PIPL: what you need to know about China’s personal information protection law
As part of The Drum’s Data Deep Dive, we look at how China is tightening controls on how data is collected and shared.
China’s new personal data law, the Personal Information Protection Law (PIPL), which came into effect on November 1, is one of the strictest in the world and draws inspiration from Europe’s GDPR.
Beijing has moved to tighten controls on how big tech uses data and curtail how private information is moved overseas, which means that adtech companies doing business in China have new hoops to jump through.
Companies with a privacy compliance program already in place for GDPR and/or the California Consumer Privacy Act in the US will have a head start as they have already done the necessary Privacy Impact Assessments and are familiar with their processing activities.
This is crucial as Gartner predicts in its Market Guide to Consent & Preference Management report that, by year-end 2023, 75% of the world’s population will have its data covered under modern privacy regulations.
What is the difference between PIPL and GDPR?
PIPL draws inspiration from Europe’s GDPR but goes even further, with tighter controls on how data is collected and shared beyond China’s borders, explains Laura Quigley, the APAC senior vice-president at Integral Ad Science.
“Adtech companies operating in China will have new requirements to meet beginning in November, and those with a privacy compliance program already in place for GDPR or the CCPA will have a leg up,” she says.
“PIPL requires app makers to offer users options when it comes to how their information is or isn’t used, including the ability to opt-out of targeting for marketing purposes or exclude marketing based on personal characteristics. For advertisers, this could mean greater alignment and clearer guidelines for campaigns that span multiple markets.”
JoHannah Harrington, chief legal officer of Elements Global Services, points out that while the new law adds data protection requirements for any company that will process data in China, it also adds a factor of oversight by China into the workings of tech firms.
She explains that transnational technology companies face strict regulations (on reporting, access, etc) under Chinese law, while PIPL adds a layer of complexity to data protection.
This means companies with strong GDPR and data protection programs will be in a good place to start meeting the requirements of PIPL. On the other hand, companies that process data in China have several steps and requirements they need to meet to comply.
“This includes, but is not limited to, obtaining consent from the individual whose personal data is being processed or transferred outside China, ensuring that any data recipients satisfy the data protection standards in PIPL, meeting the requirements of processing data for a ‘clear and reasonable purpose’ and is related to that purpose, ensuring that all policies and procedures maintain protections for personal information, imposing technological solutions for data security, and conducting risk mitigation processes – including assessments before engaging in processing activities,” says Harrington.
“Foreign companies will also need to assign local representatives to oversee data processing and reporting to regulatory agencies and/or establishing an entity in China. Moreover, foreign companies may need to undergo a government security assessment, depending on the type of work the company does – eg public communication and information services, energy, transport, water, finance, public services, e-government services, national defense, and other network facilities to name a few – or the amount of data the company might process.”
She adds: “Any PIPL compliance program will need to have a detailed understanding of Chinese business and cultural practices to be successful.”
The road ahead
Foreign tech firms like Yahoo, LinkedIn and Epic Games’ Fortnite have left China after PIPL came into effect, citing a significantly more challenging operating environment and greater compliance requirements in China. This has had a chilling effect on the future expansion of tech companies into China, notes Harrington.
“Of course, understanding the various practices and reasons why companies exited China will also help future companies decide the best next step for their business decisions. Moreover, companies must keep in mind the various data protection requirements under the PIPL as they will add an extra layer of compliance and complexity to the work that companies have to undertake to effectively work in China,” she says.
“As tech companies are under further restrictions in China under PIPL and other laws, they face hurdles to accomplish their business mandates. Companies will walk a fine line to follow the laws in their home countries while also ensuring the protection of PIPL is met.”
For foreign businesses still keen to expand into China, Harrington says companies need to consider a variety of factors when they look to expand. At the very least, companies need to ensure that they are compliant with local laws, from payroll to HR to data protection and everything in between.
“If you look at data protection and compliance as one very important component of that expansion, companies need to consider the requirements of PIPL, such as naming a local representative, having consent procedures in place, processing data for a clear purpose, and possibly undergoing a security assessment. These steps are part of the common work requirements in China and are as much a part of the day-to-day business as ensuring respectful communication,” she explains.
“In the end, businesses need to consider the administrative, compliance, regulatory, legal and business landscape when expanding.”
On the other hand, Humphrey Ho, the managing director of Hylink Digital, says PIPL is unlikely to impact brands outside of China because of the new law’s objectives, which are “to reduce the over-collection of Chinese users’ information”.
“Its primary concern is protecting Chinese consumers on the Chinese internet in China,” he says. “GDPR’s implications are global, whereas PIPL’s are limited to China, to protect user information from being analyzed, reported, exported and used outside of China,” he explains.
“Similar to all other privacy laws like the GDPR, it is trying to geo-fence consumer data of its citizens inside the country.”