China officially joined the ranks of governments worldwide passing comprehensive privacy legislation on August 20, 2021. China’s new Personal Information Protection Law is the country’s first ever privacy legislation and comes after years of reports about data collection, theft, and fraud from Chinese tech giants.
The new law will go into effect November 1, 2021 and requires organizations to obtain consent for processing personal data and to practice data minimization. It also gives consumers the right to withdraw consent without discrimination, obtain a copy of their data, and request their data be deleted. Failure to comply with the law can lead to fines of up to 50 million yuan or up to 5% of the previous year’s business revenue.
Need help including privacy regulations in your incident response plan?
Leverage the BreachRx platform to make your plans actionable today!
Who Must Comply with China’s Personal Information Protection Law?
China’s Personal Information Protection Law applies to any organization in China processing the personal information of Chinese residents. It also applies to any processing of personal information on Chinese residents that occurs outside China when the purpose of the processing is to provide products or services to residents within China or to analyze and evaluate the behavior of residents within China.
Importantly, any organization that needs to share personal information with another processor located outside of China must meet one of the following conditions:
- Pass a security assessment organized by the State Cyberspace Administration
- Conduct a personal information protection certification in accordance with National Cyberspace Administration regulations
- Enter into a contract with the overseas recipient stipulating the rights and obligations of both parties
When organizations share personal information with a processor outside of China, they must also inform the individuals involved about the name and contact information for the recipient, the processing purpose, processing method, and types of personal information included.
Finally, organizations may not share personal information with any foreign judicial or law enforcement agencies without the approval of the Chinese government.
How Does China Enforce the Personal Information Protection Law?
China’s National Cyberspace Administration is responsible for overall supervision related to the Personal Information Protection Law, however relevant state councils are responsible for enforcement within their territories. As part of enforcement activities, these councils can:
- Lead personal information protection publicity and education efforts
- Guide and supervise organizations processing personal information regarding protection measures
- Accept and process complaints and reports related to personal information protection
- Investigate illegal processing activities
If a council’s investigation finds illegal data processing occurred, the council can order the organization to correct its practices and confiscate any gains obtained through the illegal practices. If the organization fails to make any corrections, the council can issue a fine of up to 1 million yuan. They can also fine any individuals directly responsible for the illegal actions between 10,000-100,000 yuan.
If the “circumstances are serious,” the council can increase the fine up to 50 million yuan or 5% of the previous year’s turnover and suspend the relevant business permit. In these cases, the council can also issue a fine ranging from 100,000 to 1 million yuans for any individuals directly responsible and prohibit them from taking on roles related to protecting personal information for a designated time period.
Unlike other regulations, the PIPL does not specify if the revenue penalty refers to turnover worldwide or only what’s generated in China. The National Cyberspace Administration will likely make this clearer via guidance in the near future.
The law gives the council discretion to determine these fines based on the loss suffered by affected individuals or the gains realized by the offending organization.
Finally, if the council identifies a crime, individuals can be investigated for any criminal responsibility and held liable if found guilty.
What Incident Response Does China’s Personal Information Protection Law Require?
Any instance of leakage, tampering, or loss related to personal information requires organizations to go into incident response mode under China’s Personal Information Protection Law.
What’s considered personal information?
China’s law defines personal information as any information (electronic or otherwise) related to an identified or identifiable natural person, excluding anonymized information.
It also outlines a special class of sensitive personal information, defined as personal information that, once leaked or used illegally, can easily lead to the infringement of personal dignity or threaten personal and property safety. Examples of sensitive personal information include:
- Religious beliefs
- Medical information
- Financial accounts
- Personal information about minors under age 14
What’s required when an incident occurs?
Once an organization becomes aware of any incidents of leakage, tampering, or loss related to personal information, they must immediately take remedial measures to correct the situation.
Organizations must also notify the relevant state council responsible for enforcement and the affected individuals. If the organization’s remedial efforts effectively mitigate the potential harm to individuals, the council may allow them to skip notifying the affected individuals.
In either case, the notification should include the following:
- The types of personal information affected in the incident
- A description of the incident
- The potential harm to affected individuals as a result of the incident
- Remedial efforts already taken by the organization, plus additional measures that individuals can take to reduce potential harm
- Contact information for a responsible party at the organization
The law does not provide any specific requirements for when this notification should be issued or how it should be delivered to individuals. The National Cyberspace Administration may provide ongoing guidance here as the Personal Information Protection Law comes into effect.
What Kind of Incidents Can Trigger a Notification Under China’s Personal Information Protection Law?
A variety of circumstances can create a privacy incident under China’s Personal Information Protection Law, since any instance of leakage, tampering, or loss related to personal information requires a notification. Some common examples of incidents that can trigger this notification requirement include:
1) Improperly Sold Data
China’s new law includes strict requirements around how organizations can process data and the consent they need from individuals for certain processing activities. Any sale of personal information that goes against consent can qualify as an incident that requires a notification under the Personal Information Protection Law.
2) Lost or Stolen Data
Any personal information that’s lost or stolen (electronic or physical) qualifies as a data privacy incident that requires a notification, even if the loss was accidental. These cases qualify as an incident since the information might then fall into the wrong hands and there is no way for organizations to track who can see it or how they’re using it.
3) Mistakenly Updated or Deleted Data
Mistakenly changing data, overriding information, or deleting details is an example of tampering with personal information and therefore creates a privacy incident that requires notification under China’s Personal Information Protection Law.
A ransomware attack is when digital information gets stolen through malware and held captive in exchange for money. Regardless of whether or not the data gets retrieved, this type of theft can expose the data to any number of malicious groups. As a result, instances of ransomware require incident response in the form of a notification.
How Should Organizations Prepare for China’s Personal Information Protection Law?
China’s Personal Information Protection Law places the responsibility of safeguarding personal information on the organizations that collect and process it. Unlike many other privacy laws globally, China’s outlines exactly what’s expected of organizations in this regard.
The law requires organizations to:
- Introduce internal management systems and operating procedures for processing and protecting data, including classified management for personal information
- Adopt technical security measures, such as encryption
- Regularly conduct education and training for employees involved in processing personal information
- Implement response plans for any incidents affecting personal information
- Appoint a person as responsible for supervising personal information processing activities and associated protective measures, and share their name and contact information with the relevant enforcement council (organizations located outside of China must appoint a designated representative inside the country)
- Conduct regular audits to ensure processing activities remain in compliance with the law
Organizations that provide “important internet services,” have a large number of users, and process complex personal information must also adhere to the following:
- Establish an independent organization to supervise the protection of personal information
- Follow the principles of openness, fairness, and justice when developing rules for handling personal information
- Stop providing services to organizations whose handling of personal information violates the law
- Regularly publish social responsibility reports on personal information protection
Overall, meeting these obligations requires organizations to take a proactive approach to incident response by developing plans that can be put into action at any time. This proactive approach requires organizations to think through three essential phases of incident response:
Readiness is how quickly and confidently organizations can jump into response mode when an incident occurs. Although China does not have specific timelines for when organizations must issue a response, the faster organizations can do so, the better chance they have of lowering the costs associated with the incident.
During the readiness phase, organizations should review the requirements in relevant laws, including but not limited to China’s Personal Information Protection Law, and any customer and partner contracts. From there, the next step is to develop incident response plans based on those requirements.
Response is how effectively organizations can enact their plans. Once again, even though China does not outline any timeline requirements, responding to incidents quickly can help organizations stem the issue before it becomes too big and mitigate any potential fallout.
During the response phase, organizations should start by investigating the incident (what happened, what data was involved, when it happened, who was affected), take appropriate steps to remediate the issue, and issue notifications as required under the law.
3) Ongoing Management
Ongoing management is the effort of regularly revisiting incident response plans as laws, contracts, and threats continue to change. China’s Personal Information Protection Law outlines this type of ongoing effort as a requirement for organizations.
During the ongoing management phase, organizations should establish a single source of truth for all monitoring, reporting, and incident response plans through a centralized dashboard. It’s important to give stakeholders access to this information to ensure they remain aligned on response plans and aware of their responsibilities.
How Does China’s Personal Information Protection Law Compare to Other Global Privacy Laws?
China is far from the first country to introduce comprehensive privacy legislation, with regulations now in place in Europe (GDPR), Brazil (LGPD), Singapore (PDPA), Australia (Australian Privacy Act), and more. Here’s a look at how China’s new law compares to other global privacy regulations.
|China – Personal Information Protection Law||Europe – GDPR||Singapore – PDPA|
|Effective Date||November 2021||May 2018||July 2014|
|Jurisdiction||Extra-territorial, if certain requirements are met||Extra-territorial||Extra-territorial|
|Enforcement||National Cyberspace Administration||Information Commissioner’s Office||Personal Data Protection Commission|
|Penalty for Non-Compliance||Up to 50 million yuan or 5% of the previous year’s turnover||Up to 4% of annual global turnover|
|Incident Response Measures||Take remediation steps and notify the relevant council and individuals||Notify the relevant supervisory authority and individuals within 72 hours||Investigate the incident and notify the PDPC and relevant individuals within 30 calendar days|
Prioritizing Proactive Incident Response in China
China’s Personal Information Protection Law is poised to usher in a new era of privacy in the country. And for global organizations operating in China, it’s the latest of many such regulations that are forcing teams to take a deep look at data protection and incident response plans.
Notably, at a time when data privacy incidents are all but unavoidable, organizations must take a proactive approach to incident response. Doing so requires teams to understand what’s required by global privacy laws, keep updated on new laws and changes to existing ones, introduce response plans that can go into action at a moment’s notice, and continually revisit those plans as regulations evolve. Automation will be essential.
This type of proactive incident response is not only required by laws like China’s, but it can also help organizations reduce the costs associated with an incident. As a result, every organization must make these efforts a top priority.
Take the risk out of your breach response
Automate your incident response today