Data assessment, user consent key to compliance with China law


International businesses that process information from China should obtain user consent and establish a data map, so they do not run afoul of the country’s Personal Information Protection Law (PIPL). Specifically, they should look closely at cross-border data flow and residency, even as more clarity still is needed on some components in the new legislation.

Organisations that already are set up to comply with Europe’s General Data Protection Regulation (GDPR), though, have a good foundation on which to work towards PIPL adherence.

Passed in August, the Chinese legislation came into force last month, laying out ground rules around how data should be collected, used, and stored. It outlines data processing requirements for companies based outside of China, which included passing a security assessment conducted by state authorities.

Multinational corporations (MNCs) that move personal information out of the country also will have to obtain certification on data protection from professional institutions. The Chinese government described the legislation as necessary to address the “chaos” created, in which online platforms had been excessively collecting personal data.

Because it was modelled broadly after GDPR, enterprises that had readied themselves for the EU data protection legislation would be better placed to prepare for PIPL compliance.

For instance, both bills spell out the need to get user consent and rules around data sovereignty, according to Xin Leo, a Shanghai-based senior associate with law firm Pinsent Masons.

Like GDPR, companies would need to obtain consent before collecting and using data from customers under PIPL. The Chinese legislation also outlined standard clauses that should be included in service contracts or agreements between both parties–one that provided the data and the other that received it–that were similar to those detailed under GDPR.

This ensured organisations that collected and processed data would provide similar levels of protection under PIPL as they would with GDPR, Xin said in an interview with ZDNet.

Being GDPR-compliant put enterprises on the right path towards PIPL adherence as well as other associated Chinese legislations, specifically, the country’s 2017 cybersecurity and 2021 data security bills,
