Privacy and Cybersecurity Update
Get Prepared for Data Privacy Compliance Under China PIPL
On August 20, 2021, China’s National People’s Congress passed the Personal Information Protection Law (PIPL), which will become effective starting November 1, 2021.
As an overarching law in China with respect to data privacy, PIPL shares many similarities with the EU General Data Protection Regulation (GDPR). If a company has already been GDPR compliant, its data privacy compliance system can basically work in China, while certain localizations are necessary in response to unique requirements under PIPL. In particular, a company should pay attention to the following differences between PIPL and GDPR:
- Data localization. PIPL requires a controller1 of large-scale personal data2 or a critical information infrastructure operator (CIIO)3 to store personal data within China, and cross-border transfer thereof shall be subject to a security assessment by Cyberspace Administration of China (CAC). Other data controllers may do the cross-border transfer in reliance on one of legitimate approaches recognized under PIPL, including entering into a standard contract (following a template to be issued by CAC) with overseas data recipients. Further, a controller shall obtain standalone consent of data subjects (to the extent that the consent is the lawful basis for the data processing) and conduct the data protection impact assessment (DPIA, as defined below) prior to the cross-border transfer.
- Standalone consent of data subjects. Standalone consent is a unique concept under PIPL. The law requires a controller to obtain standalone consent of data subjects under certain circumstances, for example, processing sensitive personal data and cross-border transfer of personal data. Although PIPL does not define the “standalone consent,” it is commonly believed that such consent shall be obtained through a separate affirmative action by data subjects (e.g., a separate signature or clicking of a separate checkbox).
- Rights of data subjects. Rights of data subjects under PIPL are similar to those under GDPR except that the “right to be forgotten” under GDPR is not provided under PIPL.
- DPIA. Both GDPR and PIPL require the DPIA under certain circumstances, for example, automated decision-making and processing sensitive personal data. However, PIPL further requires a controller to conduct the DPIA in the following cases (which are not required under GDPR): cross-border transfer of personal data, contracting a third-party data processor, providing personal data to another controller, and making personal data publicly available.
- Data breach notification. Unlike GDPR, PIPL does not set forth a specific timeline (e.g., within 72 hours) for a controller to notify a data breach to a government authority.
If a company needs to set up its PIPL compliance system from scratch, it may consider taking the following actions:
- Policy drafting. The company shall formulate data privacy policies and procedures, which shall cover issues such as general rules about data processing, responding to requests from data subjects, technical measures to protect personal data, employee communication and training, compliance audit, DPIA, protocol for data breach response and notification, or data cross-border transfer.
- Document readiness. The company shall prepare or review the following documents to ensure they will be PIPL compliant: (i) notice and consent form for obtaining consent of data subjects (particularly for standalone consent), (ii) service contract with third-party data processors (if applicable), and (iii) standard contract with overseas data recipients for data cross-border transfer (if applicable).
- Technical measures. The company shall take technical measures to protect personal data, for instance, data classification, encryption, and deidentification.
- Communication and training. The company shall communicate with employees about data privacy compliance policies and provide trainings on a regular basis.
- Audit. The company shall regularly conduct audits on its data processing activities to ensure their compliance with PIPL.
- DPIA. The company shall conduct the DPIA in circumstances required under PIPL.
- Data breach notification. The company shall notify data breach to government authorities and data subjects following PIPL.
- Data cross-border transfer. Unless it is a CIIO or a controller of large-scale personal data, the company may do the cross-border transfer by (i) obtaining stand-alone consent of data subjects (to the extent that the consent is the lawful basis for the data processing), (ii) conducting the DPIA of the cross-border transfer, and (iii) signing a standard contract with overseas data recipients.
- Data Protection Officer (DPO). The company shall designate a DPO, if it is a large-scale personal data controller, while the threshold for such “large-scale” is to be further clarified by CAC.
1Note that the term “controller” is defined as “个人信息处理者” in Chinese under PIPL.
2The threshold for such “large scale” will be determined by the government authority separately.
3The CIIO is required by relevant laws to perform enhanced obligations in terms of cybersecurity and data security protection. Generally speaking, a company will not be regulated as a CIIO if the company does not receive a notice from the competent authority that the authority identifies the company as a CIIO.
律师广告—Sidley Austin LLP 是一家全球性律师事务所。我们的地址及联系方式可在 www.sidley.com/en/locations/offices 查阅。
Sidley 提供本信息仅作为向客户及其他友好人士提供的服务,且仅供教育目的使用。本信息不应被解释或依赖为法律意见,亦不构成律师与客户关系。读者在未寻求专业顾问意见之前,不应依据本信息采取任何行动。Sidley 和 Sidley Austin 指 Sidley Austin LLP 及其关联合伙实体,详见 www.sidley.com/disclaimer。
© Sidley Austin LLP
联系我们
如果您对本次 Sidley 更新有任何疑问,请联系您平时合作的 Sidley 律师,或
Capabilities
Suggested News & Insights
- Stay Up To DateSubscribe to Sidley Publications
- Follow Sidley on Social MediaSocial Media Directory