China’s Version of GDPR is in the Works
China’s version of the EU’s General Data Protection Regulation (GDPR) could be in place by the end of this year. Considering the amount of business conducted with this economic superpower and the differences between this proposed law and GDPR, it’s best to begin preparing for the regulation sooner rather than later.
The Personal Information Protection Law (PIPL) – the second draft of which was published in April – has some major differences from GDPR.
GDPR’s lawful bases for processing personal data include consent, legal obligation, performance of a contract and legitimate interest. Legitimate interest, in the context of GDPR, means that even if a company doesn’t have your consent, it can still collect data if it believes it has a legitimate interest in doing so; it must first carry out a risk analysis and a balancing exercise between its interests and the individual’s rights before deciding whether or not to proceed.
PIPL, on the other hand, does not include a legitimate interest basis. This means that if a company wants to collect a Chinese user’s data, feed it into an algorithm and send personalized ads based on that, the user must explicitly opt in.
Other aspects of the proposed law include requiring bigger domestic tech companies such as WeChat and Alibaba to put in place external boards to review their use of personal information. There will also be data localization requirements that will force companies to conduct security assessments in conjunction with the Cyberspace Administration of China.
Another provision of the law gives the Chinese government the power to blacklist foreign companies for “harming the rights and interests” of Chinese citizens. Even the Chinese government itself is not immune from this potential regulation – one chapter of the draft document released in April aims to regulate the federal government’s use of personal data.
If you conduct business in China, you won’t want to get caught flat-footed if and when PIPL is implemented. 2W Tech’s Cybersecurity Compliance Program was designed to support businesses with their compliance obligations. Most organizations must abide by and maintain a standard of controls that safeguards the confidentiality and privacy of the information they store and process. We work hand in hand with you to learn about your compliance requirements, help you obtain the proper agreements, and gather the relevant system architecture information. Give us a call today to get started.