
FlowBeijing
China has fully embraced the digital age. Almost every interaction and transaction with a company or product is done through an APP or web portal. Commerce has also moved into the digital space, with most users paying through one of the many forms of electronic payment instead of cash. All these interactions have given companies access to more data about their users than ever before. They have also given rise to more scammers, intrusive sales calls, and lax data security within companies.
To combat this, the Chinese government has begun rolling out new laws and policies to better protect user data. The two new data laws below are the result.
Data Security Law
Effective September 1, 2021, the Data Security Law sets out how data about China's users is to be handled, both internationally and domestically, and what businesses are responsible for. It also establishes the legal framework for personal data and provides legal avenues for punishing companies and individuals that fail to comply.
An unofficial English translation can be found on China Law Translate.
Personal Information Protection Law (PIPL)
Effective November 1, 2021, the next phase of the Chinese government's plan was a user protection law that shares many similarities with the European Union's General Data Protection Regulation (GDPR). The result is the Personal Information Protection Law, or PIPL. It is enforced by the Cyberspace Administration of China together with local and state authorities, and it is China's first comprehensive law designed to protect users' personal information and regulate how companies may process it.
An unofficial English translation can be found on China Briefing.
How Will It Affect Your Business
The Chinese government is very serious about the new privacy laws. Many companies have already been audited, and those found non-compliant have been fined or had their websites or APPs temporarily suspended. If your company operates in China, or processes a large amount of mainland China user data, you need to conduct a Data Security Law and PIPL compliance audit of your website or APP.
China Data Security Law and Compliance Self Audit
Step 1: Do you have mainland China customers?
NO: These new policies should not affect you.
YES: These new policies affect you immediately, and you should continue your internal audit.
Step 2: Do you collect personal data?
NO: These new policies should not affect you.
YES: The PIPL allows the collection and processing of personal data under the following provisions:
Article 13 (Aged 14 or Above)
Article 31 (Below the age of 14)
You will also have to update the privacy and data collection policies on your APP or website and inform your users clearly, in plain language, as specified in Article 14.
*You must also be ready to update your policies as the government updates its own. Expect this to happen with increasing frequency as China builds out more robust data laws.*
Step 3: Is this information stored outside of China?
NO: You must make sure that all personal data stays stored in China; any breach notification or large transfer of information abroad requires governmental approval.
YES: The PIPL does not yet specify the volume of China users' data above which a company must store that data in China. Companies that handle high volumes of China users' data will have to move their web hosting or data storage to China. Many countries, China included, are uncomfortable with companies that store large amounts of their citizens' data outside the country. To be safe and avoid any business interruption, it would be prudent to begin moving your China users' data storage to China. See Article 40 for the details.
Step 4: Do third-party agents or partnerships have access to your customers' information?
NO: As long as you clearly inform your current users of your data policies, you should not be affected.
YES: You will need to contact every third party that processes your users' data and update your cooperation agreements to fulfill the duties specified in Article 21.
Make sure they understand your stance on personal information; a breach on their side could affect your operations.
Step 5: Do you have a data protection role at your company?
YES: It's great that you have been proactive and that your company values data privacy. This person's role will become more important, and their workload will grow, as more and more users exercise their rights.
NO: You will have to hire someone or assign an existing role to manage how your company handles user data and to make sure it complies with the law. This role will have to respond to a much larger volume of user requests exercising the rights set out in the following articles:
Article 44 (right to know about and decide on the handling of one's personal information, and to restrict or refuse it)
Article 45 (right to access and copy one's personal information, and to have it transferred to another handler)
Article 46 (right to have inaccurate or incomplete personal information corrected or completed)
Article 47 (right to deletion, and the handler's duty to delete proactively)
Article 48 (right to an explanation of the handler's processing rules)
Article 49 (rights of next of kin over a deceased person's personal information)
Article 50 (the handler's duty to set up a mechanism for receiving and handling these requests, and to explain any refusal)
Step 6: Do you have a robust data management system?
YES: This will become increasingly important, as more users begin to contact your company about how their data is handled.
NO: You will need a major update of your CMS and data management systems so that they can handle a high volume of user data requests. Your data management system should be able to:
Your Website/APP Needs A Proactive Solution
These two new data protection laws give users greater control over their data. They also show that China is willing and able to use its legal apparatus to enforce them. The laws are still very new, and many experts are still working out how many of the provisions will affect companies. Expect data protection policies to be updated on a regular basis.
For companies that want to do business in China, we suggest being proactive. If you do not have answers to the questions above, or you need help navigating these new laws, we strongly encourage you to reach out to a legal expert in China. They will tell you whether you need to update your privacy policies, your website and APP designs, or migrate your web hosting to China.