10 ways China’s new data rules will change your business


Summary

  • 10 key facets of the comprehensive new privacy law transforming the business landscape in China — plus strategies for responding.
  • The legislation applies globally to any company processing data originating in China.
  • Penalties are potentially significant and may include imprisonment.

Navigating PIPL compliance

The Cyberspace Administration of China (CAC) recently issued draft administration regulations on network data security that augment the Personal Information Protection Law (PIPL) enacted November 1. If the CAC finalizes these new provisions by the end of 2021, as expected, it may create one of the most stringent regulatory regimes many multinationals will encounter and significantly increase the risk and cost of doing business in the world’s most populous country.

Who’s affected: The law’s global reach

If your company processes any personal data from China to provide a product or service to Chinese residents or to analyze their behavior, you will likely have to comply with PIPL’s rules — even if you have no business presence in China. For PIPL, “personal information” is any information related to an identified or identifiable person. It does not include anonymized data. A “personal information processor” as defined by the law is any individual or organization with the discretion to determine the purpose and method of data processing.

If you process any personal data originating in China, the law may apply to you — regardless of your location.

10 key requirements to address now

Controlling data throughout its entire life cycle is no longer just an industry leading practice — in China it’s the new minimum baseline. When you take the new rules in the context of the existing China Cybersecurity Law (CSL), Data Security Law (DSL) and PIPL, a clear picture emerges of ten high-impact changes for non-Chinese multinationals. 

1. Dynamic data inventory. 

China requires classification of data into general, important and core categories. Multinationals with a significant presence in China will need to enhance their record of processing activities with new required fields and automate as much of this process as is feasible with data discovery, classification and workflow technologies. 

2. Data localization.

Companies that meet the criteria under CSL for critical information infrastructure operator (CIIO) or process large volumes of Chinese personal data are subject to data localization requirements in China. The new rules bring the reach of these requirements to foreign companies outside China if they process data for providing goods or services to China, analyze behaviors of individuals in China or process important data. 

3. Local governance staff. 

Recent legislation sets out extra requirements on appointing data responsible persons. If your company processes Chinese resident data but lacks a business presence in the country, you’ll have to either create a special agency or appoint representatives in China to be in charge of your compliance. This provision adds China to the list of about 70 territories tracked by PwC’s Ready Assess database that require local data protection officers.

4. Multilevel barriers to cross-border data transfers.

To transfer Chinese resident data abroad, you’ll generally need to follow a series of steps including obtaining consent; registering the transfer with the government or completing an assessment certified by a third party; implementing technical security measures to prevent foreign-government access to the data; and tracking onward transfer to other entities.

Multinationals currently enhancing their data-transfer controls for EU General Data Protection Regulation (GDPR) and Schrems II readiness will need to apply a similar but augmented approach to their Chinese data transfers and extend their SOC 2 assurance capabilities to this scope.

5. Multiple mandatory assessments.

China’s data privacy and security laws require risk and impact assessments across a broad array of use cases. Companies that automate their data privacy and protection impact assessments for the Americas and EMEA now have a driver to extend this capability to the Asia-Pacific region.  

6. Consent management for sensitive personal information.

If you process data designated as “sensitive personal information,” you’ll have to seek separate consent from these individuals or their guardians, state why you’re processing this data and explain the impact.

China’s rules amplify the impact on consumer-facing companies of similar consent requirements in Europe and the United States at the same time that technology platforms are restricting the use of tracking mechanisms such as cookies, putting a premium on permission-based consumer relationships. 

7. Accelerated incident response.

Data processors must, within three working days, notify multiple business and government stakeholders as well as affected individuals about an incident, the risk of data breaches and the remedial actions they’ve taken. If the incident involves important data or personal data on more than 100,000 people, companies must report the breach to the appropriate regulators within eight hours.

This timeline is among the most stringent globally and will require state-of-the-art detection, response and resilience capabilities typically seen only in advanced financial and technology companies.

8. Consent for automated decision-making.

Many companies from retail to insurance are striving to address their talent shortage by applying artificial intelligence and machine learning to robotic process automation. If your company uses Chinese personal data for automated decision-making about individuals, you may need to provide transparent explanations about how you’re making decisions about them and enable them to reject the automation and ask for a manual review. 

9. Transparency reports for platforms.

If you operate a large digital platform, you may have to enforce fair, transparent and impartial data-processing rules for the product and service providers who use it. You’ll also need to publish social-responsibility reports on data handling, establish a personal information protection compliance system, and create an independent, external body to supervise personal information protection. 

10. Third line of defense for privacy.

The internal audit departments that constitute the third line of defense in organizational systems of control historically have not maintained data privacy talent in many companies. Instead, they often turn to their own privacy offices or external audit firms for consultation and support. The new rules in China don’t explicitly require internal audit privacy expertise. If PIPL applies to your company, however, data privacy is likely to join cybersecurity as a top risk and it will require ongoing monitoring and control.


The stakes: Significant penalties and possible jail time

PIPL establishes a spectrum of materially significant penalties for businesses: confiscation of illegal gains, a fine of up to RMB 50 million (about $7.8 million) or 5 percent of the past year’s turnover, and even the possibility of business suspension. Violations could also affect a company’s social credit scores, making it difficult to access credit, purchase property and conduct everyday business operations.

Significantly, the law also contemplates criminal and civil penalties, with a reverse burden of proof in civil cases. Rather than a plaintiff having to prove violations, companies must prove compliance. There is no cap for civil cases, making liabilities potentially unlimited. 

PIPL may also hold individuals, such as business leaders and data protection officers, responsible for violations. Authorities and courts could then impose monetary fines of up to RMB 1 million (about $157,000) on individuals, take disciplinary actions and even impose prison sentences. 

How PIPL differs from GDPR and CPRA

Provision: Right to stop processing
  GDPR: Right to withdraw consent or otherwise stop processing of EU personal information
  CPRA: Right to opt out of selling/sharing personal information; must include opt-out link on website
  China's PIPL: Right to limit or refuse processing of personal information, with some exceptions; right to withdraw consent

Provision: Right to stop automated decision-making
  GDPR: Right to require a human to make decisions that have a legal effect
  CPRA: Regulations to govern access and opt-out rights for automated decision-making technology
  China's PIPL: Right to explanation and right to refuse solely automated decisions with significant impact

Provision: Right to stop third-party transfer
  GDPR: Right to withdraw consent for data transfers involving second purposes of special categories of data
  CPRA: Right to opt out of selling/sharing personal information to third parties
  China's PIPL: Requirement to obtain explicit consent before transfer to third parties

Provision: Right to equal services and price
  GDPR: At most, implicitly required
  CPRA: Explicitly required
  China's PIPL: Partial. Cannot refuse to provide goods and services if individual refuses to consent (unless necessary)

Provision: Regulator enforcement penalties
  GDPR: Ceiling of 4% of global annual revenues
  CPRA: No ceiling—$7,500 per violation
  China's PIPL: Ceiling of 5% of annual revenues or RMB 50m ($7.8m), plus potentially unlimited penalties to businesses and individuals

Solutions: The path to data compliance

China’s new data legislation potentially poses new risks and costs, but it’s possible to mitigate both. To support holistic, cost-effective and agile compliance, we suggest five steps.

  1. Identify exposure. Are you handling Chinese residents’ personal information? If so, assess and document these activities. Cover the full data-use life cycle, note your legal basis for these activities and locate relevant documents. Determine whether you may be deemed a critical information infrastructure operator (CIIO) or if you process large enough volumes of data to face potential additional compliance requirements.
  2. Assess the gaps. Assess compliance protocols in light of new rules, then identify risks and potential penalties to set priorities for remediation. Pay special attention to your workforce, as the new regulations and the potential penalties for individuals have led to shortages in trained data protection officers.
  3. Remediate and enhance. As you close current compliance gaps in line with risk-based priorities, act to prevent future shortfalls, too. Enhance management practices, workforce capabilities and technology tools for personal information handling. Where ambiguities remain, consider both government intent and global leading practices. 
  4. Conduct impact assessments. Perform and document personal information protection impact assessments as mandated for high-risk activities, including but not limited to cross-border data transfers. Given existing ambiguities, err on the side of too many rather than too few assessments.
  5. Set up a technology-enabled system. For long-term, cost-effective compliance, establish dedicated roles and responsibilities, detailed privacy management policies and procedures, a playbook for personal information protection impact assessments and an audit program — all supported by technology solutions.

Strategic implications requiring attention now 

PIPL may become a critical turning point for some companies. Non-Chinese firms with robust operations in China may face substantial increases in the cost of doing business. Those in the technology, retail, automotive, banking and pharmaceutical sectors — where the Chinese government has focused its enforcement attention — should prepare for change.

Companies may need to take these steps.

  • Redesign information systems to localize data for the Chinese market.
  • Assess and segment vendors and supply chains to mitigate risk.
  • Reevaluate deals in light of altered costs and returns on investment.
  • Modify legal-entity structures and tax strategies to adapt to altered business operations.

Some companies may require a larger shift in their Chinese business strategy to optimize their market position, finding new opportunities in a transformed marketplace. Swift and thorough action is imperative to successfully navigate this new digital landscape.


Jay Cline

US Privacy Leader, Principal, Minneapolis, PwC US


Joseph Nocera

Cyber, Risk and Regulatory Marketing Lead Partner, PwC US
