No Match Found
China has enacted a number of significant pieces of data protection legislation in recent years, which greatly strengthen its previous data regime. The new legislation comprises the Cybersecurity Law (CSL), Data Security Law (DSL), the Personal Information Protection Law (PIPL) and 100 other administrative rules and standards. The introduction of extraterritorial provisions, the restriction of cross-border data transfers and the imposition of considerable revenue-based fines for non-compliant behaviour are all part of China’s new regulatory framework for the protection of personal information. This means that consent is not sufficient for data collection and handling. Additional requirements must be complied with, including obtaining the Chinese Government’s prior approval in the case of the outbound transfer of personal data above the prescribed volume.
The CSL came into effect on 1 June 2017. All Irish businesses operating in China must comply with the CSL, in addition to other European and US companies operating in China. The CSL provides general requirements for multi-level cybersecurity protection, the protection of essential information infrastructure, cybersecurity reviews and inspections, and the certification of important network equipment and specialised cybersecurity goods. It also sets out specific requirements, such as the need to preserve network logs for no less than six months and grade cybersecurity and data risks. China is amending the CSL to increase the penalties for non-compliance.
The DSL governs all aspects of data processing to ensure data security. Importantly, the DSL introduces the new requirement that domestic organisations and individuals (including Irish companies and individuals operating in China) shall not provide any data—personal data or business data—stored in China to any foreign judicial or law enforcement agencies unless they have prior approval from the Chinese Government.
The PIPL, which has often been called China’s GDPR, is structurally similar to GDPR but has important differences. For example, the legitimate interest rationale that businesses often rely on is not available under Chinese law. The Chinese Government’s prior approval is also needed to transfer personal data from China, even to Irish parent companies or affiliates, if the volume of data exceeds the prescribed amount. The individual’s consent is not sufficient. In addition, under Chinese law, individuals involved may be fined and blacklisted from serving in important positions for a certain period of time. Importantly, similar to GDPR, Chinese law has extraterritorial application and hence, would apply to Irish companies not operating in China, but selling to Chinese individuals.
Organisations and businesses that collect, use or disclose personal information must comply with these laws. By March 2023, all businesses will need the Chinese Government’s approval for certain data transfers, including data transfers to headquarters or affiliates in Ireland, the rest of Europe or the US. This can only be secured after undergoing a mandatory security assessment—even if the organisation doesn’t have a presence in China. Nearly every multinational company that sells goods or services to customers in China stands to be affected.
Overall, the risks associated with the PIPL in China can be significant for companies. It is important for them to be aware of these risks and to take steps to mitigate them.
Overall, the new data protection laws in China present both opportunities and challenges for Irish businesses operating, or serving customers, in China. While the law provides greater protection for the personal data of individuals in China, it also imposes new obligations on businesses operating in the country. Irish businesses will need to carefully consider how they can comply with these new regulations and ensure that they are able to continue to operate effectively in China while also protecting the personal data of their customers and employees.
To prepare for the Personal Information Protection Law (PIPL) in China, companies should take the following steps:
With a compliance deadline of March 2023, companies operating in China must prepare now to mitigate the risk of fines and legal issues arising from possible non-compliance with a raft of new legislation. We can help you to carefully consider how you can comply with the PIPL and ensure that you are able to continue to operate effectively in China while also protecting the personal data of your customers and employees. Contact us today.