
China has Published Its Specific Law for the Protection of Personal Data. What Are the Implications?

Sep 27, 2021 | BLOG

Global efforts to ensure data protection have increased dramatically over the years. Governments around the world have been concerned with creating laws and regulations that secure the circulation and processing of information about citizens and users, especially by companies, so that people’s privacy is respected and operations stay within the specific laws of each country.

After the European Union General Data Protection Regulation (GDPR), which seeks to guarantee citizens greater control over their own data, governments in several countries also started to invest in their own regulation with the same purpose. 

PIPL Construction Route

The most recent regulation was from China, which, after several revisions since October 2020, has officially approved its PIPL (Personal Information Protection Law) in August of this year. The first draft was presented at the National People’s Congress of China on October 13, 2020, and opened for public review on October 21 of the same year. 

A month later, the reviewed document was closed for internal assessment. In August 2021, the proposal was approved and is expected to take effect on November 1st.

The Chinese data protection law is similar to the European law, but with a stricter structure, especially for “Big Techs”. The goal is to further strengthen the current protection regime by regulating the collection, processing, and use of Chinese citizens’ data, including rules intended to prevent some companies from building monopolies and enriching themselves excessively through population data.

The China Consumer Association strongly criticized this type of behavior by companies, saying that the algorithms are becoming a “technical intimidation” to consumers.

How does PIPL impact organizations?

The data is seen by the Chinese government as a basic strategic resource and belonging to the country, and its use by third parties should be kept to a minimum, monitored, and for well-defined purposes. Therefore, with PIPL’s approval, the activities of organizations and individuals working with personal information will be heavily impacted. 

European entities fear that Chinese regulations will jeopardize trade between companies in the bloc and China, putting the privacy of their businesses at risk, since they would be subject to protection demands different from those of the European GDPR.

For multinationals, the situation is no different: they face an uncertain business scenario and what they see as invasive behavior by the Chinese government when auditing companies. In short, this uncertain scenario ends up generating concern for companies due to the following requirements:

  • Users are given more control over their data: Users can request/control the editing, removal, and restriction of the distribution, processing, and use of their data. In addition, consent given earlier can be changed or withdrawn by the user.
  • More rigorous requirements for data sharing and transfer: An organization, or any other party involved in controlling data, needs to pass assessments related to the legal use of that data.
  • Penalties and fines in cases of data breaches: Fines can reach up to 50 million RMB (Yuan Renminbi), the equivalent of 40 million reais or 7 million dollars, a deduction of a percentage of annual revenue, or even termination of business.
  • Mandatory security controls: The processing of personally identifiable, sensitive, or critical information must be subject to strict mandatory security controls, and the personnel responsible for handling it must receive appropriate training.
  • Mandatory data localization: The processing of personally identifiable information is limited to the boundaries defined by the China Cybersecurity Administration – CAC. If a company exceeds these limits, it must provide the location of this data.

Key Points of the Chinese Law

The law presents requirements and regulations on the lawful handling of personally identifiable information, that is, information that in some way identifies the user in electronic media, including critical state security information and sensitive information involving religion, beliefs, ethnicity, financial information, user tracking, and others.

Thus, some key points can be highlighted that must be observed by companies in operations that deal with information of this nature.

User Consent

Before any operation with personal data, companies or interested parties must request the consent of the users, who must be explicitly notified about any matter related to the processing of their data, including the identity and contact information of those responsible for handling it. (Article 24)

Organizational Management 

Those responsible for handling the data must adopt security measures that ensure protection against intrusion, leaks, or theft during data collection, distribution, and processing. Some of these measures involve data encryption and proper training of those responsible for operations and/or overseeing operations. (Articles 50, 51, 52)

Individuals’ Rights

Users must have the right to access their own data, being able to modify it, delete it, decide when their information can or cannot be processed, or request an explanation about the processing. (Articles 44, 45, 46, and 48)

Data Transfer Borders

The transfer of data outside China can only be done with the explicit consent of the subjects, who must be notified when their information is transferred outside Chinese territory. When processing crosses borders, an organization undergoes a security assessment, which must be approved to proceed with operations. (Articles 39 and 40)

Data Location

When organizations reach the limit of data volume defined by CAC, they must keep the information already collected and generated stored within Chinese territory. (Article 40)

What Can We Expect as Next Steps?

The approval of the Law affected various sectors of the economy and raised concerns for Chinese companies and European multinationals, especially the ‘Big Techs’. In this sense, companies that deal with the distribution, collection, and processing of data, as well as with software development and related activities, must work ethically and morally, paying attention to all the requirements established by the law, if they want to ensure the smooth running of their business and a good reputation.

