China PIPL Data Localization: A Detailed Overview
As the country with the world's largest population and its second-largest economy, China has enormous economic influence.
Today, more and more businesses are opening and processing Chinese residents' data. With this in mind, the People's Republic of China introduced the Personal Information Protection Law (PIPL) to better control how businesses handle data and to protect its citizens' sensitive information.
In this article, we’ll discuss China PIPL data localization and give you a better insight into their rules.
- The Personal Information Protection Law applies to any business, with or without a physical presence in China, that collects, stores, uses, shares, or sells personal or other sensitive information of Chinese residents.
- China PIPL data localization requirements are specified in Chapter 3 of the law, under Articles 38-42.
- A personal information processor must fulfill the following conditions when it comes to data localization: pass a CAC-organized security assessment, get CAC certification, obtain a CAC-formulated contract explaining the rights and duties of each participant, and fulfill other conditions set in law.
China PIPL Explained
The first draft of China’s PIPL was introduced to the National People’s Congress on October 13, 2020, and later enacted on August 20, 2021, before becoming effective on November 1 of the same year.
Prior to PIPL, businesses operating in China had few restrictions on how they could process personal data. For one, they didn't have to obtain the data subject's consent, and misuse of consumer data was a normal occurrence.
This often ended up hurting Chinese citizens, so the Chinese government introduced the Personal Information Protection Law (PIPL) to protect its citizens' personal data from being misused.
Who Must Follow China’s PIPL?
China’s PIPL applies to any business or organization that collects, stores, uses, sells, or shares personal data from individuals in mainland China.
The law applies to both small and big companies, whether they are physically located in China or outside, as long as they handle Chinese residents’ data.
Finally, the law applies not only to the business that owns the data but also to the third parties that handle PII on its behalf (data processors).
China PIPL Data Localization Explained
Data localization laws, or data residency laws, require that data be collected, processed, and stored within the country before any of it is transferred overseas.
The type of information that must follow data localization requirements will vary depending on the law or regulation you are looking at, but in general, the following types of data are subject to it:
- Personal data
- Financial data
- Health data
- Intellectual property
- Customer and e-Commerce data
- Education data
- Employee data
- Critical infrastructure data
- Government data
On the other hand, non-personal and non-sensitive data, data that is already publicly available, data already stored abroad, anonymized data, and data covered by international agreements, treaties, or specific exemptions are not subject to data localization requirements.
China PIPL Data Localization Requirements
The PIPL has several cross-border data transfer restrictions.
Data localization and cross-border transfers are regulated by the Cybersecurity Law, the Data Security Law, and the Personal Information Protection Law.
These requirements state that any personal data collected and/or generated in China must be stored locally and cannot be transferred outside Chinese borders before a security assessment, and only where there is a legitimate business need for the transfer.
Article 38 states that a personal information processor must meet at least one of the following data localization requirements:
- It has passed the security assessment organized by the state cyberspace administration (CAC), as outlined in Article 40.
- It has obtained personal information protection certification from a CAC-recognized specialized body.
- It has concluded a contract with the overseas recipient, following the standard contract formulated by the Cyberspace Administration, that sets out each party's rights and obligations.
- The transfer meets other conditions set by laws, administrative regulations, or the state cyberspace administration.
In addition to the above China PIPL data localization requirements, Article 39 also specifies the information that the data processor must provide to the individual before transferring their data overseas:
- The name of the recipient overseas
- Contact information
- Purpose of processing
- Processing method
- The type of personal information that is processed
- How the individual can exercise their data privacy rights
How to Implement Data Localization?
When it comes to successfully implementing China PIPL data localization requirements, it is first necessary to understand Articles 38 and 39, which outline the requirements for organizations in general.
In addition, Article 40 sets out the data localization and cross-border transfer obligations for CIIOs (critical information infrastructure operators).
Furthermore, Article 41 specifies that PI cannot be given to overseas public authorities, while Article 42 gives the CAC the authority to limit PI transfers where the transfer could:
- Harm Chinese citizens' privacy rights, or
- Infringe on national security or the public interest
Articles 38-42 do not spell out every practical step. As such, before transferring data from China overseas, organizations should:
- Identify what data is being transferred and analyze its nature, purpose, method of processing, scope, etc.
- Assess whether any additional data transfer limitations apply (e.g., the destination country is on the CAC's restricted or prohibited list)
- Assess the legal basis/reason for the data transfer to another country
- Where consent is the legal basis for data transfer, it must be in a uniform consent form and provide detailed information to the data subject, including the name of the data recipient and their contact info, processing purpose, method and types of personal information, and the methods and procedures for the individual to exercise their data privacy and security rights.
- Where consent is not the legal basis, the above information is provided in the privacy notice to the individuals.
- Regardless of the legal basis, the following must be accomplished before the data transfer: security risk assessment, CAC certification, signing the SCCs formulated by the CAC, and other conditions according to the CAC rules, laws, and regulations.
- Also, similar to GDPR’s DPIA, PIPL requires conducting a Personal Information Protection Impact Assessment under Article 55.
Penalties for PIPL Non-Compliance
With PIPL, China has introduced some of the most severe penalties for non-compliance globally.
The consequences for non-compliance with PIPL can be:
- 1 million yuan ($150,000) for minor violations by the business
- 10,000 to 100,000 yuan ($1,500 to $15,000) for minor violations by individuals
- Up to 50 million yuan (around $7 million) or up to 5% of the business's previous year's revenue
- Up to 1 million yuan (about $130,000) for individuals
- A low social credit score (this can prevent the business from obtaining loans or credit, or from operating at all)
- Criminal and civil penalties (with no limit to the liabilities the business can face)
- Suspension of the business
- Disciplinary actions
- Imprisonment of up to 7 years
Data localization is essential for several reasons. Mainly, it improves the data privacy of Chinese residents by requiring their data to be processed in a way that protects their privacy adequately.
So, if you are processing the personal information of Chinese residents, learn about China PIPL data localization requirements, as it is very important.
Now that you have all this information, you might be wondering how to apply all this in the real world. Well, that’s where we come in.
Captain Compliance is a dedicated team of compliance experts that can take all your compliance burdens off your shoulders. Get in touch with Captain Compliance today.
Does China have data localization laws?
Yes, China’s data localization laws are specified in Chapter 3 of the Personal Information Protection Law (PIPL) through articles 38 to 42.
Who Does PIPL Apply to?
The Personal Information Protection Law (PIPL) applies to organizations inside or outside China, provided the personal data they process belongs to Chinese residents.
What is the data localization requirement in China?
Chapter 3 of PIPL outlines data localization and cross-border data transfers in China in articles 38-42.
Article 38 specifies data localization requirements, which include:
- Passing a security assessment organized by the CAC
- Obtaining a CAC certification
- Getting a contract formulated by the CAC
- Following other CAC regulations, laws, and rules
Article 39 outlines the information the data handler must provide before processing the individual’s data overseas:
- Name and contact information of the recipient
- Purpose and processing method
- Type of PI processed
- Ways the individual can exercise their rights
What is the difference between China PIPL and GDPR?
China’s PIPL is based on the EU’s GDPR. Still, the two data privacy laws have some differences.
- PIPL applies to companies and data processors that are processing the personal information of Chinese residents, while GDPR applies to EU citizens’ data.
- China's PIPL defines the role of a personal information handler, which is the equivalent of GDPR's data controller. However, it defines no equivalent of GDPR's data processor.
- Where GDPR has a data protection officer (DPO), PIPL instead defines "the person in charge of PI protection" and holds that person liable for the performance of their duties.