Why does China’s Personal Information Protection Law matter to Australian organisations?
11 March 2022 06:00
Should Australian organisations, even those that don’t have a Chinese market for their products or services, care about China’s new privacy law?
On 1 November 2021, China’s Personal Information Protection Law (PIPL) commenced in the People’s Republic of China. The PIPL establishes a framework for collection, storage and disclosure of personal information.
This wide-reaching jurisdictional approach of the PIPL is similar to the extraterritorial operation of article 3 of the European Union’s General Data Protection Regulation (GDPR).
How will China’s new Personal Information Protection Law impact Australian organisations?
You may not expect that legislation passed in the People’s Republic of China could potentially impact Australian organisations that have little connection to mainland China. But the PIPL, with its significantly wide jurisdictional reach, does exactly that.
It applies not only to organisations that handle personal information within China (such as to global multinationals with local Chinese operations), but also to organisations that handle personal information outside of China, if the personal information they handle relates to any individual inside China.
Australian organisations that are domiciled outside of China may (sometimes unexpectedly) find themselves subject to the PIPL if, for example:
- they sell goods or services to persons in China (even if those products are only sold in China online)
- they analyse the behaviour of persons in China (such as through marketing campaigns or through customer feedback programs)
- they have a web platform accessible in China
- they employ personnel in China, or even if they have employees in Australia who ordinarily reside in China (such as those on a working visa), or
- they have customers who access their products or services in Australia but ordinarily reside in China (such as Australian universities with international students and tourist operators with China-based customers).
But are these organisations ‘handling’ personal information?
Handling of personal information under the PIPL is broadly defined and includes collecting, storing, using, processing, transmitting, providing, disclosing and deleting personal information, through any means - whether online or through traditional methods such as hard copy.
In this way, the PIPL applies broadly to most activities involving personal data.
Organisations that collect employment data (such as their Chinese employees’ residential addresses), the vaccination status of China-based staff or customers, or the resumes of potential China-based employees, or that collect and analyse de-anonymised “click data” of Chinese customers, would all be “handling” the personal information of persons in China.
What are the key rules for Australian organisations handling the personal information of individuals in China?
The PIPL contains eight chapters and 74 articles regulating how organisations handle personal information including:
- restrictions on cross-border transfers. These restrictions will impact many organisations, including those that employ persons in or from China or who have customers from China, as these organisations are likely to be storing personal information such as employee or customer records or customer feedback, on servers outside of China.
- requirements for critical infrastructure operators in China and large organisations above a (yet to be defined) threshold of data collection to obtain a security assessment clearance from the Cyberspace Administration of China (CAC) in order to transfer personal data overseas. It remains to be seen how difficult, or easy, it may be to arrange the relevant security assessments; the regime may effectively operate as a requirement for most large organisations to store their data locally in China.
- restrictions on information that can be provided to Australian judicial and enforcement agencies.
- restrictions on the collection of sensitive personal data, including data pertaining to minors under the age of 14.
- obligations on data controllers that are similar (but not identical) to those currently applied to data controllers under the GDPR.
What are the penalties for Australian organisations mis-handling the personal information of individuals in China?
Penalties for non-compliance with the PIPL may be severe, with fines up to 5% of the organisation’s revenue for the prior year or up to RMB 50 million (around $10 million AUD) and suspension or termination of the organisation’s license to operate in China.
In light of these penalties, Australian organisations that handle the personal information of individuals who may reside in China, or that handle personal information in connection with such individuals, should urgently undertake a review and assessment of their data handling activities to determine whether the PIPL applies to them and, if so, to ensure compliance with the PIPL.
Organisations may need to amend their existing privacy and data handling policies, controls and processes or reconsider how and where they handle personal information to ensure compliance under the PIPL.
Whilst there are many similarities between the PIPL and the GDPR, the schemes are not identical. Organisations that currently comply with GDPR requirements and that will now also be subject to the PIPL should undertake a gap analysis between the PIPL and the GDPR to ensure compliance with both schemes.
Organisations may benefit from appointing a representative in China, or locally, to deal with PIPL matters and to liaise, as needed, with Chinese regulators including the CAC.
Alison Cripps is the LexisNexis Legal Writer for Practical Guidance – Cybersecurity, Data Protection and Privacy.
LexisNexis Practical Guidance for Cybersecurity, Data Protection and Privacy provides extensive practical guidance on China’s Personal Information Protection Law, including English translations of the PIPL and other applicable Chinese legislation and a PIPL Applicability Assessment Questionnaire to assist with determining if the PIPL applies to your organisation.