02.11.21 Compliance
3 min to read

Preparing for the Personal Information Protection Law (PIPL) and the Data Security Law (DSL): 5 key questions for any data operation in China

If your operation involves personal data from China, it is critical to assess to exposure, your liabilities and next steps to continue doing business. Leaf has selected the 5 key first questions to ask yourself to be prepared for the changes ahead

With entry in force on November 1, 2021, the Personal Information Protection Law (PIPL) takes the highest place in the Chinese regulation applicable to data privacy and cybersecurity – together with the 2017 Cybersecurity Law and the newly effective Data Security Law (September 1st, 2021). The PIPL should not be mistaken with a Chinese version of the EU GDPR, but rather be understood as the reference law for organisations handling personal information from the PRC.

If your operation involves personal data from China, it is critical to assess to exposure, your liabilities and next steps to continue doing business. Leaf has selected the 5 key first questions to ask yourself to be prepared for the changes ahead

1. Know you data

What part of your data is subject to PIPL or DSL? Did you conduct a data inventory and data flow diagram?

One of the most efficient way to understand if a piece of regulation is applicable or not to your operation is to sort out your data and have a precise picture of the kind of data you collect.

Through a data inventory, identifying a phone number, a date of birth, maps of public infrastructure, human genetic data – to name but a fraction of possible datapoints – will provide you with their legal qualification: if and how regulated the data is.

A data flow diagram represents the dynamic view of your data mapping. Using Einstein’s thought experiment to follow a particle of light, you would be able to follow a packet of data from its conception (e.g. collection) through its processing (e.g. machine learning algorithms), sharing (e.g. sale to third party), retention (e.g. archive in offsite datacenter) and death (e.g. destruction by periodical wipe of storage).

Thanks to these static and dynamic views of your data, you will know what data is regulated, how it flows especially across borders and towards third parties – and thus what laws are applicable to what step of the data lifecycle.

2. Know your law

What legal basis do you use to collect/process PI from the PRC?

The PIPL clarifies what lawful basis are acceptable for the handling of data in China. With similarities with the GDPR, companies operating in the European Union can leverage existing data compliance work. Indeed, consent, performance of contract, legal duties are among these legal grounds. It is however key to note that “legitimate interest” (as understood under GDPR) is not a lawful basis. We’ll keep an eye out on a possible inclusion of the latter in future pieces of regulation – or if cases of enforcement will exclude it from legal thinking in China.


3. Obtain your passport

If you transfer Personal Information out of China, do you have either:

> Passed a security assessment by the authorities?

> Obtained a data protection certification? or

> Concluded a contract with recipient including standard clauses from authorities?

Although applicable regulations do not provide specific technical guidelines on the modalities of the assessment, or the standard clauses to include in contractual documentation, understanding which requirement applies will give you a head start. You will then be prepared to:

> Monitor the relevant regulatory development;

> Identify the technical criteria and how they apply to your operation;

> Update your process – in case of an assessment or certification, or your contractual documentation – in case of data transfer to third parties.

4. Protect yourself

Did you perform a protection impact assessment on Personal Information from the PRC?

> A “personal information protection impact assessment” becomes mandatory under the PIPL for organisation handling sensitive PI, using AI for decision making, providing PI to third parties, transferring PI overseas.

Data protection impact assessment are a well-known practice in the EU thanks to GDPR. Although little technical detail is known from the Chinese side, we observe from experience that Chinese regulators often seek inspiration from other jurisdictions’ work. A DPIA as conducted in the EU might therefore be of use for data operation in China. This might prove cost-effective for MNC with process and tools already available in the EU, to reuse these in China.

5. Localize your business

Do you have a representative or entity in China?

> Mandatory if you handle PI from China. Why? Because Chinese regulators will need a local entity in case of inspection or violation to enforce applicable regulations.

What does it mean for your corporate structure? It is critical to understand the personal and corporate liabilities the Cybersecurity Law, PIPL, and DSL may cause. Structuring your business in China should not only be about operations, but also to deal with the regulator – especially in case of an audit, or a dawn raid. Furthermore, the legal representative will become the key figure the authorities will target in case of violations of the law. Measures should therefore be put in place to protect the legal representative – with adapted Director & Officer insurance for example.