China’s new data privacy law, the Personal Information Protection Law (PIPL), was passed on Aug. 20, 2021, and will go into effect on Nov. 1, 2021. It is the latest in a series of laws designed to protect the personal data of individuals and increase data security in China. Companies, especially multinationals, should make sure they are in compliance with the new law by the time it goes into effect.
“The key takeaway of the Personal Information Protection Law is to lay out the comprehensive framework regarding how companies, both inside China and also outside of China—given its extraterritorial jurisdiction—should collect and process personal data, including also the cross-border transfer of data,” said Todd Liao, an attorney with Morgan Lewis in Shanghai. “It’s a comprehensive legal framework to regulate the processing and collection and cross-border transfer of personal information.”
HR Included in New Law
Unlike previous iterations of similar laws, the PIPL expressly names human resources management in Article 13, among the lawful grounds for processing personal information, so employee data falls squarely within the law’s scope. In practice this means personal information related to employment and HR, including compensation and performance review information, cannot be sent out of China unless it has been anonymized (anonymized data is not personal information under the law) or the employee has been informed and has given separate consent to the transfer, on top of the other prerequisites the law sets for cross-border transfers. This has implications for companies that have a parent company and an HR department based outside of China.
“We’ve seen situations where clients are looking to put their regional HR outside of China,” said Lesli Ligorner, an attorney with Morgan Lewis in Beijing and Shanghai. “And now they’re actually thinking, because China is their biggest market with their biggest employee population, that they should put that person in China, because it’s easier to have that person review everything in China than to have that person be external to China.”
One way companies can prepare for this change is to update their employee handbooks and consent forms so that employees are informed of, and separately consent to, any transfer of their personal information outside of China.
PIPL vs. GDPR
The PIPL is similar to the General Data Protection Regulation (GDPR) in the European Union but differs in important ways. Like the GDPR, the PIPL has broad extraterritorial jurisdiction, so even companies with no presence in China could be affected by the new law if they are collecting data from people who are in China.
“Some of the big differences are that GDPR is a little bit more forgiving, in that if the recipient country, for example, has a robust data protection regime, there is the ability to transfer the data without adding in additional protections,” Ligorner said. “China doesn’t have that. … If you are going to send data outside of China, that’s personal data and there are prerequisites before the transfer can legally take place.”
One other difference is that the PIPL “doesn’t do a great deal in terms of restricting government access to information,” said Lester Ross, an attorney with WilmerHale in Beijing. “There are clear provisions which state that government departments cannot go beyond their bounds, but there are exceptions for public security and national security, which lack the requirements for warrants found in the United States or other liberal democracies.” Also, under Article 41, companies cannot provide personal information stored in China to foreign judicial or law enforcement authorities without first obtaining approval from the competent Chinese authorities.
Processors outside China that fall under the law will be required to establish a dedicated entity or appoint a representative within China to handle personal information-related matters. “The law requires those foreign companies without a presence in China to designate a local representative, almost like an agent, to handle issues regarding personal information collected in China,” Liao said.
However, appointing such an entity or representative does not shift responsibility for compliance away from the company itself. The companies “still remain responsible if something goes wrong. The liability essentially extends to the original collector of personal information,” Ross said.
Little Time to Prepare
With limited time to adjust to the provisions in the new PIPL, there is hope that there will initially be flexibility with the application of the law. “Some trust that there will be a soft enforcement planned for some period of months, giving companies time to adjust as necessary their procedures,” Ross said.
Ultimately, the PIPL is a way to protect personal information of individuals in China without limiting the government’s ability to access that data. “The government would like to have the data, and it would like to limit the capacity of private companies to control data,” Ross said. “This particular law is likely to have a bigger impact on foreign companies, because it will raise costs and complicate the ability to manage subsidiaries in China.”
Katie Nadworny is a freelance writer in Istanbul.