China’s Personal Information Protection Law – FAQs

25 Oct 2021

More than 320 industry professionals attended Morrison & Foerster’s recent webinar, “All You Need to Know about China’s Personal Information Protection Law” where MoFo attorneys Paul McKenzie, Gordon Milner, Chuan Sun, and Xuezi Dan provided an overview of some of the key requirements of the Personal Information Protection Law (“PIPL”) and discussed how companies should prepare for the new law. In this follow-up, we consider the questions most frequently raised by the attendees during the webinar.

Question 1: We are a U.S.-based B2C company that targets U.S. consumers. If, incidentally, Chinese citizens located in China open accounts, do we become subject to PIPL?

Answer:

Likely yes.

While PIPL applies to the handling of personal information (“PI”) undertaken within China, it also applies to offshore handling of the PI of individuals located in China where that handling is for the purpose of providing products or services to individuals in China. There is no de minimis threshold provided under PIPL. Therefore, it seems you will become subject to PIPL if consumers in China set up accounts—not only Chinese citizens but also nationals of other countries based in China. That said, implementing rules or guidelines might be issued in future providing for exceptions or other guidance on the extraterritorial application of PIPL.

Question 2: We are a U.S.-based B2B company. We may process PI of China-based employees or other individuals in the course of providing services to some of our enterprise customers. Does PIPL apply to us?

Answer:

Possibly not—but we recommend monitoring developments.

If you are providing services to enterprise customers and not to individual consumers in China, then there is a good argument based on the strict wording of PIPL that PIPL does not apply to you directly—unless, that is, you use the PI to engage in behavioral analytics, which is another basis for the extraterritorial application of PIPL. However, we believe further guidance is needed to confirm this understanding.

Question 3: Various PIPL provisions require a data handler to disclose information about third parties receiving PI. How detailed does the information need to be?

Answer:

PIPL requires disclosure of both names and contact information of PI recipients. This wording suggests that the information needs to be quite specific, likely naming individual recipients at the entity-level, and not just by category (e.g., “service providers”) and possibly not just at the group-level (e.g., XYZ Group, or XYZ Company and affiliates). However, it will be worthwhile to monitor both interpretative guidance issued on the PIPL and evolving market practice.

Question 4: Are there legal bases other than consent to share employee data with a vendor?

Answer:

Yes, under PIPL legal bases other than consent include (amongst others) performance of a contract and human resources management. It is important to note, however, that PIPL does not include a concept analogous to the broad “legitimate interest” basis found under the GDPR regime. Therefore, if you are currently relying on legitimate interest as a legal basis for handling employee data in your global operations, you will need to ensure that your handling of PRC employee PI is covered by another legal basis recognized by PIPL.

Question 5: If there is no legitimate interest basis now, will there be one in future?

Answer:

It is not impossible that, in the future, legitimate interest might be added to PIPL or its implementation rules as a legal basis for the handling of PI. PIPL is structured so that other laws and administrative regulations may provide additional legal bases.

Question 6: Is there any distinction or exception that would apply to handling PI that is already in the public domain?

Answer:

Yes. The fact that the particular PI has been voluntarily made public by the individual, or has otherwise been made public lawfully, is a valid legal basis for handling that PI under PIPL (i.e., additional consent is not required). However, this basis is subject to three important limitations: (i) the handling must be limited to a reasonable scope, (ii) the individual must not have expressly refused the handling, and (iii) the handling must not have a significant impact on the individual’s personal rights or interests.

Question 7: What are the obligations of entrusted parties under PIPL? How do they differ from the obligations of data handlers?

Answer:

Entrusted parties (the equivalent term to “data processors” under GDPR) have more limited obligations than PI handlers do. An entrusted party’s obligations under PIPL include (i) adopting necessary measures to safeguard the security of the PI that it handles in accordance with the instructions of the PI handler and (ii) assisting the PI handler in performing the handler’s obligations under the law. That said, in practice, a sophisticated PI handler is likely to require its entrusted parties via contract to meet the PI handler’s own PIPL obligations.

Question 8: Is it the company using an enterprise cloud service that is responsible for obtaining consent from individuals (if needed) or is it the cloud service provider?

Answer:

Typically, in an enterprise cloud arrangement, it is the customer that independently determines the purposes and methods for handling PI, rather than the cloud service provider. As such, the cloud service provider will be acting as an entrusted party rather than as a PI handler. Under PIPL, the PI handler (i.e., the customer in this case), and not its entrusted parties, is subject to the requirement to obtain consent or to ensure there is another legal basis for the handling activity.

Question 9: Will PIPL require something similar to EU standard contractual clauses (“SCCs”)? Can you use an SCC between corporate entities—e.g., parent company outside China with subsidiary in China?

Answer:

The PIPL prohibits the export of PI from the PRC unless at least one of three grounds has been satisfied. One of those grounds is that the PI handler and overseas recipient have entered into a contract in the standard form to be issued by the PRC authorities. This is similar conceptually to the use of SCCs under GDPR. Indeed, it is likely that use of the standard contract will be commonplace, since PIPL does not provide for any separate grounds analogous to binding corporate rules (“BCRs”) that are often adopted by multinational corporate groups. While it is anticipated that the standard contract form will be similar to the SCCs, it is important to note that the form of standard contract has not yet been issued, and it is quite possible that existing SCC arrangements with subsidiaries in China may need to be updated to address any eventual differences.

Question 10: Can our company transfer PI cross-border for compliance purposes?

Answer:

Both PIPL and the Data Security Law require a data handler to obtain regulatory approval in China before providing data stored in China to a foreign court or law enforcement agency.

This does not preclude an international company from transferring PI cross-border for its own internal compliance purposes, for example to complete diligence for anti-money laundering or other diligence purposes, so long as the general requirements of PIPL are met in respect of the transfer.

For more information, please see our prior client alert China’s Personal Information Protection Law (PIPL): Key Questions Answered.


As further explained in the Terms / Notices linked below, the information provided herein is not legal advice. Any information concerning the People’s Republic of China (“PRC”) is not an opinion on, determination on, or certification of the application of PRC law. We are not licensed to practice PRC law.
