22 Sep China Continues to Strengthen its Regulatory Framework for Data Protection
These past few years have shown the determination and efforts of Chinese authorities in improving the cybersecurity and data protection related regulatory environment. The successive adoption of two new laws, one on data security and the second on personal data, is just the latest installment of this aggressive regulatory strategy: the Data Security Law (DSL), adopted in June and in force since the 1st of September 2021, and the Personal Information Protection Law (PIPL), adopted in August and taking effect on the 1st of November 2021.
The very short period between their adoption and their effective date further showcases how seriously Chinese authorities regard data security and data privacy.
Even if these two new laws are specific to data, data-related regulatory provisions are far from new to China. Indeed, they only supplement and strengthen the famed, omnibus and overarching Cybersecurity Law (CSL) in force since June 2017, regulating the security of Information networks and systems of operators in China.
What does the PIPL look like?
The PIPL is considered as the Chinese equivalent of the European GDPR (General Data Protection Regulation) since both lay out a comprehensive set of rules for data privacy.
Still, the PIPL contains China-specific provisions and diverges from the GDPR. For example, the absence of legitimate interests as a legal basis, a different right to data portability, and additional requirements for cross-border data transfer, among others for CIIOs (Critical Information Infrastructure Operators) or beyond a certain volume of data to be later specified by the Cyberspace Administration of China.
In the meantime… How should businesses get prepared?
Companies handling Chinese consumers’ data are facing challenges that come with the law: rising corporate compliance costs, new requirements of risk management and the potential influences on their current business models. Therefore, they should take actions to make sure that their business activities are in compliance with the DSL, the PIPL and related regulations.
International companies should further evaluate their activities in China related to data storage and cross-border data transfer. For example, Companies are required to meet specific conditions in order to provide personal information outside the territory of PRC, including passing a security assessment, undergoing personal information protection certification or concluding a contract with the overseas receiving party.
Stay tuned for our upcoming white paper, for analysis on how to leverage your GDPR program and on how to adjust your digital strategy for different business scenarios to simplify, speed up and achieve compliance with the new data framework in China.
This article is written by Isabelle HAJJAR from TEKID, a Digital Risks and Security firm focusing on protecting the interests of its customers operating in the Cyberspace. Co-authored with Sophie Zhang, Analyst, Fabernovel China.