Multinational entities with operations or business in the People's Republic of China (PRC) should take note of the PRC's new Personal Information Protection Law (PIPL), which came into force on November 1, 2021 and has extraterritorial scope and effect.
Under Article 3 PIPL, entities or individuals outside the PRC that process the personal information of natural persons located in the territory of the PRC (PRC Personal Information Subjects) are subject to the PIPL where the processing is for any of the following purposes:
- providing products or services to PRC Personal Information Subjects;
- analyzing or evaluating the behavior of PRC Personal Information Subjects; or
- other circumstances stipulated by laws or administrative regulations.
Offshore personal information processors must either establish a dedicated agency or appoint a representative in the PRC, and must submit the name and contact details of that agency or representative to the regulatory authorities (Article 53 PIPL). The term "personal information processor" under the PIPL is broadly equivalent to "data controller" under the EU General Data Protection Regulation 2016/679 (GDPR).
In addition to the representation requirement under Article 53 PIPL, onshore and offshore personal information processors must, in certain circumstances, appoint a Personal Information Protection Officer (PIPO) (Article 52 PIPL).
This alert first outlines the differences between the requirements of Article 52 PIPL (PIPO appointment) and Article 53 PIPL (appointment of a PRC-based representative or establishment of a PRC agency). It then examines the obligations the PIPL places on the designated personnel, and concludes by highlighting relevant industry regulations and the local practices of provincial and municipal governments.
What is required?
Following the entry into force of the PIPL, there was uncertainty as to what Article 53 PIPL required, and in particular whether it required an offshore entity to designate in the PRC something similar to the Data Protection Officer (DPO) under the GDPR.
Under Article 52 PIPL, a personal information processor must appoint a PIPO if the amount of personal information it processes reaches a threshold prescribed by the Cyberspace Administration of China (CAC). The PIPO is responsible for supervising the processor's personal information processing activities and the protective measures it takes. The personal information processor must publish the PIPO's contact information and submit the PIPO's name and contact information to the regulatory authorities.
Article 53 PIPL requires offshore personal information processors that are subject to the PIPL to appoint a PRC-based representative or establish an agency in the PRC for personal information protection purposes. A similar concept exists under Article 27 of the GDPR, which requires controllers or processors not established in the EU to appoint an EU-based representative.
Thus, Article 53 PIPL generally requires offshore personal information processors to appoint a PRC-based representative or establish an agency in the PRC whenever their activities fall within the scope of Article 3 PIPL, regardless of the amount of personal information processed. Article 53 PIPL does not apply to onshore personal information processors in the PRC.
By contrast, Article 52 PIPL requires both offshore and onshore personal information processors to appoint a PIPO, but only when the amount of personal information they process reaches the prescribed threshold. The critical factor in determining whether a PIPO is required is therefore the volume of personal information processed.
Known and unknown
At present, there is no clear guidance on how an offshore personal information processor may appoint a PRC-based representative or establish an agency in the PRC under Article 53 PIPL.
It also remains to be seen whether the requirement for a PRC-based representative or agency can be waived for some offshore personal information processors. Under the GDPR, the EU-based representative requirement can be waived. Under Article 27(2) of the GDPR, an EU-based representative is not required if all of the following conditions are met:
- the processing is occasional;
- the processing does not include, on a large scale, the processing of special categories of personal data (such as genetic data, or biometric data processed for the purpose of uniquely identifying a natural person) or of personal data relating to criminal convictions and offences; and
- the processing is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing.
Due to the “occasional” requirement, the EU-based representative waiver under the GDPR is rarely available.
It remains to be seen whether a similar waiver will appear in the rules and regulations implementing the PIPL once they become available.
As noted above, PIPL relies on the CAC to prescribe the relevant thresholds for determining whether an offshore or onshore personal information processor must appoint a PIPO. As of the date of publication, the CAC has not yet established a generally applicable threshold for personal information processors.
However, we may not be completely in the dark. For example, the national standard Information Security Technology – Personal Information Security Specification (GB/T 35273-2020, the PIS Specification), as amended and effective October 1, 2020, sets specific thresholds at which a personal information controller should appoint a person in charge of personal information protection and establish a personal information protection department. Although not mandatory, the PIS Specification is regarded as national best practice for personal information security in the PRC and can serve as a useful benchmark or reference point on this issue. The PIS Specification may also indicate when a PRC regulator would initiate enforcement action against a personal information processor under the PIPL.
The specific thresholds under the PIS Specification are:
- an entity whose principal business involves the processing of personal information and which has more than 200 employees;
- an entity that processes, or expects to process, the personal information of more than one million people; or
- an entity that processes the sensitive personal information of more than 100,000 people.
For an offshore personal information processor, it is unclear whether the 200-employee threshold is calculated on a worldwide basis or limited to employees working for the business within the PRC.
Additionally, some industry sectors already have their own sector-specific thresholds. For example, the Several Provisions on the Management of Automobile Data Security (for Trial Implementation), effective October 1, 2021, require vehicle data processors to report the name and contact details of the person responsible for data security to the regulatory authorities in their annual report if they process, among other things:
- video or image data collected outside the vehicle, including facial information and license plate information; or
- the personal information of more than 100,000 people.
Some provincial and municipal governments have also formulated local regulations, draft rules or policies in this area. For example, the governments of Jiangsu and Shanghai encourage local companies to appoint data officers in their respective policies or draft rules, and the Jiangsu government has announced a list of local pilot entities for the appointment of chief data officers. While these local rules and draft regulations are currently being piloted or treated as "best practice", they are useful indications of how the mandatory data protection regime in the PRC may take shape. They should therefore be taken into account when assessing how to adapt your business operations to remain PIPL-compliant.
The CAC is likely to issue guidance on the procedures for appointing representatives or establishing PRC-based agencies, as well as on the PIPO appointment thresholds, among other matters. We also expect other important developments regarding the PIPL in the coming months and will continue to monitor them.