China’s New Personal Information Protection Law: How Will It Impact Foreign Businesses?
With mobile apps now a hallmark of daily life in China, user permission requests are becoming ever more ubiquitous—whether for accessing a user’s contacts, location, and photo albums or getting them to scan QR codes to order food at restaurants. Oftentimes, users end up getting bombarded with customized ads based on their searches and purchase history.
To counter this, China’s government has continually strengthened the privacy protections of its citizens, most of them rules regulating how companies collect, use, and interact with data gleaned from Chinese citizens and businesses.
One such policy enactment is the Personal Information Protection Law of the People’s Republic of China, which comes into effect on November 1, 2021. Several articles in particular regulate the cross-border provision of personal information—how will these impact foreign companies that operate their sites through non-Chinese servers without ICP licenses, despite having visitors from Mainland China?
Here, we’ve summarized the key policy takeaways for foreign companies relating to the cross-border provision of personal information between China and abroad. Let’s dive deeper!
Chapter 2: Personal Information Processing Rules
Personal information processors shall not refuse their products or services (in particular, gated content like whitepapers and demo videos) to customers who:
- Do not agree to the processing of their personal information, or
- Withdraw their consent
The only exemption to this rule is if the processing of personal information is necessary for the transaction of a product or service to take place.
Personal information handled by state bodies must be kept within the borders of the People’s Republic of China (PRC). If it is truly necessary to provide it abroad, a security assessment shall be undertaken. Relevant authorities may be requested to support and assist with this assessment.
Chapter 3: Rules on the Cross-Border Provision of Personal Information
If you need to provide personal information beyond Mainland China for business or related reasons, you must meet one of the following conditions:
- Pass a security assessment conducted by the State Cybersecurity and Informatization department, as per Article 40.
- Get certified with a personal information protection certification from a specialized body assigned by the State Cybersecurity and Informatization department.
- Agree to a standard contract for the rights of both parties (including the foreign recipients of the information) presented by the State Cybersecurity and Informatization department.
- Aside from the above conditions, you must adhere to any other conditions or regulations stipulated by the State Cybersecurity and Informatization department.
- Wherever applicable, treaties or international agreements that the PRC has acceded to concerning the provision of personal data outside of China remain in effect.
- You must adopt necessary measures to ensure that the data handling procedures of your foreign receiving parties adhere to the data protection policies under this law.
If you provide personal information outside Mainland China, you must notify the individual concerned of the name and contact method of the foreign party receiving it. You must also state your data collection purposes and the procedure by which the individual can exercise, against the foreign receiving party, the rights over their personal information that this law protects.
Critical information infrastructure operators and personal data processors whose data storage surpasses a threshold set by the State Cybersecurity and Informatization department must store that personal information domestically within the PRC. This applies exclusively to information that was collected within Mainland China.
If you need to provide personal data abroad, you must pass a security assessment conducted by the State Cybersecurity and Informatization department. The only exception to this rule is an agreement—between the foreign country in question and the State Cybersecurity and Informatization department—that does not necessitate this security assessment.
If foreign bodies or individuals engage in personal data usage that either (a) violates the personal information rights and interests of PRC citizens or (b) threatens the national security or public interest of the PRC, the State Cybersecurity and Informatization department may enact one of the following restrictions:
- Place policy offenders on a blacklist that limits or outright bans their provision of personal information.
- Issue warnings to policy offenders and adopt measures to limit or prohibit the transfer of personal information to them.
If located outside the PRC, you must establish a dedicated entity or appoint a representative within Mainland China to oversee matters relating to the personal data under your jurisdiction—and report the name and contact details of your entity or representative to the PRC’s Ministry of Industry and Information Technology.
If your data collection practices align with one of the following scenarios, you must conduct an impact assessment in advance and submit a record of how you use the personal information:
- You handle sensitive personal information.
- You use personal information to automate decision-making (in your business operations).
- You either (a) disclose personal information or (b) entrust its handling to other personal information processors.
- You provide personal information abroad.
- You handle personal data that is highly sensitive to individuals.
With these policies in mind, companies should insert clauses on their website informing visitors about data collection and giving them the option to consent.
Remember to update your site before Nov 1, 2021, to avoid any policy infringements.