While there is still a great deal of uncertainty surrounding it, one thing is clear about China’s new Personal Information Protection Law (PIPL): It means business. Intended as a law that equals or surpasses the seriousness of the EU’s General Data Protection Regulation (GDPR), it operates in similar fashion. If you don’t carefully handle the personal data of those living in China, you will be expected to pay a steep price.
As of November 1, 2021, the law is in force, and the Chinese government says it is serious about enforcement, which can include not only substantial fines and a mandate that you discontinue business operations in China entirely, but also criminal sanctions.
From a data inventory standpoint, the imperative is clear: You must know whether data you’re collecting is being collected from someone currently living in China and you must know whether that data is going to travel outside the country’s borders, as it can only do so under fairly specific conditions (if at all!). Then, once you’ve legally collected the data, you need to make sure you can keep track of it and that it is tagged properly, as any successive use of that data requires acquiring yet further consent.
Practically, this suggests your data inventory should be able to do the following:
- Provide a quick view of every piece of data collected from someone in China.
- Show you where that data is stored.
- Allow for the attachment of tags to data so that there is an immediate red flag, or some other check and balance, to make sure data is moved out of China only when the correct requirements have been fulfilled.
- Allow for the attachment of tags so you can quickly ascertain for what purposes you have consent and provide a red flag if that data is to be used for a purpose for which you do not have consent.
Depending on the size of your team, however, it may be true that you don’t need or want a system that’s so granular that it only applies to data gathered from people in China. Given the GDPR in the EU, and even laws like Brazil’s LGPD, many of the same requirements for understanding the points above apply regardless of jurisdiction — so the better course is to simply default to a system where a flag is raised any time personal data is being moved from one privacy jurisdiction to another or is being used in a way for which you’re not certain you have consent.
If you’re moving personal data from certain jurisdictions to others — such as countries in the European Economic Area to the United States — that should be flagged for someone to take a closer look, and ensure it is being done in compliance with the law.
Similarly, tagging data for the consent attached to it is quickly becoming best practice. While it may be obvious that a subscriber to your email list can get another email from you, you should be able to pick out the people who want only editorial emails and definitely do not want promotional or pure marketing emails. Further, do you have permission to send marketing emails, or only those emails required to fulfill a contract? And once you start to think about marketing, do you have permission to offer discounts to that person via automated decision making, or is automated decision making something for which you need explicit consent, as is required in China with PIPL? Do you have authority to sell or provide that data to a third party? This is particularly critical for California as well as China and other jurisdictions.
If this information is in the metadata by default, the people tasked with using that data in regular operations will be able to operate largely without oversight and with confidence. They can see exactly what they’re allowed to do and have no need for running permissions up the flagpole. It is far easier to do the work of setting up the system correctly in the first place and make the information available to everyone with permissions than it is to create a system where everyone has to do the research on the data every time they want to use it.
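As an added illustration (not code from the original article), here is a minimal sketch of the tag-and-flag behavior described above: a quick view of data by jurisdiction, plus a red flag for any unconsented purpose or unreviewed cross-jurisdiction move. The field names, jurisdiction codes, purpose labels and sample records are all assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Record:
    """One inventory entry. All field names here are hypothetical."""
    record_id: str
    subject_jurisdiction: str   # where the person was when the data was collected
    storage_location: str       # privacy jurisdiction where the data is stored now
    consented_purposes: frozenset = frozenset()    # purposes with consent on file
    cleared_destinations: frozenset = frozenset()  # transfers already reviewed

def collected_in(inventory, jurisdiction):
    """Quick view: (record_id, storage_location) for every record from a jurisdiction."""
    return [(r.record_id, r.storage_location)
            for r in inventory if r.subject_jurisdiction == jurisdiction]

def flags_for(record, purpose, destination=None):
    """Return red flags for a proposed use; an empty list means the tags allow it.

    The default is to flag: a purpose or destination that is not tagged
    as allowed is treated as not allowed.
    """
    flags = []
    if purpose not in record.consented_purposes:
        flags.append(f"no-consent:{purpose}")
    leaves_jurisdiction = (destination is not None
                           and destination != record.storage_location)
    if leaves_jurisdiction and destination not in record.cleared_destinations:
        flags.append(f"transfer-review:{record.storage_location}->{destination}")
    return flags

# Constructed sample inventory (not real data).
INVENTORY = [
    Record("r1", "CN", "CN", frozenset({"editorial_email"})),
    Record("r2", "CN", "CN",
           frozenset({"editorial_email", "marketing_email"}), frozenset({"SG"})),
    Record("r3", "EEA", "EEA", frozenset({"contract_fulfilment"})),
]

if __name__ == "__main__":
    print(collected_in(INVENTORY, "CN"))
    for rec, purpose, dest in [(INVENTORY[0], "marketing_email", None),
                               (INVENTORY[1], "automated_decision", "US"),
                               (INVENTORY[2], "contract_fulfilment", "US")]:
        print(rec.record_id, purpose, dest, flags_for(rec, purpose, dest))
```

A flag here means "route to a person for review", not "blocked": the tags only record what has already been checked.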
PIPL may be the impetus for taking this step in your organization — major violations can mean a fine of up to 5% of your annual revenue, or roughly $7.5 million, whichever is higher. There can also be fines for individual members of your executive team or employee base of up to about $150k. You may even have to directly compensate affected parties.
On the other hand, most of PIPL’s requirements would be a matter of course for a solid data management program — with privacy principles in place — and a mature data inventory system with the power to enforce and manage those principles.
Above all else, however, you need to be able to demonstrate compliance. Can you?
Any opinions expressed here and statements made are not legal advice, nor representations or warranties, and are intended to promote discussion around technology and data protection.