China Data Protection, Privacy, and Security Alert
Multinational entities with operations in, or doing business with, the People’s Republic of China (PRC) should take note of the PRC’s new Personal Information Protection Law (PIPL), which took effect on 1 November 2021 and is extraterritorial in scope and effect.
According to Article 3 PIPL, offshore entities or individuals who process the personal information of individuals residing within the territory of the PRC (PRC Personal Information Subjects) are subject to the PIPL, provided that the processing of that personal information is carried out for the purposes of:
- Providing products or services to PRC Personal Information Subjects;
- Analyzing and assessing PRC Personal Information Subjects’ behaviors; or
- Other circumstances as stipulated by laws or administrative regulations.
Offshore personal information processors must either establish a special agency or appoint a representative in the PRC, whose name and contact information must be submitted to the regulatory authorities (Article 53 PIPL). The term “personal information processor” under the PIPL is generally equivalent to the term “data controller” under the EU General Data Protection Regulation 2016/679 (GDPR).
In addition to the representative requirement under Article 53 PIPL, both onshore and offshore personal information processors must, under certain circumstances, appoint a personal information protection officer (PIPO) (Article 52 PIPL).
This alert first lays out the differences between the requirements under Article 52 PIPL (PIPO appointment) and Article 53 PIPL (PRC-based representative appointment / establishment of an agency in the PRC). Next, it examines statutory obligations under PIPL upon designated personnel, and then concludes by highlighting important sector-specific regulations and local practices of provincial and municipal governments.
WHAT IS REQUIRED?
In the wake of PIPL’s entry into force, there was uncertainty about what Article 53 PIPL required, specifically whether it requires an offshore entity to appoint in the PRC something similar to the notion of a “data protection officer” (DPO) under the GDPR.
Under the PIPL, each personal information processor must appoint a PIPO if the amount of personal information it processes reaches a threshold prescribed by the Cyberspace Administration of China (CAC) (Article 52 PIPL). The PIPO is responsible for supervising the processing activities and protection measures taken by the personal information processor. The personal information processor is required to publicize the PIPO’s contact information and submit the PIPO’s name and contact information to the regulatory authorities.
Article 53 PIPL requires offshore personal information processors that are subject to PIPL to appoint a PRC-based representative or establish an agency in the PRC for personal information protection purposes. A similar notion exists under Article 27 of the GDPR, whereby offshore data controllers or processors are required to appoint an EU-based representative.
Thus, Article 53 PIPL generally requires offshore personal information processors to appoint a PRC-based representative or establish an agency in the PRC if their activities fall within the scope of activities stipulated in Article 3 PIPL, regardless of the amount of personal information processed. By its terms, Article 53 PIPL does not apply to onshore personal information processors in the PRC.
On the other hand, Article 52 PIPL requires both offshore and onshore personal information processors to appoint a PIPO but only when the amount of information they process exceeds certain thresholds. Thus, the essential factor to assess when determining whether a PIPO is required is the amount of information being processed.
THE KNOWNS AND UNKNOWNS
Presently, there is no clear guidance on how an offshore personal information processor can appoint a PRC-based representative or establish an agency in the PRC under Article 53 PIPL.
It also remains to be seen if the requirement for a PRC-based representative or agency can be waived for certain offshore personal information processors. Under the GDPR, the EU-based representative requirement can be waived: under Article 27 GDPR, an EU-based representative is not required if the following conditions are met:
- The processing is occasional;
- The processing does not include, on a large scale, processing of special categories of personal information, such as genetic information and biometric information for the purpose of uniquely identifying a natural person; and
- The processing is unlikely to result in risks to the rights and freedoms of a natural person, taking into account the nature, context, scope, and purposes of the processing.
Due to the “occasional” requirement, the EU-based representative waiver under GDPR is rarely available.
It remains to be seen if a similar waiver may be found under the PIPL implementation rules and regulations when available.
As noted above, PIPL defers to the CAC to prescribe the relevant thresholds to determine whether an offshore or onshore personal information processor must appoint a PIPO. As of the date of publication, the CAC has yet to stipulate any threshold generally applicable to personal information processors.
However, we are perhaps not totally in the dark. For instance, the National Standard of Information Security Technology – Personal Information Security Specification (PIS Specification), as amended and effective from 1 October 2020, has specific thresholds for a personal information processor to appoint a PIPO and set up a personal information protection department. While not mandatory, the PIS Specification is viewed as national best practice for personal information security in the PRC. The PIS Specification may serve as a good benchmark or reference point on this issue. Additionally, the PIS Specification may be informative as to when a PRC regulator would launch an enforcement action against a personal information processor under the PIPL.
The specific thresholds under the PIS Specification are:
- An entity whose main business involves the processing of personal information and that has more than 200 employees;
- An entity processing the personal information of more than one million individuals or estimated to process the personal information of more than one million individuals; or
- An entity processing the sensitive personal information of more than 100,000 individuals.
In the context of an offshore personal information processor, it is unclear for the first threshold above whether the number of employees is calculated on a worldwide basis or is limited to employees working on business within the PRC.
In addition, certain industry sectors already have their own industry-specific thresholds. For example, the Several Provisions on Vehicle Data Security Management (for Trial Implementation), effective from 1 October 2021, require all vehicle data processors to submit the name and contact information of their vehicle data privacy officers in their annual report to the regulatory authorities if they process, among other things:
- Video or image data collected outside of a vehicle, including human facial information, license plate information, etc.; or
- Personal information of more than 100,000 individuals.
Certain provincial and municipal governments have also formulated their own local regulations, draft rules or policies in this regard. For example, the governments of Jiangsu and Shanghai encourage local enterprises to appoint chief data officers in their respective policies or draft rules. The Jiangsu government has even announced a list of pilot local entities for the appointment of chief data officers. While these local rules and draft regulations are presently on a trial basis or considered “best practice”, they are useful indications of how the mandatory data protection regime in the PRC may take shape going forward. Thus, they should be considered and examined when assessing how to adapt your business operations to remain PIPL-compliant.
PRACTICAL INSIGHTS
The CAC likely will issue guidelines on the PRC-based representative appointment or agency establishment procedures, as well as the relevant PIPO appointment thresholds, among other things. We also expect additional important developments with respect to PIPL in the months to come and will keep monitoring them.
Should you have any questions on the issues discussed in this alert or any other data privacy-related issues, the firm’s Global Data Protection team, comprising data privacy lawyers across our Greater China region offices, remains available to assist you in meeting your data protection compliance needs.