China has recently passed the new Personal Information Protection Law (PIPL), which went into effect on November 2, 2021. Several new privacy laws have created compliance minefields, but given the size of the China market and the sometimes challenging interpretation of Chinese laws, PIPL is one that must be understood and planned for going forward. The 2021 Cylynt Connect software monetization and anti-piracy summit addressed this issue with a panel of legal experts well versed in global and Chinese privacy laws and license compliance; some of the salient points to keep in mind are summarized in this blog.
PIPL and GDPR
Key similarities and differences with the European General Data Protection Regulation (GDPR) were discussed, and the conclusion was that while China expects to build on the similarities between the two laws, PIPL will go even further in requiring businesses to have specific compliance practices in place. There will be different ways to implement PIPL in China, so it will be important to understand the subtleties of its extraterritorial elements, the different classifications of data sensitivity, and how each type of data should be treated.
The removal of legitimate interest as a legal basis in PIPL is causing uncertainty and ambiguity about what the other exceptions cover, but the final exception, for other situations specified by law, gives the Chinese administration some leeway. Possibly the administration plans to draw on other parts of Chinese law for a broader interpretation, which is a common legislative technique in Chinese law.
Near-Term Data Collection
In terms of data collection, businesses need to take a step back and ascertain what kinds of data they are collecting in order to pursue software infringers, and how that stacks up against what is emerging in the law as PIPL takes effect. The approaches already used for GDPR may be a good place to start, but it is important to identify where the differences lie and where companies' current operations in China may be exposed, particularly around data sensitivity and cross-border transfer.
Proactive Data Regime
The same discipline of mapping data flows, and everything else that goes with GDPR compliance, will be just as important under PIPL. A digital protection regime cannot be implemented in an organization without considering not only PIPL but also China's cybersecurity law and data security law, and how they interact with PIPL. Companies should not look at one issue in isolation; they should look at all three pillars of legislation, personal information protection, cybersecurity, and data security, in order to define their strategy.
Initial Steps from a License Compliance (LC) Standpoint
The extraterritorial aspects of PIPL will likely be the most challenging in determining how much room a company has to collect and export data. As a practical step in understanding the risk/reward trade-off and where the exposure lies, it is advisable to conduct data audits so that it is clear what type of data is being collected, where, and by whom; whether it has been shared and, if so, how it is shared with others; and whether it is being anonymized.
First Steps for Ensuring PIPL Compliance
Please stay tuned for a checklist Cylynt is compiling of the first steps your company can take to ensure you are compliant with PIPL and other privacy regulations.