Passed in August, the Personal Information Protection Law takes effect on November 1, spelling out rules around data collection, use, and storage, as well as what international companies must do when they transfer data out of the country.<\/b>
\nChina’s Personal Information Protection Law (PIPL) is now in force, laying out ground rules around how data is collected, used, and stored. It also outlines data processing requirements for companies based outside of China, including passing a security assessment conducted by state authorities. Multinational corporations (MNCs) that move personal information out of the country also will have to obtain certification on data protection from professional institutions, according to the PIPL. The legislation was passed in August, after it went through a couple of revisions since it was first pitched in October last year. Effective from November 1, the new law was necessary to address the \u00ab\u00a0chaos\u00a0\u00bb data had created, with online platforms over-collecting personal data, the Chinese government then said. Personal information is defined as all types of data recorded either electronically or other forms, which relates to identified or identifiable persons. It does not include anonymised data. The PIPL also applies to foreign organisations that process personal data overseas for the purpose of, amongst others, providing products and services to Chinese consumers as well as analysing the behaviours of Chinese consumers. They also will have to establish designated agencies or appoint representatives based in China to assume responsibility for matters related to the protection of personal data. The new legislation encompasses a chapter that applies specifically to cross-border data transfers, stating that companies that need to move personal information out of China must first conduct \u00ab\u00a0personal information protection impact assessments\u00a0\u00bb, according to Hong Kong’s Office of the Privacy Commissioner for Personal Data (PCPD). They also will need to obtain separate consent from individuals pertaining to the transfer of their personal information and meet one of several requirements. These include agreeing to a \u00ab\u00a0standard contract\u00a0\u00bb issued by authorities overseeing cyberspace matters and fulfilling requirements outlined in other laws and regulations established by the authorities, the PCPD said. These MNCs also would have to implement necessary measures to ensure other foreign parties involved in processing the data adhere to data security standards stipulated by the PIPL. Leo Xin, senior associate with law firm Pinsent Masons, described the legislation as a \u00ab\u00a0milestone\u00a0\u00bb in China’s data protection legal regime and urged MNCs to pay special attention to the rules on cross-border data transfers. Leo said in a post: \u00ab\u00a0There are still certain areas that remain unclear and require detailed implementation rules, such as how the security assessment should be handled, what the model clauses for data transfer formulated by the China Cyberspace Administration look like, what the approval procedure shall be [if] there is request for personal information by overseas judicial organs or law enforcement agencies.\u00a0\u00bb The legislation further called for the handling of personal data to be clear, reasonable, and limited to the \u00ab\u00a0minimum scope necessary\u00a0\u00bb to achieve their objectives of processing the information. The lawyer recommended that MNCs begin evaluating the potential impact of PIPL on their IT infrastructure and data processing activities. According to the PCPD, the new legislation also encompasses \u00ab\u00a0automated decision-making\u00a0\u00bb data processing, in which IT systems are used to automatically analyse and make decisions about consumer behaviours as well as consumers’ habits, interests, financial, and health. Here, companies will have to ensure such decision-making processes are transparent and fair. Consumers also must be provided the option to opt out of receiving personalised content. Security impact assessments must be carried out and these reports retained for at least three years. Companies that breach PIPL rules may be issued an order for rectification or warnings. Chinese authorities also may confiscate any \u00ab\u00a0unlawful income\u00a0\u00bb, according to the PCPD. Violators that fail to comply with orders to rectify the breach face fines of up to 1 million yuan ($150,000), while the person responsible for ensuring compliance can be fine between 10,000 yuan ($1,500) and 100,000 yuan ($15,000). For \u00ab\u00a0serious\u00a0\u00bb cases, Chinese authorities also dish out fines of up to 50 million yuan ($7.5 million) or 5% of the company’s annual turnover for the previous fiscal year. In addition, its business operations may be suspended or business permits and licences revoked. The Beijing administration last month told local media it would take \u00ab\u00a0targeted measures\u00a0\u00bb to address problems it deemed to persist within the digital economy, such as poor data management. According to South China Morning Post, the Ministry of Industry and IT was pushing ahead with its scrutiny of the internet sector as part of six-month campaign that began in July. The ministry recently intructed 43 apps to make rectifications after they were found to have illegally transferred user data. The Cyberspace Administration of China (CAC) in July ordered Chinese ride-sharing platform Didi to remove its app from local app stores, after it breached regulations governing the collection and use of personal data. Did was instructed to rectify \u00ab\u00a0existing problems\u00a0\u00bb and \u00ab\u00a0effectively protect\u00a0\u00bb users’ personal data. In May, the CAC called out 33 mobile apps for collecting more user data than it deemed necessary to offer their service. These companies, which included Baidu and Tencent Holdings, also were told to plug the gaps. Tencent said last month said it was forming a committee to assess its user data protection and privacy policies. This team would comprise technical, legal, and media professionals as well as member of the public, the Chinese tech giant said. The committee then would make recommendations on improvements, if and where necessary, to better safeguard user privacy.<\/p>\n