locally. The 2017 Cybersecurity Law only required critical information infrastructure operators (CIIOs) to store data within China. The PIPL expands this requirement to handlers of large volumes of data.
Data subject to this localization requirement cannot be transferred abroad unless the transfer passes the national cyberspace authority’s security assessment or a statutory exemption applies. In addition, data handlers cannot provide personal information stored in China to foreign judicial or law enforcement bodies without the approval of the competent Chinese authority.
Navigating Compliance and Challenges for U.S. Businesses
U.S. companies engaged in commerce within China, or those conducting business with Chinese entities, must promptly evaluate the implications of this new legislation on their operations. For instance, a firm specializing in autonomous vehicle technology seeking market entry into China will be obligated to adhere to all stipulations outlined in the new law. This includes providing requisite notifications during sales transactions and securing necessary consumer consent.
Entities offering financial support for purchases must assess whether their lending decisions utilize automated processes. If so, they are required to furnish consumers with the option of a personalized review. Marketing efforts directed towards Chinese citizens necessitate the inclusion of a clear mechanism for opting out of targeted advertising practices.
The collection of data directly from vehicles may trigger specific notification and consent requirements, potentially classifying this information as sensitive personal data. Furthermore, regulations may mandate the storage of such data within China, particularly if it surpasses established regulatory thresholds. Security evaluations or certifications may also be necessary to facilitate data transmission to the United States.
Biotechnology and hardware manufacturers operating facilities in China should prioritize data pertaining to their workforce and contractors. While explicit consent may not be needed for much of this data due to the human resources management exception, providing notice remains crucial. Consent is, however, required for handling sensitive employee information.
Disclosure of employee data to external parties, like payroll administrators, may also necessitate obtaining prior consent. Companies already aligned with GDPR principles should concentrate on adapting to the nuances of the Chinese law, securing appropriate consents, and ensuring seamless cross-border data transfer.
For cross-border data transfers, determining whether the company qualifies as a Critical Information Infrastructure Operator (CIIO) or processes substantial data volumes requiring governmental authorization is essential. Implementing compliance presents a considerably larger undertaking for organizations that haven't yet adopted GDPR principles.
A systematic approach is recommended, beginning with a comprehensive data inventory and mapping exercise. This should detail the types of personal information gathered in China and the specific purposes for which it is collected.
Based on this assessment, companies should then evaluate the following key areas:
- Determining consent requirements and establishing methods for obtaining it.
- Developing comprehensive notices detailing disclosures and data subject rights.
- Establishing procedures for addressing data subject requests.
- Implementing data deletion protocols upon obsolescence or expiration of retention periods.
- Verifying consent for disclosures to third-party entities.
- Ensuring third parties adhere to the security and privacy standards of the PIPL.
- Assessing the need for localized data storage and implementing transfer mechanisms (certifications, contracts, or governmental approval).
- Evaluating the necessity of appointing a Data Protection Officer and designating a representative within China.
Initiating this process proactively will streamline the transition and minimize potential disruptions to business operations in China.
Note: The perspectives presented herein are solely those of the author and do not necessarily represent the official stance of O’Melveny & Myers, LLP.