Foreign companies the world over are still trying to comprehend the nuances and hidden meanings of China’s new data security laws, which have been in force for three months now. The Personal Information Protection Law (PIPL) lays out ground rules around how data is collected, used, and stored. Companies based outside of China have to get security clearance for their data processing requirements.
Multinational corporations wanting to move personal information from China will have to obtain certification on data protection from professional institutions as per the PIPL rules.
The new data law defines personal information as all types of data, recorded electronically or in other forms, that relate to identified or identifiable persons.
According to media analysts, the PIPL “also applies to foreign organisations that process personal data overseas for the purpose of, amongst others, providing products and services to Chinese consumers as well as analysing the behaviours of Chinese consumers”. They also will have to “establish designated agencies or appoint representatives based in China to assume responsibility for matters related to the protection of personal data”.
The new legislation encompasses a chapter that applies “specifically to cross-border data transfers”, stating that companies that need to move personal information out of China must first conduct “personal information protection impact assessments”, to quote a statement of the Hong Kong Office of the Privacy Commissioner for Personal Data.
The PIPL, which came into force on November 1, is China’s first comprehensive data privacy law to fully protect hundreds of millions of Chinese consumers. However, the law will also reshape how companies in China do business because the law places “greater restrictions on what companies and individuals handling people’s personal information can do with that data”.
The PIPL is seen in the West as part of authoritarian China’s recent attempts to rein in private industry. This law aims to tackle the unchecked growth of the country’s tech giants.
What the foreign companies are wary of is the fact that while the PIPL can help stop unauthorised data trading and data theft in China, it is closely linked to the government’s national security priorities. The foreign companies do not want to get caught in any security rigmarole. The PIPL rules clearly state that foreign companies can be blacklisted if they do not comply with the rules or “harm” China’s national security. The companies can even be banned from processing Chinese personal data, at colossal loss to their business.
Another issue that concerns foreign companies and human rights organisations is that the new data law cannot stop the Chinese State from accessing the personal data of its citizens. China is already considered among the most surveilled countries in the world. On top of that, unbridled power to access data will mean a greater threat to personal privacy.
Among other grey areas in the law are how the security assessment should be handled, what the model clauses for data transfer designed by the China Cyberspace Administration are, and what the procedure is for foreign judicial bodies or law enforcement agencies applying for personal data of citizens.
Companies which hold personal information about millions of Chinese can no longer share data outside of China. They will have to submit themselves to a national security review.
There is an array of monetary fines the new law can make foreign companies pay for violating rules. Companies in breach may be issued an order for rectification or warnings. Chinese authorities also may confiscate any “unlawful income”.
Violators that fail to comply with orders to rectify the breach will face “fines of up to 1 million yuan ($150,000), while the person responsible for ensuring compliance can be fined between 10,000 yuan ($1,500) and 100,000 yuan ($15,000)”. For “serious” cases, Chinese authorities also dish out “fines of up to 50 million yuan ($7.5 million) or 5% of the company’s annual turnover for the previous fiscal year”. Over and above this, “its business operations may be suspended or business permits and licences revoked”.
Foreign Policy, in its review of the law, says: “These new restrictions paint a complicated picture for the future of data governance, continuing a trend toward more complex regulatory regimes, competing legal frameworks, and increased restrictions on international data flows. Governments’ continual adoption of similar measures will increasingly disrupt an era of relatively restriction-free cross-border data flows that has been critical to the growth and expansion of many international businesses.”
According to the American news publication, the addition of new data classifications, legal jurisdictions, and data storage requirements imposes “another layer of regulatory complexity for businesses operating in China”.