On the 31st of March 2022, the Belgian-Chinese Chamber of Commerce (BCECC) organized a webinar together with tax and legal experts from BDO Belgium. During the webinar, China’s new Personal Information Protection Law (PILP) was introduced, including the difference with the European GDPR and what this new legal framework means for your business in China.
It is clear that PIPL-compliance should become part of each organization involved in personal data processing in China. Belgian companies with activities or employees in China should make sure they comply with the law in their daily operations. The implementation of the PIPL is a comprehensive project, requiring cooperation from legal, HR and IT departments.
China’s Personal Information Protection Law was promulgated on 20 August 2021 and took effect on 1 November 2021. The aim of the new law is to regulate activities involving personal data of Chinese individuals, processed by companies and individuals, but also organizations providing internet platform services and public authorities.
It is the very first comprehensive and specialized legislation regarding personal information protection in China. Compared with the PRC Cyber Security Law and the PRC Civil Code, which also provide legislation on personal information protection, the new PIPL improves the rules and elaborates on the processing of personal information and cross-border provision of personal information, rights of individuals in processing activities, and obligations of personal information processors.
Companies must notify their employees and obtain their consent in view of the processing of personal information. In special situations, such as the treatment of sensitive information or the collection of personal images of employees, specific consent of employees is required.
Furthermore, for HR management purposes, a Chinese employer may need to change its employment policies by updating the statutory procedures or by concluding collective contracts with employees, covering the processing of specific personal information.
Special requirements for cross-border provision of personal information:
If an employer wants to provide personal information about its employees in China to its foreign headquarter or plans any other cross-border data transfer, it shall adopt certain measures to ensure that data processing activities comply with the PIPL standards. The employer shall accept a security assessment by China’s cyberspace authority CAC, or alternatively obtain a personal information protection certification by a qualified professional institution or conclude a data transfer agreement with the overseas recipient, as formulated by the national cyberspace authority.
In addition, the employer must notify employees of the name and contact information of the overseas recipient, processing purpose and method, type of information, and the way and procedure for employees to exercise their legal rights against the overseas recipient.
If the employer fails to process personal information according to the law, it may lead to penalties on the employer and its staff directly in charge. If the employer causes any damages to the employee, the employer may be liable for such damages. Administrative fines could be up to RMB 50 million or 5% of the annual turnover in the preceding year. Other penalties are warnings, termination of services, rectification orders, revocation of business licenses or even the prohibition of doing business in China.
The new PIPL is inspired by GDPR, with a clear influence of the underlying goals, which is shown through more stringent obligations for strategic players, keeping data within China, the possibility to blacklist foreign entities and the supervision by state administration. The PIPL is definitely vaguer than the GDPR, so its impact will depend on the guidelines for its application and the use Chinese authorities will make of the PIPL.
For more information and support with regard to China’s Personal Information Protection Law, please contact us or follow the official WeChat account of the Belgian-Chinese Chamber of Commerce.