Late last year the National People’s Congress of the People’s Republic of China (PRC) adopted a comprehensive new data privacy law, the Personal Information Protection Law (PIPL). The PIPL came into effect on 1 November 2021, and impacts the way that the personal information of almost one billion internet users in PRC is handled. You can read an English translation of the PIPL here.
In this article we consider the application of the PIPL to New Zealand businesses that do not have a presence in PRC and discuss some of the key provisions of the PIPL.
PIPL has extraterritorial effect
As well as applying to entities within PRC, the PIPL has extraterritorial effect, adding yet another law to many organisations’ international compliance efforts.
In a similar vein to Europe’s General Data Protection Regulation (GDPR), the PIPL extends its territorial scope to the processing of personal information conducted outside of PRC, where the purpose of the processing is:
- to provide products or services to individuals inside PRC;
- to “analyse” or “assess” the behaviour of individuals in PRC; or
- for other purposes to be specified by laws and regulations.
The scope of the first limb is not entirely clear. It seems similar to the extraterritorial provisions of the GDPR. However, the GDPR guidance indicates that it is concerned with businesses that specifically provide products and services to Europe (i.e. Europe is the target), rather than merely because a person in Europe ordered a product or service from a global website. Our Privacy Act 2020 also has extraterritorial reach, applying to an overseas agency that carries on business in New Zealand. We have not found any guidance on the breadth of this provision in the PIPL. However, the wording of the PIPL translation does suggest a similar limitation, as it refers to its application where the “purpose” is to provide the product or service to individuals inside PRC.
A further implication of the PIPL’s extraterritorial application is that foreign companies subject to the PIPL will have to establish designated agencies or appoint representatives based in PRC to take responsibility for issues related to the handling and protection of personal information. Unlike with GDPR, there does not appear to be any threshold for the application of this requirement.
Key obligations in processing under PIPL
There are a number of obligations under PIPL when collecting and processing personal information. We discuss a few key ones below.
The PIPL provides a number of grounds under which the processing of personal information is permitted, and is heavily focused on express notice and consent as the primary basis for processing personal information. Valid consent must be voluntary, explicit and given by the individual on a fully informed basis. If there is any change to the category of personal information or to the purpose or method of personal information processing, consent must be obtained again. A separate consent is required for processing sensitive personal information (e.g. medical health status and financial accounts). Consent must be obtained for any disclosure of personal information. Individuals also have the right to withdraw their consent. These requirements go somewhat further than what is required under our Privacy Act 2020.
Other authorised reasons for processing are similar to those in our Privacy Act 2020 and other international standards. For instance, the PIPL contemplates processing for purposes directly related to the consented purpose, for performing a contract with the individual, where necessary for responding to public health emergencies or to protect natural persons’ lives, health or property in an emergency, and for complying with applicable laws. However, from an international perspective, there is no “legitimate interests” category as there is in the GDPR.
While in New Zealand an exception applies to business sales, under PIPL there is a requirement for notification (rather than consent) where personal information is transferred for mergers, division, dissolution, and bankruptcy. In addition, the PIPL notes that if the purchaser wishes to change the original purpose and method of processing, it must first obtain the consent of the individual concerned.
Some other key points of note include:
- a privacy notice must be provided to individuals before processing (with additional details required where processing sensitive personal information)
- individuals have a right to have personal information deleted
- individuals may prohibit the processing of unsolicited information they provide
- a sub-processor must not process the personal information beyond the scope of the agreement for processing with the party that engaged the sub-processor
- individuals must be fully informed of and consent to any parties to whom personal information is to be provided for those parties’ own purposes
- privacy impact assessments are required in certain circumstances, such as prior to processing sensitive personal information
- compliance audits must be undertaken
- privacy breaches must be notified (and remedial measures undertaken).
The PIPL also introduces new rules relating to cross-border data transfers. In particular, companies wanting to transfer personal information out of PRC must meet one of a number of criteria before this is possible. One option is for an entity to pass an assessment or undergo certification as administered by the Cyberspace Administration of China (CAC). Another is for entities to sign a “standard contract” issued by the CAC agreeing the rights and responsibilities of both sides. This will have implications for any business outside of PRC that processes personal information on behalf of an entity inside PRC.
Implications
For New Zealand businesses and organisations carrying on business in PRC or processing the personal information of individuals in PRC, we recommend you carefully review the PIPL and determine its application to your operations. Significant fines can be imposed under the PIPL, being up to 5% of the previous year’s turnover or up to RMB 50m (about NZ$11m) for serious violations. However, the PIPL does contemplate a warning in the first instance.
Although there are some similarities between the PIPL and the Privacy Act 2020, we recommend anyone with customers in PRC assesses whether their privacy framework complies with PIPL.
If you would like further information about the PIPL and what it may mean for your business, please get in touch. We are happy to give you some initial guidance from a New Zealand lawyer’s perspective. However, as we do not practise in the People’s Republic of China, we are not able to provide legal advice on the PIPL. Instead, we can put you in touch with legal counsel in PRC to provide any advice that you require.
Please note that this article has been written based on our interpretation of the English translation of the PIPL and does not constitute legal advice on the PIPL.