Privacy and Cybersecurity Update
Get Prepared for Data Privacy Compliance Under China PIPL
On August 20, 2021, China’s National People’s Congress passed the Personal Information Protection Law (PIPL), which will become effective starting November 1, 2021.
As an overarching law in China with respect to data privacy, PIPL shares many similarities with the EU General Data Protection Regulation (GDPR). If a company is already GDPR compliant, its data privacy compliance system can largely be reused in China, although certain localizations are necessary in response to unique requirements under PIPL. In particular, a company should pay attention to the following differences between PIPL and GDPR:
- Data localization. PIPL requires a controller[1] of large-scale personal data[2] or a critical information infrastructure operator (CIIO)[3] to store personal data within China, and cross-border transfer thereof shall be subject to a security assessment by the Cyberspace Administration of China (CAC). Other data controllers may carry out a cross-border transfer in reliance on one of the legitimate approaches recognized under PIPL, including entering into a standard contract (following a template to be issued by CAC) with overseas data recipients. Further, a controller shall obtain standalone consent of data subjects (to the extent that consent is the lawful basis for the data processing) and conduct a data protection impact assessment (DPIA, as defined below) prior to the cross-border transfer.
- Standalone consent of data subjects. Standalone consent is a unique concept under PIPL. The law requires a controller to obtain standalone consent of data subjects under certain circumstances, for example, processing sensitive personal data and cross-border transfer of personal data. Although PIPL does not define the “standalone consent,” it is commonly believed that such consent shall be obtained through a separate affirmative action by data subjects (e.g., a separate signature or clicking of a separate checkbox).
- Rights of data subjects. Rights of data subjects under PIPL are similar to those under GDPR except that the “right to be forgotten” under GDPR is not provided under PIPL.
- DPIA. Both GDPR and PIPL require the DPIA under certain circumstances, for example, automated decision-making and processing sensitive personal data. However, PIPL further requires a controller to conduct the DPIA in the following cases (which are not required under GDPR): cross-border transfer of personal data, contracting a third-party data processor, providing personal data to another controller, and making personal data publicly available.
- Data breach notification. Unlike GDPR, PIPL does not set forth a specific timeline (e.g., within 72 hours) for a controller to notify a government authority of a data breach.
If a company needs to set up its PIPL compliance system from scratch, it may consider taking the following actions:
- Policy drafting. The company shall formulate data privacy policies and procedures covering issues such as general rules about data processing, responding to requests from data subjects, technical measures to protect personal data, employee communication and training, compliance audit, DPIA, the protocol for data breach response and notification, and cross-border data transfer.
- Document readiness. The company shall prepare or review the following documents to ensure they will be PIPL compliant: (i) notice and consent form for obtaining consent of data subjects (particularly for standalone consent), (ii) service contract with third-party data processors (if applicable), and (iii) standard contract with overseas data recipients for data cross-border transfer (if applicable).
- Technical measures. The company shall take technical measures to protect personal data, for instance, data classification, encryption, and deidentification.
- Communication and training. The company shall communicate its data privacy compliance policies to employees and provide training on a regular basis.
- Audit. The company shall regularly conduct audits on its data processing activities to ensure their compliance with PIPL.
- DPIA. The company shall conduct the DPIA in circumstances required under PIPL.
- Data breach notification. The company shall notify government authorities and data subjects of a data breach in accordance with PIPL.
- Data cross-border transfer. Unless it is a CIIO or a controller of large-scale personal data, the company may carry out a cross-border transfer by (i) obtaining standalone consent of data subjects (to the extent that consent is the lawful basis for the data processing), (ii) conducting a DPIA of the cross-border transfer, and (iii) signing a standard contract with overseas data recipients.
- Data Protection Officer (DPO). The company shall designate a DPO, if it is a large-scale personal data controller, while the threshold for such “large-scale” is to be further clarified by CAC.
[1] Note that the term “controller” is defined as “个人信息处理者” in Chinese under PIPL.
[2] The threshold for such “large scale” will be determined by the government authority separately.
[3] The CIIO is required by relevant laws to perform enhanced obligations in terms of cybersecurity and data security protection. Generally speaking, a company will not be regulated as a CIIO if the company does not receive a notice from the competent authority that the authority identifies the company as a CIIO.
Attorney Advertising: Sidley Austin LLP is a global law firm. Our addresses and contact information can be found at www.sidley.com/en/locations/offices.
Sidley provides this information as a service to clients and other friends for educational purposes only. It should not be construed or relied on as legal advice or to create a lawyer-client relationship. Readers should not act upon this information without seeking advice from professional advisers. Sidley and Sidley Austin refer to Sidley Austin LLP and affiliated partnerships, as explained at www.sidley.com/disclaimer.
© Sidley Austin LLP
Contact
If you have any questions regarding this Sidley Update, please contact the Sidley lawyer with whom you usually work, or contact us.