Practical Compliance for Foreign Businesses Under China’s New Personal Information Protection Law

Moye White has been a part of Ally Law for over 15 years. This membership allows us to use the expansive network of more than 70 firms across the globe to provide our clients with local intelligence with a global breadth. In 2022, we are partnering with fellow Ally Law member firms across the globe for our International Insights blog series. Every other month, one of our Ally Law partner firms will share insights and tips for doing business in their home country.

Our first guest blog comes from R&P China Lawyers in Shanghai. Founded in 2010, R&P is a foreign-oriented Chinese law firm and has become one of the most trusted sources of legal support for international business in China. They provide a full range of legal support to international companies investing, operating, or doing business in China.

- Paul Franke, President of Ally Law

For over a decade, we have begun client alerts on data privacy in China with the sentence: China does not have a comprehensive set of data privacy laws. That is finally no longer the case. There are now three foundational laws making up the data regulatory framework: the 2017 Cybersecurity Law, which primarily governs network security; the Data Security Law, effective 1 September 2021, which focuses on national security and non-personal data; and the most recent Personal Information Protection Law (PIPL), effective 1 November 2021, which addresses personal information protection in a manner more akin to Europe's GDPR (General Data Protection Regulation). The PIPL in particular sets new standards for foreign businesses in China.

Practical Compliance Steps

A list of the PIPL's key provisions is easy to find, but what steps do you, as a foreign business with a subsidiary in China, actually need to take to be compliant?

1. Review and revise your current privacy policy for external users, as well as your employment contract, handbook and other employment-related policies.

  • Transparency is the key principle that should be reflected across your policies.
  • Even before the PIPL, this was the trend in specific data privacy regulations, for example those for mobile phone applications, which require clear and detailed explanations at every step of how data is to be used.

2. Incorporate specific, separate consents upon customer intake, either via separate pop-up windows or via one interface with multiple check-the-box buttons.

  • The latter option can be a more user-friendly way to obtain multiple separate consents, for example for use, transfer to a third party, or export.
  • Also remember that not all transfers to third parties require consent: for example, where the transfer is to an outsourced "entrusted party" that processes the information on behalf of your company (rather than for its own purposes) and a data processing agreement is in place with it.
  • In those cases, you may not need to list them for the purpose of obtaining a separate consent from the user.

3. Incorporate similar specific, separate consents for employee onboarding, either online via check-the-box buttons or offline via one-page stand-alone consent forms.

  • Also mirror the same language in your employee handbook or other employee policy, so that you can argue the processing is necessary under your work rules regardless of consent (consent is not required in the first place for such processing, so it cannot be withdrawn!).
  • Amending the employee handbook requires consultation with, and de facto approval by, employees, so it is best done in tandem with other changes you have been meaning to make anyway.

4. Develop an internal management system with internal controls, including:

  • Individual records that are easy to locate and remove, copy or correct when a user withdraws consent or requests a copy or a correction.
  • A system robust enough to keep operating when data is removed or when a user rejects automated decision-making.
  • Data access limited to staff with access privileges, with fields in the database separated or masked from everyone else (for example, someone providing routine technical support does not need to see full personal payment or billing information).
  • Retention periods limited to what is necessary to perform the service.
  • Measures to secure data (encryption, de-identification, etc.) and to respond to data breaches.
  • Adequate training of staff to identify and inventory the different types of data on the front end, and to respond to data breaches.
  • A central hub to implement all of this. Remember that many policies are written by lawyers but break down when they reach IT implementation and business operations.
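To make the step 4 controls concrete, the following is an added illustration in Python; it is not code from the article or from R&P China Lawyers, and the PIPL does not prescribe any particular implementation. The record layout, the role names "billing" and "support", the sensitive-field inventory and all customer records are constructed sample data. The block shows the four controls a practitioner would prototype first: role-based masking of database fields (support staff never see the card number), locating one data subject's record, recording a withdrawn consent or erasing the record, and purging records past a retention period.

```python
"""Added illustration of the article's step 4 internal controls.
Not the article's or the law firm's code; schema, roles and records are
constructed assumptions, and the masking/erasure logic is a generic pattern."""
from copy import deepcopy
from datetime import date, timedelta
from typing import Optional

# Constructed sample customer records (assumed schema).
SAMPLE_CUSTOMERS = [
    {"id": 1, "name": "Zhang Wei", "phone": "13800000001",
     "card": "6222021234567890", "last_order": date(2021, 2, 1),
     "consent_marketing": True},
    {"id": 2, "name": "Li Na", "phone": "13900000002",
     "card": "6225881111222233", "last_order": date(2022, 1, 15),
     "consent_marketing": True},
]

# Data inventory: fields classified as sensitive personal information.
# Financial account data is the example used in the article's bullet.
SENSITIVE_FIELDS = {"card"}

# Fields each role may see in the clear; anything else is masked.
FIELD_ACCESS = {
    "billing": {"id", "name", "phone", "card", "last_order", "consent_marketing"},
    "support": {"id", "name", "last_order", "consent_marketing"},
}


def sample_store() -> list:
    """Fresh copy of the constructed records so callers can mutate freely."""
    return deepcopy(SAMPLE_CUSTOMERS)


def mask(value, keep: int = 4) -> str:
    """Replace all but the last `keep` characters with '*'."""
    s = str(value)
    return "*" * max(0, len(s) - keep) + s[-keep:]


def view_for_role(record: dict, role: str) -> dict:
    """Return a copy of the record masked for the given role.
    Unknown roles see only the record id; sensitive fields are never
    partially revealed, only fully redacted."""
    allowed = FIELD_ACCESS.get(role, {"id"})
    view = {}
    for key, value in record.items():
        if key in allowed:
            view[key] = value
        elif key in SENSITIVE_FIELDS:
            view[key] = "<redacted>"
        else:
            view[key] = mask(value)
    return view


def find_subject(store: list, subject_id: int) -> Optional[dict]:
    """Locate one data subject's record by id (the 'easy to locate' control)."""
    return next((r for r in store if r["id"] == subject_id), None)


def withdraw_consent(store: list, subject_id: int, purpose: str) -> bool:
    """Record a withdrawn consent for one purpose; True if a record was updated."""
    record = find_subject(store, subject_id)
    key = f"consent_{purpose}"
    if record is None or key not in record:
        return False
    record[key] = False
    return True


def erase_subject(store: list, subject_id: int) -> bool:
    """Remove a data subject's record entirely (deletion request)."""
    record = find_subject(store, subject_id)
    if record is None:
        return False
    store.remove(record)
    return True


def purge_expired(store: list, today: date, retention_days: int) -> int:
    """Delete records whose last activity is older than the retention period.
    Returns the number of records removed."""
    cutoff = today - timedelta(days=retention_days)
    expired = [r for r in store if r["last_order"] < cutoff]
    for r in expired:
        store.remove(r)
    return len(expired)


if __name__ == "__main__":
    store = sample_store()
    print("support view:", view_for_role(store[0], "support"))
    print("consent withdrawn:", withdraw_consent(store, 1, "marketing"))
    print("purged:", purge_expired(store, date(2022, 3, 1), 365))
```

In a real deployment the masking belongs in the database or API layer (role-specific views or column-level permissions) rather than in application code, so that a support tool cannot simply query the underlying table; the point of the sketch is that each of the article's bullets maps to a small, testable control rather than to a paragraph in a policy document.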

5. Ensure contracts with data transferees (including internally with affiliates) include relevant PIPL terms.

Conclusions for Implementation

Realistically, it will take some time for foreign companies with a presence in China to put all of this in place. Remember that the primary regulator here, the Cyberspace Administration of China (CAC), is an overstretched agency at the moment and may not be knocking on your door anytime soon. The key therefore is to make a good faith effort towards building a compliance system as soon as practicable, not as soon as possible.

As you are unlikely to be randomly audited by government authorities, any inquiry into your compliance system will more likely result from a complaint by a disgruntled customer or employee with another agenda to settle, just as we see play out in so many other compliance domains.

Finally, bear in mind that as with all major pieces of legislation in China, a lot of the specific details for how to fully comply are yet to come in the form of implementing rules to be issued in the next year and beyond. We will continue to follow the rollout of these implementing rules and keep you informed with timely client alerts.

By Robin Tabbers and Art Dicker of R&P China Lawyers.


Moye White