China’s new Personal Information Protection Law takes effect today, Nov. 1, just over two months after its adoption, with companies seeking to figure out how to best comply and regulators working to answer remaining questions.
The Standing Committee of the National People’s Congress passed the law in August to “protect the rights and interests of personal information, regulate personal information processing activities, and promote the rational use of personal information.” The law includes provisions requiring any cross-border data transfers to be submitted first to the Cyberspace Administration of China, the cyber and data protection regulator in China, and states violations could lead to fines of up to $7.7 million or up to 5% of a company’s previous year’s business revenue.
“PIPL is coming into effect after a remarkably short period,” Morrison & Foerster Partner Paul McKenzie said. “Companies and regulators alike are scrambling to figure out what should be done in what order to get ready for the Nov. 1 date PIPL comes into effect. A number of PIPL requirements lack the implementing rules that companies need to see in order to be able to comply. It’s a challenge.”
Fangda Partners' Gil Zhang, CIPP/A, CIPP/E, CIPM, FIP, noted unanswered questions about how companies should comply with a PIPL provision stating data handlers must notify individuals and receive separate consent for controller-to-controller forms of data sharing, which, he said, could cause issues for the advertising technology industry.
“There are a lot of issues like this that each company in a sector is faced with and that call for sector-specific solutions,” he said.
Zhang said implementation measures were expected from regulators in mid-October but have been delayed. Compliance is “not so straightforward,” and companies and counsels are eagerly awaiting guidance, he said.
“There are certainly a lot of things that will be clarified after the first of November. Many companies were working anxiously towards compliance with PIPL by Nov. 1, but in the end, they realize they just cannot get all of the answers, and look for answers from the law per se, when they are faced with the nitty-gritty,” he said.
Many companies started working towards compliance in the early fall, Zhang said, and should continue those efforts. He and McKenzie said it may take some time after Nov. 1 for Chinese authorities to be in sync with the changes in data protection rules that are introduced by PIPL.
While some requirements of PIPL are “actionable today,” McKenzie said others, like key elements of the regulatory framework for restrictions on cross-border data transfers, have yet to be announced. He added enforcement of new requirements is “unlikely to be aggressive for some time.”
“Companies can be reviewing their privacy policies and related disclosures regarding data handling practices and checking the adequacy of consents, including instances where ‘separate consent’ rather than standard consent is mandated by the law,” he said. “Look at where you are sharing personal information with other parties and check to make sure that appropriate contractual terms with those parties are in place and that disclosures to individuals about those personal information sharing arrangements have been made. Understand the rights individuals have in their personal information, including rights of access, rectification, and portability, and make sure mechanisms are in place for individuals to request exercise of those rights and for the company to respond to those requests on a timely basis.”
Zhang suggested companies monitor regulatory developments that might bring clarity, as well as trends in the market, and document compliance, and “get a solid legal analysis.”
“These sorts of things will help them design next steps to compliance,” he said. “I’ve seen some wrong interpretations and commentary, so it makes sense for companies to get their analysis checked again. Starting at the bottom, planning and designing a holistic solution, will help a company stand scrutiny of regulators.”
McKenzie said a key area of focus for companies preparing for PIPL should be securing reliable sources of accurate information, so they are aware of implementing rules and interpretations as they are available. They should also monitor changes other companies are making, and take steps like completing a data mapping exercise, identifying the personal information the company encounters and how that data is classified under PIPL. International companies should also consider whether aspects of their business outside of China trigger PIPL requirements, McKenzie said, as PIPL in some instances applies to companies outside of China that handle personal information of Chinese citizens.
While questions remain around certain details and enforcement of PIPL, McKenzie said it’s clear the regulation “is likely to have significant influence well beyond China’s borders.” He pointed to Article 12, which calls for active participation “in the formulation of international rules for personal information protection,” promoting “international exchanges and cooperation in personal information protection,” and “mutual recognition of personal information protection rules and standards with other countries, regions, and international organizations.”
“It looks likely that China wants to have a central role in international standard setting in the privacy space,” McKenzie said.