By Francesca Lewis, BritCham Shanghai Policy Team
On the 6th September 2021, BritCham Shanghai hosted a webinar called “China’s Data Protection Law: The Wait is Over”, focusing on the legal business and HR implications of the Personal Information Protection Law (PIPL) coming in on the 1st of November. The webinar was hosted by Jasmine Chen, the Legal Director at the Weir Group.
The webinar led to an active Q&A session with key questions included below, as there is still much uncertainty surrounding the upcoming regulations. The talk prioritised the scope of the law, the extraterritorial reach, enforcement authorities and the legal liabilities.
The following are the key takeaways but bear with us – there’s a lot of information to get through:
– Services provided outside of China to persons inside China.
– Software that analyses/ assesses the behaviour of persons in China.
– Circumstances as provided by laws and administrative regulations.
There’s a lot of key takeaways from the talk as a result of the information rich-discussions fuelled by the speakers, however, there is also more basic background information to be aware of.
The new regulations come from the central level from the CAC. They will be enforced by three other ministries; the Ministry of Public Security (MPS), Ministry of Human Resources and Social Security (MOHRSS) and the Ministry of Industry and Information Technology (MIIT). Enforcement will depend on the industry. Additionally, some sectors will also be enforced by local counterparts such as Shanghai CAC / Shanghai PSB, Shanghai Municipal Commission of Economy and Informatisation (SHEITC) and Shanghai Municipal Human Resources and Social Security Bureau (SHHRSS).
For general breaches, penalties can include confiscation of illegal gains, an order to rectify, order to suspend or terminate provision of the application programs unlawfully processing personal information. This is seemingly all reversible if the necessary corrections are made. Additionally, all authorities from central and local level have authority to fine general breaches.
For severe breaches however, penalties can include an order to rectify, confiscation of illegal gains, suspension of relevant business activities, cessation of business for rectification and/or revocation of business license or permit. Additionally, the person responsible can be prohibited from holding a position of authority (such as director, supervisor, senior manager or personal information protection officer) for a period of undisclosed time. Only enforcement authorities of provincial or higher level can penalise these types of breaches.
Can personal or sensitive personal information be stored outside of China?
If the company has met all of the government-required procedures satisfactorily, it seems likely.
Is the employment contract signature sufficient evidence of employee consent?
It depends on what the employment contract provides in terms of purpose, method, and how the company uses the information. Companies should review their existing employment contract templates, code of conduct, or relevant data protection policies already being used in the company.
If personal information handling issues are caused by a vendor, who does the liability fall with?
At this point there is no answer. It can fall either solely to either side or both parties end up facing joint responsibility. It will likely depend on the agreement in the contract to find the internal liability.
What is the main focus under PIPL? National security or protection or independent privacy?
The focus of PIPL is the right to privacy, protecting individual and personal information.
What’s the scope of HMRP exemptions?
The scope can be split into 4 stages. Recruitment, onboarding, during employment, post-employment. If contracts don’t account for this, it’s worth considering adapting them. Although agreed on during employment, it’s appropriate to seek employees’ consent – especially over personal issues. It is best to use the exemption prudently.
Information presented by:
Disclaimer: The views and opinions expressed within this content are those of the Policy team summarising the information. This material is for informational purposes only and has been prepared for the exclusive use and benefit of British Chamber of Commerce Shanghai members or prospective members. Neither the Policy team nor the British Chamber of Commerce Shanghai accepts any liability arising from use of this content.