China’s new Personal Information Protection Law (PIPL) came into effect on November 1 and is now one of the strictest in the world governing what businesses can do with Chinese people’s personal information. So what do China’s new data privacy laws mean for your company in practice? And how can you make sure you’re compliant with the new regulations?
In this article, first published in China Briefing, Thomas Zhang, Dezan Shira & Associates’ Group IT Director, introduces the PIPL and explains several key considerations for companies to build a roadmap for compliance.
PIPL states that a company should appoint “a person in charge of personal information protection” when processing personal information on a large scale based on the criteria specified by the CAC. Is the appointment of a Data Protection Officer (DPO) mandatory under the PIPL?
No, it is not mandatory; however, for companies that don’t have an office in China and still want to provide services in China, a DPO or representative is necessary. In general, in cases where the company has an office in China and they can find a local person to play the role of representative, there is no need to have a DPO. Nevertheless, many companies don’t have enough internal resources to support this, so an external DPO can be very helpful.
Can a company send aggregated information derived from personal information across borders, especially if it doesn’t contain any specific personal information on Chinese citizens?
Yes, because we are talking about aggregated data – which doesn’t have any specific personal information of individuals. This means that it will be “abstract” data that cannot be tracked to one single individual. In this case, the data will not be treated as personal information or as sensitive personal information, and you are allowed to transfer it outside of China.
A company is exchanging data with its headquarters via SAP. Will this be deemed a cross-border transfer and require a Data Protection Impact Assessment (DPIA)?
If your IT system is located in the UK, but your business operations in China are processing personal information, you will need a DPIA. Whether you are allowed to transfer personal information out of the country or not is based on the scale of the personal information. The Cyberspace Administration of China (CAC) will specify the criteria about which kind of personal information will not be allowed to be transferred out, but for now, we will need to wait for more details from the government.
Many international schools store student data. What about the protection of data for children under 14 years old? Are there special protections under the PIPL?
Yes. Information from people under 14 years of age will also be regarded as sensitive information. If you are going to process sensitive personal information, you must collect separate consent and conduct a DPIA.
Are employee names and mobile phone numbers in an active directory considered personal information?
Yes. The definition of personal information is very wide under the PIPL. Any information that can be tied to one single individual is considered personal information. For example, mobile phone numbers in China are tied to real names and can be connected to an individual. Names are also a kind of personal information. Although a name can be common and used for multiple people, under the PIPL it is still considered personal information.
Yes. The definition of personal information is very wide under the PIPL. Any information that can be tied to one single individual is considered personal information. For example, mobile phone numbers in China are tied to real names and can be connected to an individual.
Are security logs (e.g., firewalls and active directories) considered personal information (as they are usually linked to an IP address or account name and not directly linkable to the user)?
Yes. Under the GDPR, IP addresses are defined as personal information, and this is the same for the PIPL. We know that IP addresses are dynamic, but from an IT perspective, we can still trace an individual to their IP address most of the time with certain efforts, making IP addresses one kind of personal information under the PIPL.
If processed personal information is stored by a third-party vendor such as Google Drive, does it fall to the vendor to formulate proper information protection that complies with the PIPL?
Similar to GDPR, under PIPL, it is the information controller – the one who makes decisions on how to collect and store the data – that assumes the responsibility for personal information protection. Therefore, if you are the information controller, and you make the decision to collect personal information and make the decision to transfer it out to save in Google Drive, you are responsible for everything. Of course, you can make a service agreement with your vendor to specify what kind of measures should be taken to protect the personal information.
If an IP address is a company private IP address, for example, 10.0.0.1, is it considered personal information?
From a technical perspective, yes. For example, in China, the cyber police require companies to set up a firewall or security device, which can allow the company to track the website access logs for users. This means that even if you are using a private IP of your company, your firewall or security can still track these records, and IT can use these records to trace back to the individual using this IP address. In practice, however, at the current stage, IP address information is really a minor consideration for the authorities. There are other more significant issues for the authorities to pay attention to.
This article was first published by China Briefing, which is produced by Dezan Shira & Associates. The firm assists foreign investors throughout Asia from offices across the world, including in China, Hong Kong, Vietnam, Singapore, India, and Russia. Readers may write to info@dezshira.com for more support.
