Understanding the implications of China’s PIPL data protection law

25 January, 2023

China has enacted a number of significant pieces of data protection legislation in recent years, which greatly strengthen its previous data regime. The new legislation comprises the Cybersecurity Law (CSL), the Data Security Law (DSL), the Personal Information Protection Law (PIPL) and 100 other administrative rules and standards. The introduction of extraterritorial provisions, the restriction of cross-border data transfers and the imposition of considerable revenue-based fines for non-compliant behaviour are all part of China’s new regulatory framework for the protection of personal information. Under this framework, consent alone is not sufficient for data collection and handling. Additional requirements must be complied with, including obtaining the Chinese Government’s prior approval for the outbound transfer of personal data above the prescribed volume.


CSL

The CSL came into effect on 1 June 2017. All Irish businesses operating in China must comply with the CSL, as must other European and US companies operating in China. The CSL provides general requirements for multi-level cybersecurity protection, the protection of essential information infrastructure, cybersecurity reviews and inspections, and the certification of important network equipment and specialised cybersecurity goods. It also sets out specific requirements, such as the need to preserve network logs for no less than six months and to grade cybersecurity and data risks. China is amending the CSL to increase the penalties for non-compliance.

DSL

The DSL governs all aspects of data processing to ensure data security. Importantly, the DSL introduces the new requirement that domestic organisations and individuals (including Irish companies and individuals operating in China) shall not provide any data—personal data or business data—stored in China to any foreign judicial or law enforcement agencies unless they have prior approval from the Chinese Government.

PIPL

The PIPL, which has often been called China’s GDPR, is structurally similar to GDPR but has important differences. For example, the legitimate interest basis that businesses often rely on under GDPR is not available under Chinese law. The Chinese Government’s prior approval is also needed to transfer personal data out of China, even to Irish parent companies or affiliates, if the volume of data exceeds the prescribed amount; the individual’s consent is not sufficient. In addition, under Chinese law, the individuals involved may be fined and blacklisted from serving in important positions for a certain period of time. Importantly, like GDPR, Chinese law has extraterritorial application and hence would apply to Irish companies that are not operating in China but are selling to Chinese individuals.

Organisations and businesses that collect, use or disclose personal information must comply with these laws. By March 2023, all businesses will need the Chinese Government’s approval for certain data transfers, including data transfers to headquarters or affiliates in Ireland, the rest of Europe or the US. This can only be secured after undergoing a mandatory security assessment—even if the organisation doesn’t have a presence in China. Nearly every multinational company that sells goods or services to customers in China stands to be affected.

PIPL general requirements

  • Organisations and businesses that collect, use or disclose personal information must comply with the law.
  • Personal information must be collected, used and disclosed in a manner that is fair, transparent, and in accordance with the law.
  • Organisations must obtain the consent of the individual before using their personal information for certain purposes.
  • Personal information must be stored and processed in a secure manner and must be protected against unauthorised access, use or disclosure.
  • Organisations must provide individuals with certain rights, including the right to access their personal information and the right to request its correction or deletion.
  • Organisations must comply with the rules and regulations set out in the PIPL and must be prepared to cooperate with relevant authorities to ensure compliance.

Risks to your business

Overall, the risks associated with the PIPL in China can be significant for companies. It is important for them to be aware of these risks and to take steps to mitigate them.

  • Difficulty obtaining consent: the PIPL requires companies to obtain the consent of individuals before using their personal information for certain purposes. This can be difficult for companies to do, especially if they are collecting personal information from a large number of individuals.
  • Potential for fines and legal issues: if a company violates the PIPL, it could be subject to confiscation of income, a fine of up to RMB 50mn or 5% of the previous year’s turnover, business suspension and revocation of business licences. Damages and criminal prosecution are also possible. This can be a significant risk for companies, especially if they are not familiar with the law or are not properly complying with it. China has been very aggressive with enforcement: it fined Didi, a ride-hailing company, USD 1.2bn last summer, and the Chinese criminal authorities reported that they arrested 17,000 people last year alone for data violations. Hence, companies doing business with China are rushing to comply.
  • Reputational damage: if a company is found to have violated the PIPL, it could face negative media coverage and damage to its reputation. This could harm the company's ability to attract and retain customers, and could ultimately have a negative impact on its bottom line.
  • Increased compliance costs: complying with the PIPL can require companies to invest in new processes, systems and personnel. This can be a significant cost for companies, especially if they are not prepared for the requirements of the law.

Overall, the new data protection laws in China present both opportunities and challenges for Irish businesses operating, or serving customers, in China. While the law provides greater protection for the personal data of individuals in China, it also imposes new obligations on businesses operating in the country. Irish businesses will need to carefully consider how they can comply with these new regulations and ensure that they are able to continue to operate effectively in China while also protecting the personal data of their customers and employees.

The five key actions to take now

To prepare for the Personal Information Protection Law (PIPL) in China, companies should take the following steps:

  1. Understand the requirements of the law: it is important for companies to familiarise themselves with the requirements of the PIPL, including the rules for collecting, storing and using personal information.
  2. Develop a compliance plan: companies should develop a plan for how they will comply with the PIPL, including any necessary changes to their processes, systems and personnel.
  3. Obtain consent: the PIPL requires companies to obtain the consent of individuals before using their personal information for certain purposes. Companies should develop a plan for how they will obtain this consent and ensure that they are doing so in a compliant manner.
  4. Train employees: all employees who handle personal information should be trained on the requirements of the PIPL and how to comply.
  5. Review and update policies and procedures: companies should review their existing policies and procedures related to personal information and update them as necessary to ensure compliance with the PIPL.

We are here to help you

With a compliance deadline of March 2023, companies operating in China must prepare now to mitigate the risk of fines and legal issues arising from possible non-compliance with a raft of new legislation. We can help you to carefully consider how you can comply with the PIPL and ensure that you are able to continue to operate effectively in China while also protecting the personal data of your customers and employees. Contact us today.

Contact us

Pat Moran

Partner, PwC Ireland (Republic of)

Stephen O'Keeffe

Director, PwC Ireland (Republic of)

Tel: +353 87 716 2225

Garrett Keogh

Senior Manager, PwC Ireland (Republic of)
