By Maarten Roos, Connie Chen, Catherine Zhu
China has been a prime market for foreign investors seeking opportunities. These investors may now have to take steps to ensure data privacy compliance as per the PRC Personal Information Protection Law (PIPL). However, international companies that operate in China or with Chinese customers without a local subsidiary will also need to be vigilant, as long as they collect personal information from natural persons in China.
- Extra-territorial Provisions of PIPL and GDPR
Article 3 (Paragraph 2) of the PIPL states that the circumstances in which the law applies if personal information of natural persons is collected from the Chinese Mainland and processed outside of Chinese Mainland:
- If the purpose is to provide products or services to domestic natural persons;
- If the purpose is to analyze or assess the behaviors of domestic natural persons;
- In other circumstances as per PRC laws and administrative regulations.
For example, it is quite clear that an international airline that collects detailed information from Mainland Chinese passengers, is covered by this definition. But if a restaurant in Amsterdam collects the personal information of a Chinese tourist for a reservation, does that mean the restaurant is subject to the PIPL?
There is no clear guideline on the criteria to determine whether the personal information handler intends providing products or services to a natural person in China. But since the extra-territorial effect clause of the PIPL is quite similar to terms in the European GDPR (General Data Protection Regulation), the GDPR’s solution to this issue may provide further guidance.
Under Article 3.2, the GDPR applies when a data controller or processor that is established outside the EU processes personal information of an EU data subject under any of the following circumstances:
- It provides products or services for data subjects in the EU (irrespective of whether the data subject pays for the products or services); or
- Monitoring of data subjects’ activities occurring in the EU.
To “provide products or services” to data subjects in the EU suggests that a degree of intent and awareness is required to fall under the scope of the GDPR, and there should be some evidence thereof. The EDPB (European Data Protection Board) has elaborated some factors to be taken into consideration for determine this “degree of intent”:
- Naming EU or member states in reference to the goods or services;
- Using EU languages;
- Having marketing and advertising campaigns directed at EU audiences;
- Able to place orders in EU languages;
- Paying a search engine to facilitate access by individuals in the EU;
- Dedicating addresses or phone numbers for individuals in the EU;
- Using EU domain name, for example “.de” or “.eu”.
As regards “monitoring”, this is explained to specifically include tracking individuals online, creating profiles used for analyzing and predicting their personal preferences, behaviors and attitudes, etc., the EDPB offers the following examples:
- Behavioral advertising and content localization (particularly for advertising);
- Online tracking through cookies and device fingerprinting;
- Online personalized diet and health analytics service;
- Closed circuit television (CCTV);
- Monitoring or regularly reporting on an individual’s health.
- Case Examples
One way to interpret and apply the PIPL’s Article 3 i.e., to determine whether personal information is collected and processed “for the purpose of providing products or services to domestic natural persons”, is to refer to the EDPB’s interpretation of the GDPR’s Article 3.2 under GDPR. We analyze why the PIPL could be deemed to apply in the following cases:
A UK company creates a website in the UK without any national or regional access restrictions. The website can be accessed all over the world, including from China IP addresses. The website has a simplified Chinese language option, and natural persons in China can log in, select the simplified Chinese language, and subscribe to receive monthly marketing materials. Personal information (i.e. name and email) must be provided to subscribe.
Our analysis: The website has a simplified Chinese language option, which makes it more convenient for individuals from Mainland China to access and subscribe. This is a key factor to determine whether the UK company targets Mainland Chinese natural persons to sell its products or services, and therefore PIPL shall be applicable.
An Italian charity runs a website without country or region access restrictions, which can be accesses from IP addresses in China. The website does not offer any Chinese language options. When subscribing as a member of a certain charity program organized the Italian charity, the subscriber must provide her name, email, shipping address and postcode (for the purpose of mailing program-related materials).
Our analysis: although the website does not have a Chinese-language version and so clearly does not target Mainland Chinese individuals, the collected information allows the website operator to identify the data subject’s located country. It also clearly intends to offer services. Therefore, the PIPL still applies.
A foreign website authorized a Chinese company to add a link or URL on its website; Chinese users visiting the Chinese company’s website can click this link to visit the foreign website and subscribe to certain services.
Our analysis: Although natural persons in China visit the foreign website in an indirect way, since the website of the Chinese entity is legally authorized to show the foreign website link, therefore the foreign website operator has shown an intent to attract visitors and subscribers from China. Therefore, the PIPL shall apply.
Looking at these examples, it seems unavoidable that many foreign entities without any subsidiaries or affiliate in China will still be collecting and processing personal information frequently from China data subjects. For these companies, it is time to put the data compliance topic on the table. For instance, these foreign websites will need to have privacy policies with an appendix related to data compliance in China; and they will need to designate local representatives to handle personal information protection matters, as per Article 53 of the PIPL. Once the Chinese authorities start actively enforcing the PIPL, failure to ensure compliance risks them barring these companies from selling in China.
For foreign companies that collect large amounts of data from China, a more elaborate approach will be necessary. Those companies that have collected (as of 1 January of the preceding calendar year) personal information of more than 100,000 individuals, or sensitive personal information of more than 10,000 individuals, must obtain approval from the Cyberspace Authority of China before transferring such personal data out of the Chinese Mainland.
R&P’s data privacy team advises companies on how to remain compliant with China’s data privacy laws and supports our clients with assessments and CAC filings. For more information on how we can support your business to be compliant, please reach out to [email protected], [email protected] or to your usual contact at R&P.