China’s second draft of the Personal Information Protection Law (PIPL) regulates how organisations may collect, use, store and transfer personal information of residents in the People’s Republic of China (PRC). Patric Sawada, head of growth at Silkdrive, explores the potential impact of the PIPL on personal information processing, and what it means for international organisations and their marketing activities.
Which organisations have to comply with the PIPL?
Any organisation handling personal information of individuals based within the borders of the PRC will have to comply with the PIPL. And not only local organisations will be affected; international entities outside the PRC that provide products or services to individuals within PRC borders, or analyse and evaluate data on individuals within PRC borders, will also have to comply.
What are the main principles of the PIPL?
Similar to the European Union’s (EU’s) General Data Protection Regulation (GDPR), the PIPL guarantees individuals’ right to know and make decisions about the processing of their personal information, as well as the right to withdraw or refuse consent, and request correction or deletion.
Any gathering of information needs to be on a legal basis, of which the most common is the individual’s consent. Additional bases include contractual obligations, legal duties, public health emergencies, and various circumstances stipulated in other laws and administrative regulations. Unlike with the GDPR, legitimate interest is not a legal basis for organisations to collect and process data under the PIPL.
Further important principles include ‘explicit purpose’, ‘minimum necessary’ and ‘transparency’. ‘Explicit purpose’ for the collection, storage and processing of the data means personal information can only be used for that purpose. ‘Minimum necessary’ means data may not be held if it is not needed or does not serve the stated explicit purpose, and data may not be held for longer than needed. ‘Transparency’ means the individual needs to be aware of how their data is handled, stored and processed, and who has access to it.
What are the consequences of violating the PIPL?
In 2020, GDPR-related fines rose by nearly 40 per cent and totalled EUR 158.5 million. This shows there can be serious consequences for violating data protection laws, and provides an example of what can be expected from the PIPL in the future.
Upon violation of the PIPL, the authorities may impose correction or confiscation of illegal income, issue warnings and sanction fines of up to CNY 1 million, or in serious cases, up to CNY 50 million or 5 per cent of the previous year’s turnover. The authorities can also suspend or cancel the licence of any business that refuses to correct data.
Under the PIPL, the person directly responsible—like managers and data protection officers—can also be fined up to CNY 100,000, or in more serious cases, up to CNY 1 million. There may even be criminal liability, which is not the case under the GDPR.
How does the PIPL affect marketing?
The current draft of the PIPL leaves many aspects open to interpretation, so there is still some uncertainty about how it affects marketing specifically. As with the GDPR, marketing departments should pay special attention to cookies used for profiling or storing personal information, contact forms, newsletters, lead generation campaigns, customer relations and analytics. In addition, the use of algorithms, location tracking, and how to deal with third-party data and cross-border processing of data should be carefully reviewed.
Organisations using algorithms are required to ensure the transparency of the decision-making process. Individuals have the right to request an explanation as to why an algorithm produced a certain result, and can refuse the use of automated decision-making completely.
Marketers that use automated or programmatic decisions based on the analysis of personal information—like website personalisation, personalised offers or advertising—should be aware that individual consent will be a prerequisite.
Under the PIPL, the location tracking of individuals will be regarded as ‘sensitive personal information’ and will be strictly limited. This will restrict organisations’ ability, for example, to track offline store visits for use in remarketing and retargeting campaigns.
Marketers may rely on technology giants to provide access to vast datasets of customer data in order to personalise content and advertising. But organisations should reassess the legal basis under the PIPL of sharing data with third parties and the use of third-party data. Providers of third-party data, platforms and advertising networks will also be under scrutiny as to how they obtain and process personal information.
Organisations that process personal information cross-border are required to appoint a dedicated entity or representative in China, sign standard contractual clauses for cross-border transfers, and may be subject to security assessments or certification requirements by the Cyberspace Administration of China (CAC).
How to become PIPL compliant, step-by-step
- If your organisation is already GDPR-compliant, it is likely that at least some measures are in place. However, there are several differences between the PIPL and the GDPR to consider. Find a specialised legal advisor or law firm to make sense of the PIPL and how it will affect your organisation specifically.
- Put together an internal team and review all personal-information handling in the organisation by data mapping the current processes and software.
- Work with information technology, human resources, marketing, sales and any other departments that handle personal information, to implement policies and procedures according to the PIPL principles. If external agencies or third parties are involved—such as advertising agencies, software-as-a-service, external customer service, platforms and so on—make sure the appropriate agreements are signed.
- Update privacy statements, cookie notifications, and terms and conditions, and inform all contacts. If explicit consent has not been obtained earlier, notify these individuals and request explicit consent for each and every purpose of the intended use.
- Inform and train all employees handling personal information on how to do so properly. Make sure access rights and physical security measures are aligned.
- Document all efforts, policies and procedures that are put in place. Make a plan to audit and review them regularly.
Take action now
Becoming compliant with the PIPL will take dedicated time and resources to implement the changes needed. Currently, it is unknown whether there will be a grace period and, if so, for how long. After the GDPR was introduced, many organisations in the EU struggled to become compliant within the grace period, and some are still not compliant today. To avoid this situation, organisations that have not yet started preparing for the PIPL should begin to take action now.
Disclaimer: This article does not represent legal advice. If you need legal advice on these matters, please seek assistance from professional legal counsel.
Silkdrive is an international agency for marketing and localisation across European and Asian markets. We developed the ADAPT Culture Framework to localise marketing assets and advertising based on cross-cultural research, and have worked for more than 50 companies in over 30 different industries. European companies doing business in China hire us for digital marketing services like advertising, e-commerce, and international SEO. Since 2016, we have also supported marketing departments to implement GDPR and cookie banner solutions.