Kia ora koutou.

In this week’s intro, I’d like to continue the discussion Stephen Bolinger started last week about China’s new Personal Information Protection Law, due to come into force 1 Nov. As Stephen noted, this is big news. The PIPL significantly alters the regional and global privacy landscape. My feeling is the gravity of this news has not been fully considered in New Zealand.

We’ve only just come out the other side of the readiness panic generated by the commencement of the EU General Data Protection Regulation in May 2018. The GDPR created a frenzy of activity to ensure compliance with a European law that, in many cases, had little to no real impact on NZ agencies. China is NZ’s largest trading partner, with which we have significant business, education and tourism connections. According to the NZ Ministry of Foreign Affairs and Trade, our two-way trade (exports and imports of goods and services) with China exceeds NZ$33 billion. This means the PIPL may have a real impact on NZ agencies that provide products and services to people in China or “analyze or assess” people's behavior in China. Despite this, there has been little local discussion of the potential impact of the PIPL on NZ. Given the PIPL’s fines and penalties regime, which at 5% annual revenue is comparable to the GDPR approach, NZ agencies will need to take notice.

Unsurprisingly, the PIPL shares many similarities with the GDPR and the NZ Privacy Act. The definition of personal information is similar; the law reflects global privacy principles such as data minimization, use limitation, data protection and accountability; and the law gives individuals similar privacy rights. Further, like the GDPR, the PIPL requires agencies caught by its extra-territoriality provisions to appoint a dedicated representative in China.

However, the PIPL differs in a few important ways that could catch agencies out. Stephen already identified the law’s stronger reliance on consent as the lawful basis for processing personal information and the lack of any ground, similar to the GDPR’s “legitimate interests” ground. He’s also noted the PIPL requires the immediate notification of data breaches. The PIPL also contains a rather alarming data localization requirement. Any agency processing a large amount of personal information (and note China has yet to reveal what the threshold will be for this) must store the information locally. This requirement could impact agencies that operate any significant online retail activities within the Chinese market.

Agencies in NZ will now need to assess whether they fall within the extraterritorial scope of the PIPL. If they do, they will also need to assess the extent of their personal information processing, as this may determine what obligations they must comply with. Agencies that have already put meaningful efforts into lifting their privacy maturity to meet the requirements of the NZ Privacy Act or GDPR will be better placed to comply with the PIPL, subject to ensuring they understand the additional or different requirements summarized above. Agencies still at the beginning of their privacy journey may need to take immediate steps to ensure their business practices comply.

All this means privacy professionals in NZ will also need to ensure they understand the PIPL and the impact it may have on their clients. We are starting to see commentary on the PIPL in various channels and networks, including an