A New Data Protection Law - Due in 3 weeks!
Since 2017, when the Cyber Security Law was first introduced, we have been witnessing an increase in legislation regarding Data Protection in China. There are 3 main laws constructing this old-new legal framework – the Cyber Security Law (CSL), the Personal Information Protection Law (PIPL, still a draft, expected to take effect in 2022) and the latest Data Security Law.
What are the differences?
CSL – This was the first time one macro-level law relating to data protection was introduced in China, merging other laws and local regulations under one roof. This law also stipulated legal liabilities for consideration by any company that employs networks or information systems in its operations.
PIPL – Still a draft. This law will detail liabilities in regard to the protection of personal data companies might be collecting and processing for their operations. There is still no concrete date for this law to be officially released, but the draft is widely circulated online, plus, if you are already familiar with the GDPR, this law won’t catch you by surprise.
Nonetheless, it is better not to wait for the official enactment of the law, and start preparing your business to comply with it well in advance. Not convinced yet? Just look at what the Chinese tech giants are dealing with now. You might not be collecting data like Alibaba, but if you really check, you’d be surprised how much personal information you might be collecting for daily operations.
The Data Security Law – Outlining the frame for how data should be treated - used, collected, developed, and protected in China. This law will take effect on September 1st so it’s critical you understand how it is going to affect your business.
What you should know and do?
Put someone in charge –
The upcoming law states that both the company and the individual who oversees data protection will be subject to penalties and other administrative punishments specific to companies.
This means you better appoint someone in your organization, committed to overseeing compliance with the new law. The law does not explicitly state whether this individual should be employed by the organization, or whether the service could be outsourced, but it is advisable to have someone responsible.
Check local regulations –
As with all macro laws, this one too has some ambiguities, such as the definition of “important data” and “core data”. You can expect local governments and bureaus to add their own regulations, so make sure to check what is relevant to where your business is registered.
Penalties –
Non-compliance with the law will result in penalties, based on the severity of the violation. The penalties can vary starting from 100K RMB fines and all the way to business license revocation.
Remember that the individual in charge might get fines as well.
Take the time to map all data-related processes in your organization -
Since the law classifies data into several different types, and each one might be treated differently by different people and for different purposes, it is important to create clear procedures for each process separately. This will allow you to better understand the specific requirements for each type of data and formulate relevant handling routines aligned with the law.
IT Compliance –
Since the new law pertains mostly to online systems, either connected to the internet or not, we suggest you get some IT advice and check your systems with an expert to ensure all processes are compliant with the law and all data is properly stored.
In the coming weeks we will dive further into these Data Protection laws and focus on the implications they will have on your business. Stay tuned, and share your comments and questions below.
Past Posts
News
Who has a legal responsibility in a WFOE?
News
Transfer funds out of China
News
3 perspectives on manufacturing in China
WeChat ID: PTL Group