Is navigating PIPL ambiguity making you feel uneasy? Are you wondering if your organization has done enough to comply with the Personal Information Protection Law of the People’s Republic of China?
When PIPL went into effect in November 2021, there were still major gaps in the regulation leaving many organizations confused.
Thankfully there is new guidance to help you navigate through PIPL’s ambiguity and get your organization compliant.
PIPL Compliant Privacy Notice Requirements
The PIPL privacy notice requirements serve as guidelines for compliance. Use these as a starting point to navigate through PIPL’s ambiguity.
First, a specific procedure must be in place for companies when drafting their privacy notice. This includes a clear owner or department responsible for drafting the privacy notice.
Organizations will also need to have a complete personal information security management system.
Secondly, it requires identifying the scope of the data collection, so that the collection can be shown to be fair, legal, and necessary.
PIPL specifies a detailed scope of what is considered essential data for different service types.
For example, for a ride-hailing app the necessary data is the name, contact details, address, and location, whereas for a financial app collecting the individual's identity document and ID number is considered necessary and allowed.
Thirdly, if the processing activity significantly impacts the data subjects' interests, companies should carry out an assessment beforehand (PIPL Article 55 calls this a personal information protection impact assessment). Activities that significantly impact individuals' rights and interests include:
- Processing sensitive information
- Automatic decision making processes
- Processing on behalf of another handler
- Externally disclosing personal information
- Cross-border data transfer
The assessment needs to identify the purpose, scope, and method of data collection, the impact on individuals' rights and interests, and the measures taken to protect them.
A Data Processing Report is also required. This report needs to identify the data type collected, the storage of those data collected, a mapping of the data transfer, and the owner.
Based on the service type of your product or service, the data handler is required to list all necessary personal information collected, as well as unnecessary personal information collected, with an explanation of why they’re collected.
PIPL Privacy Notice Public Comment Period
Any updates or revisions to your PIPL privacy notice that create a significant impact on individuals' rights or interests should be made available for public comment.
The handler should publish a proposed revision on the official website for at least 30 days. Afterwards, the handler should provide an explanation of why public comments were considered or not.
Learn more about PIPL’s fundamentals, enforcement mechanisms and potential fines: China’s PIPL: Everything You Need to Know.
Understanding Certification Requirements for PIPL Cross-Border Data Transfer
PIPL has an extraterritorial effect. It applies to the handling of personal information of individuals within China whether the handling takes place inside or outside China, for example when a foreign company offers products or services to people in China or analyses their behaviour.
A key challenge when navigating PIPL ambiguity is the regulation of international transfers of personal data from China.
When considering a cross-border data transfer, there are security assessment measures outlined in previous legislation and Article 38 of PIPL that should be used.
Under article 38, you need to follow at least one of the four procedures:
- Undergo a security review organized by the CAC
- Undergo PI protection certification by a professional institution
- Sign a contract with the foreign recipient, following the standard contract formulated by the CAC, stipulating the rights and obligations of each party
- Meet other conditions set by the CAC or relevant laws and regulations
The first procedure is to undergo a Data Export Security Assessment. Companies must undergo a security assessment if they want to export data under the following scenarios.
Scenario 1: A multinational company transferring personal information to a headquarters or office outside of China.
Scenario 2: A foreign information handler trying to either access information within China or process information about Chinese individuals.
Scenario 3: Data handlers that have transferred the personal information (PI) of 100,000+ people, or the sensitive PI of 10,000+ people, overseas since January 1 of the previous year.
Sensitive PI includes but is not limited to biometric data, medical history, financial accounts, location, and any PI of minors under the age of 14.
The security assessment measures also add a new article defining the scope of important data: data that "may endanger national security, economic operation, social stability, or public health and safety once tampered with, destroyed, leaked or illegally obtained or used."
However, not all organizations will need to undergo a CAC security assessment and external audit to comply with PIPL's cross-border data transfer rules.
If the company is not a CIIO (Critical Information Infrastructure Operator) and handles smaller volumes of data than the thresholds above, it may be able to transfer data or PI by signing a 'standard contract' with the recipient.
How is Certification Processed?
The draft technical specification for certification is particularly helpful when going through the certification process.
There are a couple of basic requirements when assessing cross-border data transfers:
- You need legally binding documents, such as contracts, that specify the parties involved in the cross-border transfer, the categories of data processed, and the scope and manner of the processing.
- The purpose of the processing activities needs to be clearly stated, and measures must be in place to protect individuals' rights and interests.
- The parties involved in the processing activity also need to agree on, and make available, a common set of processing rules. This is much like the standard contractual clauses approach and is considered one of the most promising routes for cross-border data transfer.
Should the DPO be Based in China?
Let’s answer the big question many companies have today!
Clearly, the best practice is to have a DPO based locally in China. This way, you’ll have boots on the ground, transfer information quickly, have easier access to Chinese authorities, and be able to respond to the regulators faster.
But it's not mandatory. If you're just starting out, a local representative who understands the language, is familiar with the culture, and responds to regulators effectively is sufficient. Note that PIPL (Article 53) does require handlers outside China that fall under the law to establish a dedicated entity or appoint a representative within China and report that representative's contact details to the authorities, so the representative role itself is not optional.