TL;DR: China introduced the Personal Information Protection Law (PIPL) in 2021 to regulate personal-information-handling activities in China, including transfers of personal information across the border.
So, what does this mean for your company? Does it mean you must host all information onshore? We think the answer is: it depends.
Disclaimer: This article is intended more as a discussion and should not be construed as legal advice. Please consult with your legal counsel for the latest up-to-date laws and procedures regarding the handling of personal information.
When it comes to hosting websites in China, performance and information accessibility have been the first considerations for most foreign companies or entities.
That is, until China introduced the Personal Information Protection Law (PIPL) in 2021, the first legislation in China to regulate the handling of personal information of Chinese nationals and residents.
For context, PIPL sets out practices for processing personal information across the border, including notes on onshore hosting and on using offshore providers, which raises the questions:
- Does PIPL apply to you?
- Can you still use offshore tools such as Google Analytics in China?
- Should you host your data onshore? And how?
- What are the best practices for complying with PIPL?
As a conversation starter, we’ve gathered some pointers from PIPL and its supporting documents.
The Personal Information Protection Law (PIPL) stipulates an individual’s consent as the principal legal basis for processing Personal Information.
It requires that the processing of Personal Information shall abide by the principles of legality, fairness, good faith, minimum necessity, openness, and transparency.
As of 2022, about 200 companies in China have been reported for non-compliance with PIPL and other related regulations.
- Personal Information means all kinds of information relating to identified or identifiable natural persons that is electronically or otherwise recorded, excluding information that has been anonymized [1]
- Anonymized information means Personal Information that has been irreversibly processed, or processed in such a way that it cannot be used to identify any natural person [2]
- Processing of Personal Information includes the collection, storage, use, transformation, transmission, provision, publication, deletion, etc. of Personal Information [3]
- A processor of Personal Information refers to any organisation or individual that is able to decide on its own the purpose and means of processing, and other matters relating to the processing of Personal Information
- You collect names and phone numbers from Chinese residents, and this information is stored onshore.
  ✅ Skip to “V. Actionables & Takeaways”
- You collect identifiable information in China AND your overseas team will access it.
  ✅ Read on. Pay close attention to “III. Special Notes for Cross-border Processors”
- You use Baidu Analytics to collect traffic data that cannot be used to identify individuals in China.
  ✅ Skip to “V. Actionables & Takeaways”
- You handle various kinds of information using infrastructure onshore or otherwise (e.g. tech platforms, banks).
  ✅ Read on, esp. “III. Special Notes for Cross-border Processors” & “IV. Types of Information”.
The Law applies to all processing activities of Personal Information within China, and to activities elsewhere in specific cases (more below) [4]
Yes, PIPL applies to information-processing activities outside of China [5] when they are carried out:
- For the purpose of providing products or services to natural persons located within China
- To analyze or assess the conduct of natural persons located within China
- Under any other circumstance provided for by law or administrative regulation
You collect names and email addresses from Chinese residents for marketing purposes. You also host the information with a form service provider located outside of China.
✅ By definition, that involves i) analyzing identifiable information and ii) outbound transfer of data. As such, you’ll need to refer to the notes for cross-border Processors (more in the next section).
A few things. In short, you must observe the regulations set forth by PIPL and meet its requirements with respect to cross-border information-processing activities. Some organizations are also required to appoint a local representative in China.
For one, Information Processors who transfer Personal Information out of China must inform the individuals concerned of the name and contact information of the overseas recipient, and of the purposes and means of data collection, and obtain their individual consent [6].
Secondly, foreign processors of Personal Information who analyze or assess the conduct of natural persons located within China are also required to appoint representatives in the Mainland for matters related to PIPL [7].
The most important (and perhaps the most open-ended) part: How does one become vetted?
According to PIPL, you must fulfill any one of the following requirements [8]:
- Pass a Security Assessment organised by the Cyberspace Administration of China (CAC)
- Be certified in respect of the protection of personal information by a recognised institution, as required by the CAC
- Enter into a contract with the overseas recipient, in a standard form formulated by the CAC, specifying the rights and obligations of each party
- Meet other conditions required by law, administrative regulations or the CAC
IMPORTANT: At the time of publication, no actionable information is available regarding the above requirements. The closest reference we’re able to identify thus far is the Draft Security Assessment of Outbound Data Transfers published in 2021.
In this supporting document, the CAC attempts to clarify a number of things further.
To highlight, Security Assessment is made mandatory if Information Processing includes [9]:
- Personal Information and Important Information collected and generated by Critical Information Infrastructure (CII) [10]
- Personal Information about over one million individuals
- Transfers of Personal Information about over 100,000 individuals, or of Sensitive Personal Information about over 10,000 individuals
- You have an app that collects biometric data (e.g. Face ID) of over 10,000 individuals in servers outside of China.
- You run an analytic service solution company that stores a large volume of personal data in China (exceeding one million), some information will be accessed by clients overseas.
- You run a media company that reports public affairs in China.
✅ By definition, that involves i) Sensitive Personal Information, ii) Personal Information of over one million individuals and iii) Important Information.
Due to the nature of your information-processing activities, you’ll likely need to seek Security Assessment by the CAC and follow other requirements (more below).
The *working* scope of Security Assessment includes an account of:
- The purpose, scope and means by which information is transferred out of China, and their legality, necessity and appropriateness
- Relevant local regulations applying to the overseas recipient and any impacts thereof; the level of information security will be assessed on the basis of PRC laws and regulations
- The type, amount, coverage and sensitivity of outbound data, and the risks of illegal use, damage, tampering, loss and onward transfer when it is processed overseas
- Whether Data Security and Personal Information Rights are sufficiently protected
- Whether responsibilities and obligations are clearly stated and mutually agreed between the Information Processor and the Overseas Recipient
- Compliance with Chinese laws and regulations
- Any other relevant information deemed necessary by the CAC [11]
*Editor’s note: Any information regarding the Security Assessment of Outbound Data Transfers is subject to change depending on the finalised version, expected to be announced in 2022. This is also not to be construed as legal advice, but rather as a framework to reference.
“Personal Information, Important Information, Public Information… What are they?”
By this point, it has probably become apparent that you won’t be able to assess your position under PIPL without a basic understanding of how the CAC categorizes or defines Information.
So, going one step further, we refer to the Draft Network Data Security Management Regulations:
What are the different types of Information?
- Important Information: Information that endangers national security and public interest when tampered with or misused
- Core Information: Information relevant to national security, the economy and public interests
- Public Information: Information gathered by government representatives in order to provide public services
- Sensitive Personal Information: Information that easily causes damage to one’s character or conduct, or endangers one’s property and safety, including biometric recognition, religious information, specific identity, medical health, financial information, tracking information, and Personal Information of individuals aged under 14
- General Information: Information that falls into none of the above categories
(Article 73, clauses 1-5)
PIPL certainly lays the ground for handling information in China. We foresee that as the Internet ecosystem in China interacts with the rest of the world, these local regulations will continue to evolve.
Below are our thoughts regarding future practices:
More often than not, it comes down to the type of information you process, or whether there’s a proven need to use offshore providers in lieu of an onshore equivalent. In the case of Google Analytics, if you’re collecting data that cannot be used to identify any individual, PIPL may not apply to you*
*Please refer to our disclaimer for more information.
The basis of PIPL is that individuals who are asked to provide information have the right to be informed about its intended use, domestic or otherwise. The legal precedents reported in 2021 also have in common that individuals were not so informed.
Do not over-collect information that is unnecessary for your use case. Otherwise you’ll need to observe additional regulations as far as Important Information, Sensitive Personal Information (and other categories) are concerned.
This Draft provides arguably the most information on cross-border data transfer of all the documents. Once finalised, the Security Assessment for Outbound Data Transfer is expected to clarify the requirements and their legal application further.
PIPL shares some similarities with, and differs in some respects from, GDPR, its closest EU equivalent. This article discusses PIPL vs GDPR in more depth.
You may refer to other sources including KPMG, Deloitte and Deacon, and the directory of cybersecurity information by Thomson Reuters, among others.
Are there any other practices we should be aware of?
Email us your thoughts at email@example.com. We’d be happy to discuss more.
- Personal Information Protection Law | English Summary
- Draft Security Assessment for Outbound Data Transfers | English Summary
- Draft Network Data Security Management Regulations | English Summary
- Reported cases of PIPL violation
[1] Article 4, the Personal Information Protection Law (PIPL)
[2] Article 4; Article 43 Clause 4, the Personal Information Protection Law (PIPL)
[3] Article 4; Article 73 Clause 1, the Personal Information Protection Law (PIPL)
[4] Article 3, the Personal Information Protection Law (PIPL)
[5] Article 3, the Personal Information Protection Law (PIPL)
[6] Article 36, Draft Network Data Security Management Regulations
[7] Article 53, the Personal Information Protection Law (PIPL)
[8] Article 38, the Personal Information Protection Law (PIPL)
[9] Article 40, the Personal Information Protection Law (PIPL); Article 4, Draft Security Assessment for Outbound Data Transfers
[10] CII refers to network facilities and information systems in important industries and fields, such as public communication and information services, energy, transportation, water conservancy, finance, public services, e-government, and science, technology and industry for national defense. More in Article 2, Regulation on Protecting the Security of Critical Information Infrastructure (2021).
[11] Article 8, Draft Security Assessment for Outbound Data Transfers