Please join us as we discuss China's evolving data protection regime and what technology companies will need to know. This program will provide an overview of China’s Personal Information Protection Law (PIPL) and Data Security Law (DSL), and their impact on the technology industry, cross-border transfer of data and technology, and relevant data privacy compliance issues.
KEY TAKEAWAYS
Multinational tech companies handle significant amounts of often potentially sensitive personal data. The three most critical legal frameworks for data protection affecting global tech companies in China are the Cybersecurity Law (CSL), which took effect in 2017, and the Data Security Law (DSL) and Personal Information Protection Law (PIPL), both of which took effect in 2021. These laws demonstrate the Chinese government's aim in enhancing data protection supervision, specifically with respect to data that will impact data security and national security.
Issues Affecting Multinational Technology Companies
- The Chinese data protection laws require companies acting as data handlers (a concept under the PIPL, similar to data controllers under the EU General Data Protection Regulation) to obtain informed and separate consents from the data subjects for the collection, processing, and cross-border transfer of personal information (limited exceptions apply).
- For data localization and cross-border transfers, a security assessment by the Cyberspace Administration of China, certification by a qualified institution, or standard contract may be required, depending on the types and volume of the data to be cross-border transferred.
- Global tech companies must also comply with the Multi-Level Protection Scheme (MLPS), developed to identify the nature of systems deployed and data handled in China, and whether and to what extent it could raise cybersecurity concerns.
- Specific Regulations on Mobile Applications (Apps): Technology sector–specific regulations follow the general principles of the PIPL, DSL, and CSL but impose additional privacy and cybersecurity obligations.
Proactive Steps to Mitigate Compliance Risks
- Perform data mapping to understand categories and location of data and identify important data, personal information, and sensitive personal information that the company is processing.
- Perform a gap analysis of the current data-related policies, both internal employee notices and external-facing privacy notices and policies, to comply with the informed consent requirements.
- Establish a risk assessment process for major data processing activities, covering the processing of important data, (sensitive) personal information, and cross-border data transfers, including the internal assessment and government reporting obligations.
- Conduct the MLPS as soon as possible.
- Understand the localization requirements and (if required) implement localized storage within China.
- Understand any app-specific requirements and take actions to be fully compliant.