A new privacy law came into effect Nov. 1, but it wasn't a new state law or a much needed federal U.S. law. It was from China. Earlier this year the Personal Information Protection Law of the P.R.C. (PIPL) was passed. Is this GDPR Part 2?
Some are saying yes: the two consumer data privacy laws are similar in many ways. The GDPR, the European Union’s comprehensive data privacy law, took effect in 2018. For the most part, the compliance mechanisms brands have in place for GDPR will be the same for PIPL, according to Kristina Podnar, data privacy and digital policy expert.
“GDPR is a good place to start in terms of compliance because the Chinese law is very, very similar to GDPR especially when it comes to things like right to information and rights to access,” Podnar said. “Where it starts to differ are things like the right to portability. Under the Chinese law it’s slightly different because you have that government angle on it. The government wants to be able to control what data is leaving the country, especially, if it’s what they deem as sensitive information or critical information.”
The Chinese data law is the second such major law passed this year by Earth’s most populated country: China passed the Data Security Law of the P.R.C. (DSL), which came into effect on Sept. 1. China also has its Cybersecurity Law (CSL), passed in 2017.
Who Is the PIPL Applicable To?
So if you’re a marketer in North America, we're pretty sure the first thing you are asking about the Chinese PIPL data regulation is: does this apply to me and my organization?
Here are the people and organizations that need to be on top of this:
- Those who process personal information of Chinese citizens within China.
- Those who carry out activities outside China to process the personal information of Chinese citizens within China under any of the following circumstances:
- Where the purpose is to provide products or services to domestic Chinese citizens
- Where the purpose is to analyze and evaluate the activities of Chinese citizens
- Other circumstances provided by laws and administrative regulations
“This allows them to critically control the data at the end of the day and get access to data,” Podnar said. “And so they want to be able to control 100% of the market. There are no exemptions for small businesses. If you're a circus performer versus a $70 million company, it doesn’t matter. It’s all the same to them. If it's a private business you're in the scope; if you're a government entity you are out of the scope.”
The penalty for noncompliance? It can include things like business suspension and fines of up to nearly $8 million.
Rights for Covered Citizens
Under PIPL, an individual has the right to know and make decisions on the processing of his/her personal information, and the right to restrict or refuse others to process his/her personal information.
An individual is also entitled to consult or copy his/her personal information from a personal information processor. Where an individual finds that his/her personal information is inaccurate or incomplete, he/she is entitled to request that the personal information processor make corrections or supplements. Where an individual requests corrections or supplements to his/her personal information, the personal information processor shall verify the request and make the corrections or supplements in a timely manner.
Factoring in those consumer data rights, you can take some immediate steps to get ready for compliance, according to Polsinelli Law Firm:
- Review all data processing activities to decide whether PIPL applies: Are you outside of China and target behavioral patterns or sell products or services to those within China?
- Find a lawful basis, described in PIPL, for each of your data processing activities: Is the data processing expressly consented to by data subjects?
- Establish a mechanism to respond to data subjects' requests: This includes the right to consult and copy their personal information.
- Set up a mechanism to legally transfer data out of China: Getting data out of China isn't easy. It will need to pass a security review by the Chinese government, among other requirements.
Is Your Business Covered If You’re Complying With GDPR?
Can it be as easy as this: complying with GDPR means you’re good for PIPL in China? Not quite, according to Podnar. “I think just mapping it out to the current systems you have in place, you can't just say things like, ‘I'm good with GDPR, so I'll be good with PIPL,’” Podnar said. “Because if you were good with GDPR, and you had things like data storage in the EU, you weren't worrying about adequacy rules necessarily for transfers to the US. That's not going to fly with China. You're going to have to actually store a lot of your data in China.”
You may have a sound process and the infrastructure because of GDPR, Podnar said, but you have to apply that to a different set of data. “You have to take the same practices and the same rules and apply it to the silo that's sitting over there known as China,” she said.
The Key Differences Between GDPR and PIPL
Although PIPL is similar to GDPR, it does differ from the GDPR in several ways, according to Dr. Alan Tang, principal research director at enterprise IT analyst firm Info-Tech Research Group. Some of those ways include the following.
Data localization is the area where GDPR and PIPL differ most significantly, Tang said. The GDPR does not require data localization.
However, the PIPL clearly and deliberately articulates that Critical Information Infrastructure operators (CIIOs) shall store personal information collected and generated within China inside the country. The detail is set forth in Article 40: “Critical information infrastructure operators and personal information processors whose processing of personal information reaches the number prescribed by the State cyberspace administration shall store the personal information collected and generated within the territory of the People’s Republic of China within the territory of China. If it is indeed necessary to provide such information and data to overseas parties, it shall be subject to the security assessment organized by the State cyberspace administration.”
According to Dezan Shira & Associates, the regulations define CIIOs as companies engaged in “important industries or fields,” including:
- Public communication and information services
- Public services
- E-government services
- National defense
- Any other important network facilities or information systems that may seriously harm national security, the national economy and people’s livelihoods, or public interest in the event of incapacitation, damage, or data leaks.
Unlike GDPR and many other privacy regulations, the PIPL does not provide “legitimate interests” as a lawful basis for processing personal information. The “legitimate interests” lawful basis is broadly used in business scenarios such as the employment context.
Data Subject Rights
The PIPL provides similar rights to data subjects in terms of personal information processing. “Unlike GDPR’s requirement to respond to requests within one month with possibly another two-month extension, the PIPL only vaguely requires organizations to "timely" respond to the requests rather than providing a specific timeline for responding,” Tang said.
Both GDPR and PIPL structure their cross-border transfer requirements around adequacy decisions, appropriate safeguards and derogations/other situations, but there are some key differences:
- Adequacy decisions: GDPR’s mechanism worked very well and encouraged more countries (e.g., Japan and South Korea) to join the mix. An adequacy decision is a decision taken by the European Commission establishing that a third country provides a comparable level of protection of personal data to that in the European Union. The PIPL doesn’t articulate a clear path for adequacy recognition.
- Appropriate safeguards: The GDPR does not require security reviews for CIIOs, but PIPL does. Security reviews are intended to give the authorities more control over the CIIOs.
- Derogations/other situations: The GDPR provides clearly defined scenarios for derogations in terms of personal data cross-border transfers, such as consent, etc. However, the PIPL leaves room for future interpretation; Article 38(4) stipulates that cross-border transfer is permitted if it meets the requirements of “Laws, administrative regulations or other conditions prescribed by laws, administrative regulations, or the State cyberspace administration.”
Marketer Reality: First-Party Data Collection Is the Future
What's the bottom line on this new global regulation? It's a direct call for marketers and brands to implement first-party data strategies that both comply with the new regulations and serve the interest of protecting consumer data, according to Charles Farina, head of innovation at Adswerve.
“The regulations are a result of more consumers becoming frustrated with the mass collection of their data, meaning advertisers must come up with new ways to provide consumers with a more transparent, two-way relationship,” Farina said. “By following these new regulations and doing so transparently, advertisers have the opportunity to develop strong, mutually beneficial relationships with their customers that are based on trust.”
If brands and marketers haven’t been paying attention to all the new legislation occurring in the US and globally, they absolutely must do so now, especially since China influences one of the largest markets in the world, Farina added.
Establish and Operationalize a Holistic Privacy Program
Tang suggested brands establish a privacy program that should cover at least the following areas:
- Designate a person in charge of personal information protection (if processing personal information of more than the forthcoming number of individuals prescribed by the national cyberspace administration)
- Establish a designated agency or representative if engaging in analysis or evaluation of the behaviors of individuals within Chinese territory
- Policies and procedures
- Personal information classification
- Operational permissions and awareness training
- Security controls (e.g., encryption and de-identification)
- Incident response
- Regular compliance audits
- Personal information impact assessments
“Until now, China has been a little bit of a wild wild west in terms of data collection and what marketers are doing in China,” Podnar said. “And so I think that the one thing that (PIPL) will actually do is it'll harmonize a lot more of the work you're doing around data privacy. If I'm going into China or if I'm targeting a German market, I have to do roughly the same thing in terms of data. … You'll be able to use the same infrastructure which I think is really critical. And that'll actually be a benefit for marketers.”