Evolving Data Laws in China: PIPL Expected to Be Adopted Soon


China's eagerly awaited Privacy Act (PIPL) is most likely to pass this month after the close of the 30th meeting of the Standing Committee of the National People’s Congress, which is due to be held in Beijing from August 17 to 20. This follows the enactment earlier this year of the Data Security Law (DSL), which will take effect on September 1, 2021.

The PIPL, which will add another layer of compliance obligations on personal information processors, will complement and further strengthen the developing regulatory regime, which includes the 2017 Cybersecurity Law (CSL) and the DSL once enacted.

The PIPL will be China’s primary privacy and data protection law, despite the widespread misconception that the DSL is China’s privacy law. Nonetheless, the DSL and CSL can affect the way multinational companies conduct their business in China, including how they may or may not process personal information. Please click here to register if you would like to attend our webinar on China’s New Data Security Law to be held on August 18, 2021 (3:00 p.m. – 4:00 p.m. Hong Kong time).

Key points to note about the PIPL

The second version of the PIPL was released for public comment last April. The final version of the PIPL will likely incorporate most of the provisions of this draft, including, among others:

(i) Rules for collecting consent

Data subjects have various rights under the draft PIPL, and processors must inform individuals of the specific ways in which they can exercise these rights. Sensitive personal information can only be collected if it is necessary to achieve legitimate purposes, and data subjects should be made aware of all consequences associated with providing such information. Separate and specific consents must also be obtained for certain processing activities (e.g. sharing of data with third parties).

(ii) Cross-border transfer rules

Data processors may only transfer personal information outside of China if at least one of the following conditions is met:

(a) a security review organized by the Cyberspace Administration of China has been passed;

(b) a personal information protection certification from a professional body has been obtained;

(c) a standard data transfer agreement has been concluded between the processor and the foreign recipient; or

(d) other conditions prescribed by law.

(iii) Presumption of fault

According to the draft PIPL, the processor is presumed at fault if a person is harmed by the processing activities of the processor. The processor is responsible for proving that its processing activities are lawful and that it is not at fault. This raises the bar for data compliance and internal risk controls of data processors.

(iv) Extraterritorial impact

The PIPL should have an extraterritorial effect like the GDPR. The activities of foreign companies may be covered by the PIPL, in cases where personal information is processed outside of China for the purpose of analyzing the behavior of individuals in China. There is no definition of what constitutes a “behavior analysis”, so the application of this provision could be broad.

Impact of the new laws

As China’s data and privacy laws continue to evolve, the new regime means that organizations inside and outside of China will need to review their data management and transfer strategies, as well as policies and procedures in place for the collection and processing of personal data.
