China’s new Personal Information Protection Law, as covered in Sajai’s November Address to the Members of the IBA Technology Law Committee

Dear Friends,

The year is ending, and it is heartening to see that IBA is getting back to organising in-person events. That allows us to hope for a more normal 2022. November has brought interesting developments in technology law: on November 1, 2021, China introduced its new data protection law, the Personal Information Protection Law (PIPL). The PIPL will supplement the Chinese Cybersecurity Law (CSL) and national guidelines.

Now, whether PIPL is, in fact, a version of the EU General Data Protection Regulation (GDPR) remains to be seen, but it does lay down the law of the land on how businesses collect, use, process, share, and transfer personal data and information in China. And not just within China: the PIPL has extraterritorial jurisdiction over data processing activities that may occur outside China if the purpose is to provide products or services to individuals located in China, or to profile individuals in China. As in many other jurisdictions, for instance, India, foreign companies addressing the Chinese market may need to establish an entity or appoint a representative in China to handle data and information-related matters.

Data controllers are now required to obtain informed and separate consents from data subjects for collection, processing, and cross-border transfer of their personal data (limited exceptions apply), and to store personal data on servers physically located in China if the company is certified as a critical information infrastructure operator (CIIO) or is processing personal data exceeding a certain volume threshold.

Consent is not the only lawful basis for the processing of personal data/information. Other lawful bases provided under the PIPL include processing under a contract to which the data subject is a party, responding to sudden public health incidents or protecting individuals’ lives, health, or property under emergency conditions, and acting in the public interest for news reporting and media supervision within a reasonable scope. Interestingly, given that the PIPL also makes HR management a lawful basis for processing personal data/information, consent may not be required for an employer to process employees’ personal information for HR management purposes!

The PIPL has an interesting provision relating to M&A activity, which stipulates that if a data controller needs to transfer personal information due to a merger, division, dissolution, bankruptcy, or similar event, it must inform data subjects of the name and contact information of the recipient. Further, the data controller’s obligations transfer to the receiving party.

A data subject has the right to access, copy, correct, modify, and delete their personal information, the right of data portability, the right to withdraw and modify consents, and the right to refuse automated decision-making. The compliance requirement for employers also goes up from this month, given that employers qualify as data controllers.

Data localisation is also covered by the PIPL. The obligation to store personal information in China and undergo security assessments approved by the Cyberspace Administration of China (CAC) for cross-border data transfers is imposed not only on CIIOs, but also on companies that process personal information that exceeds an amount threshold designated by the CAC.

Other cross-border data transfers may be possible by either obtaining certification on personal information protection or signing the standard contract formulated by the CAC. It seems that the standard contract will be similar to the Standard Contractual Clauses (SCC) under the GDPR.

Certain companies that process personal information beyond a threshold are required, as under the GDPR, to designate a Data Protection Officer (DPO). Critical Internet platforms, say, those with a large user base, are subject to additional compliance obligations, such as an improved personal information protection compliance system, adherence to the principles of openness, fairness, and justice, and publishing reports on social responsibility.

The rights of children are protected under the PIPL, with the personal information of children under the age of 14 categorised as sensitive personal information. Data breach notifications are also elaborated on. Interestingly, though notification to the authority is mandatory, notification to data subjects is not, if the data controller takes measures to effectively avoid damage caused by the leakage, tampering, or loss of data.

Penalties under the PIPL may go up to 5% of a company’s last year’s turnover, revocation of the company’s licence to do business in China, and (potentially) personal liabilities for officers of the company.

Having taken note of the developments in China post PIPL, we consider it equally important to update you on the efforts made to infuse new blood into the Technology Law Committee. Following a mandate from the IBA to fill all vacancies, I had, last month, invited colleagues from all over the world to volunteer. I am happy to note that the response has been overwhelming. Hopefully, you will see a full roster of new Officers in the month of January 2022, which will take the Committee to new levels of success.

I send festive greetings from India for the festival of lights – Diwali, to all my friends across the globe. May this season and the new year outshine any in the past, and may the world recover and rebound like never before.

Warm regards,
Sajai Singh
Chair, IBA Technology Law Committee