Businesses Brace For New Chinese Data Law

September 14, 2021

China’s Congress passed the Personal Information Protection Law (PIPL) on August 20 and it will become effective as of November 1 this year. It copies the EU’s General Data Protection Regulation (GDPR) in many ways. It will reach across borders and will therefore affect all payment companies that deal with China.

The short time between the law’s passage on August 20 and its effective date of November 1 stands in contrast to the two-year grace period that passed before the GDPR became enforceable.

“It is significant because it is China's first generally applicable data protection law,” said Peggy Chow, Singapore-based counsel at Herbert Smith Freehills.

Previously, such requirements were tucked into various laws and regulations such as the Civil Code, the consumer protection law, local data regulations and sector-specific regulations that covered such things as financial services and telecommunications, Chow pointed out, noting that these other laws and regulations still applied.

As with the GDPR in the EU, these regulations will have an effect on payment companies.

“PIPL will have some impact on the likes of AliPay and WeChat, with consumers now having the ability to opt in and out of certain data services,” said Richard Turrin, fintech consultant and author of “Cashless: China's Digital Currency Revolution”.

Data that was previously available to companies, such as the data that contributed to credit scores, may not be as available to them as it once was, he pointed out, adding that “this is something that we are going to have to watch”.

Although businesses have less than two months to become compliant, there are still segments of the law that the government has to flesh out, Chow said.

“Considering the obligations that are substantially different from those under the GDPR, as well as the uncertainty about the interpretation and enforcement of some provisions in the PIPL, companies still need to take additional steps even [if] they have already made policies or set up mechanisms for GDPR compliance,” said Yan Luo, a partner at Covington & Burling in Beijing.

However, in general, the PIPL had many similarities with the GDPR, she pointed out.

For example, Luo continued, both laws oblige data controllers to protect personal information, although the PIPL uses the term “personal information processing entities”.

The laws also give data subjects various rights to privacy. The PIPL refers to data subjects as individuals. It orders data controllers to provide data subjects with the means to exercise their rights to privacy and obliges those data controllers to respond to those data subjects' requests.

However, there are also contrasts. For instance, the PIPL does not provide data controllers with “legitimate interest” as a lawful basis for processing data, Luo said.

The PIPL also requires data controllers to obtain separate consent from individuals if they want to share personal information with other processing entities; and/or publicly disclose personal information; and/or process sensitive personal information; and/or transfer personal information overseas.

As with the GDPR, it is likely to hit companies overseas.

“PIPL can apply to companies outside of China if they process personal information of people in China when they provide products and services to them, or if they monitor the behaviour of people in China,” said Chow.

But the PIPL imposes “personal information overseas transfer requirements” that are quite different from the ones that the GDPR imposes, Luo pointed out.

Under the PIPL, the data controller who plans to transfer personal information overseas needs to provide individuals with certain specific information about the transfers and: (i) obtain separate consent for doing so; (ii) adopt necessary measures to ensure that the overseas recipients can provide the same level of protection as the PIPL; (iii) carry out a “personal information protection impact assessment”; and (iv) choose one of the lawful transfer mechanisms.

This will make it a major challenge to transfer personal information outside China, Chow said.

“It is a multi-step process that requires various data transfer safeguards to be adopted simultaneously, making such transfers more complex.”

By contrast, under the GDPR, personal data can be transferred outside the EU if at least one of the safeguards has been adopted.

It is these clauses, however, that have made the laws extremely popular in China, according to Turrin.

“The laws are extremely popular in China and widely praised as Chinese internet users are more afraid of bigtech's use of data than they are of how the government uses it,” he said, adding that most people considered the laws to be a positive development that offered citizens better protection than before.

Regulators are using these laws to make the internet a more fair and just place, not least by strengthening the relationship between bigtech and society, he added.
