[co-authors: Tong Zhu and William Ferreira]
Six months have now passed since China’s Personal Information Protection Law (PIPL) became effective on November 1, 2021. As noted below, Chinese authorities have recently stepped up enforcement actions relative to PIPL.
China’s PIPL resembles the EU General Data Protection Regulation (GDPR) in many ways. For example, the PIPL tracks GDPR’s extraterritorial application in cases where data processing activities outside China are for the purpose of (i) providing services or products to individuals in China, or (ii) analyzing or evaluating the activities of individuals in China. But the PIPL also endorses a unique Chinese perspective on such issues as separate consent requirements, data localization, and cross-border transfer of personal data. Our previous summary of PIPL is available here: The journey has just begun: China passes its Personal Information Protection Law.
Many institutions outside China have been working to evaluate PIPL’s impact on their operations related to China. For organizations that have a subsidiary or representative office in China, the compliance efforts often include (but are not limited to) conducting a data mapping exercise and gap analysis, and developing privacy notices and consent forms directed at employees, visiting scholars, students, and website users. For organizations that have no presence in China, the PIPL’s extraterritorial effect may still mandate action, such as appropriate consent mechanisms embedded in websites and mobile applications (including WeChat mini programs) targeting China, and appropriate data protection and cybersecurity clauses in agreements with Chinese parties. All organizations are closely monitoring prospective regulatory developments in China which are expected to shed more light on the specific requirements for data localization and cross-border transfer of personal data.
Over the past six months, Chinese authorities have stepped up their enforcement actions. Thus far, the enforcement has centered on unlawful data collection and data leakage. Neither PIPL’s data exportation restrictions nor its extraterritorial reach has been publicly enforced at this time.
- Strengthened governance over data protection in mobile applications. Since 2020, the Cyberspace Administration of China (CAC), Ministry of Industry and Information Technology (MIIT), and Public Security Bureau (PSB) have exercised strong supervision over data protection within mobile apps, focusing on over-collection of personal information, the unlawful use of targeted push functions, and ineffective channels for data subjects to exercise their rights. In 2021, Chinese authorities required numerous mobile apps to rectify their procedures – several English training apps and pre-education apps have been issued violations, including Offcn, a famous Chinese vocational education and training company.3
These enforcement actions demonstrate that authorities are focused on Chinese websites and apps, including consent and separate consent mechanisms, over-collection of personal information, and protection of data subject rights. In the education industry, especially online education, the Ministry of Education has recently emphasized data protection via several circulars issued in 2021.4 As online education programs surge with both Chinese and non-Chinese providers entering the market, the education industry is poised for data protection enforcement in China.
The PIPL features many vague provisions. Accordingly, organizations continue to await China’s issuance of rules and regulations that clarify PIPL’s scope and practical effect on operations that touch China. Meanwhile, preparation is key. The recent enforcement actions suggest that organizations should give priority to developing tailored consent mechanisms and mitigating risk through effective data protection and cybersecurity clauses in agreements with Chinese parties.
4 For example, the Circular of the Ministry of Education on Strengthening Information Technology in Education Management in the New Era, and the Notice on the Change of Requirement for Online Training Institution from Record-Filing to Approval.