On August 20, 2021, the Standing Committee of the National People’s Congress passed the Personal Information Protection Law (PIPL), which became effective on November 1, 2021.
Since its first draft was released in October 2020, the PIPL has drawn wide attention as China's comprehensive personal data protection law, frequently compared to the European Union's General Data Protection Regulation (GDPR).
Under the PIPL, multinational companies (MNCs) that transfer personal information out of the country must also satisfy one of the statutory cross-border transfer mechanisms, such as passing a security assessment organised by the national cyberspace authority, obtaining personal information protection certification from a professional institution, or concluding a standard contract with the overseas recipient.
Individual consent is the primary legal basis for processing personal information under the PIPL, although not the only one. The law requires that personal information be processed in accordance with the principles of lawfulness, legitimacy, good faith, minimum necessity, openness and transparency, and only for a specific and justified purpose.
What Are the PIPL’s Fundamental Components?
The PIPL applies to any organisation or individual, public or private, that handles the personal information of natural persons within China's borders.
Notably, the PIPL covers not only information that already identifies a person but also information that can be used to identify one: personal information is any information relating to an identified or identifiable natural person, so data that identifies someone only when combined with other data, for instance through profile stitching of non-identified records, is in scope.
For example, a person's purchasing habits and locations, together with other behavioural data, can be triangulated with third-party-appended data to profile the actual individual, even when no email address or phone number was ever collected.
In the processing of personal information, the PIPL refers to the following Basic Principles:
- Lawfulness, legitimacy, necessity and good faith: personal information must not be processed by misleading, fraudulent or coercive means, and every processing activity must have a specific purpose.
- Clear and reasonable purpose: processing must be directly tied to a valid purpose, and collection must be limited to what is required for that purpose.
- Transparency: the rules, purpose, method and scope of processing must be disclosed openly.
- Accuracy: information must be kept accurate, complete and up to date.
- Security: personal information handlers must keep the personal information they process secure and take the necessary protective measures.
How Does the PIPL Manage User Consent?
The type of data and the purpose for which it will be used determine what consent is required. Consent is needed, and has to be captured separately, for each of the following uses:
- Operations, i.e. transaction fulfilment,
- Subscriptions, i.e. memberships,
- Marketing, for example sending promotional communication,
- Profiling, for example personalisation.
Stricter rules apply if the data is classed as Sensitive Personal Information. The PIPL defines this as information that, if leaked or misused, could easily harm a person's dignity or endanger their personal or property safety; it includes a person's specific identity and location tracking, as well as the following categories:
- specially designated status
- religious beliefs
- medical and health information
- biometrics
- financial accounts
- personal information of minors under 14
Before sensitive personal information can be processed, separate consent (rather than a single bundled consent) is required, and there must be a specific, necessary and reasonable purpose for the processing. Companies must take protective measures to secure such data, which includes conducting a Personal Information Protection Impact Assessment (PIPIA) beforehand, and they must inform the individuals concerned of the necessity of the processing and of its impact on their rights and interests.
What Does This Mean for International Brands in China?
Most significantly, the PIPL does away with consent as a single yes or no. A user may, for example, have agreed to marketing but not to profiling, in which case they can still receive promotional messages but no longer personalised ones. Furthermore, the consent a brand holds from the same consumer is likely to differ from platform to platform: WeChat, Tmall and JD may each carry a different consent state.
Brands must ensure that every activity they carry out is consent-compliant: everything about a transaction, everything about marketing and everything about profiling. Before taking any action, a brand must check the user's current consent status across these three categories.
Obtaining the fullest possible consent from each user is not simple. Brands that aim for full express consent, including consent to cross-border transfer, secure it from only roughly 2% of the market.
Brands will therefore need to A/B test their consent flows to learn which consents individuals are willing to give, and consent must be designed into every software solution a brand uses.
Personal information handlers, especially international brands with offshore headquarters, must now obtain and assess consent at a much more granular level. Consent must play a central role both in customer interactions and tracking and in back-end data handling, ensuring that security controls are enforced and that data subject requests (DSRs) can be honoured.
User Consent
Last, but not least, when asking users for consent the following information must be made clear:
- Data receiver: is the data processed within the brand only, or is a third party involved? (Third parties include brand headquarters outside Mainland China.)
- Data usage: how will the data be used, for marketing or for content personalisation?
- Data duration: precisely how long the data will be kept.
- Data location: where the data will be stored, and, where applicable, separate consent for cross-border transfer.
The last point is especially important for international companies that intend to move data collected in China abroad or store it outside the country. This will be particularly complex, since it requires several steps, including but not limited to: filing the transfer with the authorities or completing an assessment certified by a third party; implementing technical security measures to prevent access to the data by foreign governments; and tracking any onward transfer to other entities. Companies should consider China-based solutions first.
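The per-purpose, per-platform consent check described above, as an added example that is not part of the original article: a small Python consent ledger (an assumed design, not any vendor's product and not a legal reference) that records consent per user, per platform and per purpose, keeps the retention period the user was told, treats cross-border transfer and sensitive personal information as separate consents that a bundled grant does not imply, honours withdrawal, and denies any action for which no active matching consent exists. The user IDs, platform names and dates are constructed sample data.

```python
"""Consent ledger that gates each processing action on a user's current,
purpose- and platform-specific consent. Constructed example (assumed design);
not a reference implementation of the PIPL or of any vendor's product."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Purpose(Enum):
    TRANSACTION = "transaction"  # order fulfilment
    MARKETING = "marketing"      # promotional communication
    PROFILING = "profiling"      # personalisation / behavioural profiling


@dataclass
class ConsentRecord:
    purpose: Purpose
    platform: str                # channel the consent was given on, e.g. "wechat", "tmall"
    granted_at: datetime
    retention: timedelta         # the retention period the user was told about
    cross_border: bool = False   # separate consent to move the data outside Mainland China
    sensitive: bool = False      # separate consent covering sensitive personal information
    withdrawn_at: Optional[datetime] = None

    def active(self, now: datetime) -> bool:
        """Consent counts only while it is unexpired and not withdrawn."""
        if self.withdrawn_at is not None and self.withdrawn_at <= now:
            return False
        return now < self.granted_at + self.retention


class ConsentLedger:
    def __init__(self) -> None:
        self._records: Dict[str, List[ConsentRecord]] = {}

    def grant(self, user_id: str, record: ConsentRecord) -> None:
        self._records.setdefault(user_id, []).append(record)

    def withdraw(self, user_id: str, platform: str, purpose: Purpose, at: datetime) -> None:
        """Withdrawal is scoped to one purpose on one platform; other consents are untouched."""
        for rec in self._records.get(user_id, []):
            if rec.platform == platform and rec.purpose == purpose and rec.withdrawn_at is None:
                rec.withdrawn_at = at

    def check(self, user_id: str, platform: str, purpose: Purpose, now: datetime,
              cross_border: bool = False, sensitive: bool = False) -> Tuple[bool, str]:
        """Return (allowed, reason). Default-deny: an action is allowed only when an
        active record matches the platform and purpose AND carries every separate
        consent the action needs (cross-border transfer, sensitive PI)."""
        matching = [r for r in self._records.get(user_id, [])
                    if r.platform == platform and r.purpose == purpose and r.active(now)]
        if not matching:
            return False, f"no active {purpose.value} consent on {platform}"
        if cross_border and not any(r.cross_border for r in matching):
            return False, "no separate cross-border transfer consent"
        if sensitive and not any(r.sensitive for r in matching):
            return False, "no separate consent for sensitive personal information"
        return True, "ok"


# Constructed sample data (not real users); a fixed clock keeps results reproducible.
T0 = datetime(2022, 1, 1, tzinfo=timezone.utc)
DAY = timedelta(days=1)


def build_demo_ledger() -> ConsentLedger:
    """One user who consented on WeChat to transactions (1 year) and marketing (90 days),
    never to profiling, and to cross-border transfer only for Tmall transactions."""
    ledger = ConsentLedger()
    ledger.grant("u1", ConsentRecord(Purpose.TRANSACTION, "wechat", T0, 365 * DAY))
    ledger.grant("u1", ConsentRecord(Purpose.MARKETING, "wechat", T0, 90 * DAY))
    ledger.grant("u1", ConsentRecord(Purpose.TRANSACTION, "tmall", T0, 365 * DAY,
                                     cross_border=True))
    return ledger


if __name__ == "__main__":
    ledger = build_demo_ledger()
    print(ledger.check("u1", "wechat", Purpose.TRANSACTION, T0 + DAY))                     # allowed
    print(ledger.check("u1", "wechat", Purpose.PROFILING, T0 + DAY))                       # denied: never consented
    print(ledger.check("u1", "wechat", Purpose.MARKETING, T0 + 100 * DAY))                 # denied: retention expired
    print(ledger.check("u1", "wechat", Purpose.TRANSACTION, T0 + DAY, cross_border=True))  # denied: no cross-border consent
    print(ledger.check("u1", "tmall", Purpose.TRANSACTION, T0 + DAY, cross_border=True))   # allowed
    ledger.withdraw("u1", "wechat", Purpose.MARKETING, T0 + 10 * DAY)
    print(ledger.check("u1", "wechat", Purpose.MARKETING, T0 + 20 * DAY))                  # denied: withdrawn
```

The design choice worth noting is the default-deny shape of `check`: a transaction consent on WeChat says nothing about profiling on WeChat or about transactions on Tmall, and a bundled grant never satisfies a cross-border or sensitive-data request unless that specific consent was recorded. Calling `check` immediately before each action, rather than caching a yes/no at sign-up, is what keeps withdrawal and retention expiry effective.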
Conclusion
The PIPL is a major piece of legislation with far-reaching consequences, and it has clear parallels to the European Union's General Data Protection Regulation.
It is vital that enterprises take the necessary steps to comply with the PIPL, since it applies to data handling activities both within China and, through its extraterritorial reach, beyond China's borders.
If you wish to know more about the PIPL, please contact our team. We use our knowledge and expertise to help businesses build meaningful partnerships and develop their network among Chinese customers. For additional information, please contact us by phone in Shanghai or Hong Kong.