Best of 2022: China’s Personal Information Protection Law – What does the "Beijing Effect" mean for your company?

2022-12-30

The Personal Information Protection Law, or PIPL, is China’s most recent data protection law and took effect in November 2021. It was inspired by the GDPR and is the first holistic data protection law in China. The PIPL, the Cybersecurity Law, and the Data Security Law form the three pillars of data protection and security in the country.

Since these laws were passed, researchers have dubbed their influence the "Beijing Effect", by analogy with the "Brussels Effect" seen after the GDPR was adopted in 2016. Some have labelled these new Chinese laws "restrictive". Like them or not, companies around the world, regardless of whether they have a presence in China, have to change their practices to conform with Chinese law in order to work with Chinese companies.

On 17 December 2021, Straits Interactive and DPEX Network hosted a webinar to give a brief introduction to China’s PIPL. Since the PIPL has several implications for companies doing business in China, a live Q&A was also conducted to address the participants’ most pressing concerns. One of the most common issues that emerged was the transfer of data outside of China for HR management purposes. Snippets of the live Q&A discussing the implications of the PIPL on this issue are transcribed below.

The panellists for the webinar included:
Sarah Wang Han, Head of Research at Straits Interactive and PhD Candidate for Data Protection, specialising in Chinese Data Protection
Lyn Boxall, Director of Lyn Boxall LLC, a Singapore law firm specialising in data protection/privacy, co-author of the "99 Privacy Breaches to Beware of"
Celine Chew, Head of Learning and Development at Straits Interactive

To watch the evergreen webinar in full, please sign up to be a DPEX Network community member and register to watch via this link. To learn about data protection principles in China and Taiwan, please sign up for this course.

Below, we have three commonly asked questions that our experts answered:

Q: Is a Data Protection Impact Assessment (DPIA) required for transfer of personal data from a China subsidiary to an overseas holding company?

Sarah Wang Han
Usually, it is mentioned that if you are transferring personal information outside of China, a DPIA is required. Because the regulators’ thinking is that anything that is outside of China may have a huge impact on the individuals, you need to think about the DPIA.

The good news is in terms of the content of the DPIA – what to assess, how to assess, what might be some of the typical scenarios – there is a national standard that talks about that. And, in our course, we will examine the scenario case study, how it can be done, for different industries on different occasions.

Lyn Boxall
I don't see why not. I think one of the things that might come out of that DPIA is that actually there's no need for me to transfer the data of 100% of my employees. I came across this when I was doing due diligence for a thing in the US. They said to me, “We want every employment contract in Asia Pacific.” I said, “You’re not having them. For this $20 billion IPO you do not need the employment contract of the receptionist in Bangladesh.” I can well imagine if all the employment records are going to be kept in HQ, the question is why. And it might well be because it's a habit, and that’s what will be coming from the DPIA.

Celine Chew
The concept of the DPIA under the China data protection laws is that of the organisation demonstrating accountability in that “I have done my due diligence, and I have done my assessments for what are the risks to the data that the company holds when it's transferring it overseas to another entity in a different country.” This is, in many ways, very similar to the Singapore Personal Data Protection Act’s (PDPA) transfer limitation.

Q: If there is a cross-border transfer of employee personal data to our overseas holding company for HR administration purposes, does a separate consent have to be obtained?

Sarah Wang Han
There are some prerequisites for you to transfer personal data outside of China. First, it depends on what kind of role you have, for example, whether you are considered a CIIO, or Critical Information Infrastructure Operator. For the CIIOs, because they're processing personal data, they will be a little bit more sensitive. So, for the CIIOs, they cannot transfer the personal data outside of China. But if it is necessary for the business, they will undergo the security assessments conducted by the Cyberspace Administration of China (CAC). They won't need to undergo the assessment, although right now we're not 100% clear about what the assessment will be. China’s Government is working decisively to have clear guidance on what will be in the security assessment, so we can expect more clarification from the regulators. For the non-CIIOs, that depends on some of the thresholds, if you have reached the thresholds stipulated by the CAC.

One of the criteria or factors that we can borrow actually is the cross-border data transfer. It does mention that if you are processing the personal information of over 1 million individuals, likely, you cannot transfer it outside of China. But again, if it's definitely necessary, you undergo the security assessments by the CAC. If you are not in any of these situations, then you look at the other two alternatives. One is, if you have the certification authorised by the special agency, and that special agency will be authorised by the CAC. The second is, if you have the SCC, or standard contractual clauses, which should also be formulated by the CAC.

In the law itself, it does not tell you that on certain occasions you don't need to get separate consent when you're transferring outside of China. But you always look at the purpose…when you're transferring the personal data outside of China, is it in line with the original purpose for which you're collecting it? Is it for HR management? Because I will say that if you stick to the original purpose, why do you need to get a separate consent?

The Chinese Government is working very diligently and decisively to come out with more clarification, more national standards and regulations, to talk about how you can operationalise it in your daily activities. And as we observed in the last few months, almost every month, there's some national standard, some regulation coming out. So, we can expect by the time we're having the course that there will be more clarity in terms of the cross-border and other matters.

Celine Chew
The only complication is that there are different types of entities that will have to comply, because they meet the threshold described or specified in each of the different laws for different sections.

So, for the folks who are asking about cross-border transfers, you will have to ask yourself the questions: what your purpose is, what sort of organisation you are, are you a CIIO, what sort of business do you do, does data localisation apply to you, etc. Do these different certifications apply to you? Once you have this information, it will be a bit clearer for you. The regulators themselves will be providing more clarity in the coming months. So, by February, if it gets announced, we will be able to share it with you during the course.

Q: If a Chinese company’s overseas subsidiary’s leave application system (hosted outside China) contains only employee English names, does this constitute data being transferred outside China, with the onset of the PIPL?

Celine Chew
It sounds like the understanding may be that the law is only pertaining to data in Chinese or data pertaining to Chinese citizens, Chinese nationals. Most times data protection laws are not just about the data of the citizens of the country. It's about the origin of that data and what the organisation is doing with the data within the country.

Sarah Wang Han
First, I will say that for the law itself, you can refer back to the GDPR when they talk about whether it's protecting the European citizens or the residents. They do not use those terms, the residents or the citizens, in China’s case. So, you look at that and you compare it with the GDPR’s case, and the logic is similar. It is not confined just to Chinese citizens. It is any individual right now in China. If you are processing their personal information, they will be protected. But of course, in terms of these parts, we can expect more justification or clarification from the government.

Lyn Boxall
If I were to get on a plane and fly to Frankfurt, when I get off the plane, when I go to the rental car, or I go to the hotel, or I go to the restaurant, whatever I do when I get there, I'm going to get the GDPR. So if a foreigner was operating any of those things that I'm going to require when I'm in Frankfurt, or if I’m a German living in Frankfurt, it makes sense that I’m going to get the same protection.


First published on 26 Jan 2022.
