Data flow between China and Europe:
On November 1, 2021, the Personal Information Protection Law (PIPL), a tough equivalent of the GDPR, entered into force in China. It adds to the legislative arsenal already in place (in particular the Cybersecurity Law of 2017 and the Data Protection Law of 2021). It clarifies and strengthens the legal framework within which companies can collect, use, share or store the personal data of anyone located in Chinese territory.
Every company may be subject to this law, to different degrees depending on the volume of data processed, the status of the information collector (CIIO, critical information infrastructure operator) and the nature of the latter. Personal information in China is defined as any information of any kind that identifies or can identify individuals.
China publishes its first law on the protection of personal data
One of the major points of this law is its extraterritoriality and the declared obligation for companies outside China to either establish an entity in China or have a local representative to manage the protection of the personal data that they collect. This obligation applies to all foreign companies that have access to this personal data for the purpose of providing a service, selling a product or analyzing the properties of any person established in Chinese territory. A breach of this obligation could result in the company concerned being placed on a blacklist, which would prevent it from entering the Chinese market. The law thus obliges any company that collects or simply accesses personal data in China to put in place the protective measures needed for compliance, at the risk of seeing any opportunity to develop the Chinese market closed, in addition to the risk of a significant fine.
For companies established in China, in addition to the risk of revocation of the activity license, this law provides for significant financial penalties of up to 50 million RMB or 5% of turnover (the law does not specify at this stage whether it refers to global or domestic turnover) for a company that does not fulfil these obligations.
Application of the GDPR to all companies
This situation must be combined with the application of the GDPR to all companies of Chinese origin having an establishment on the territory of the European Union (EU), or based in China but offering remote services to people in the territory of the EU. Compliance with GDPR requirements will thus have to be superimposed on the new PIPL rules for companies subject to both regulations.
The European Commission recently updated its requirements for transferring data outside the EU, which apply to partners of Chinese companies wishing to transmit data to China, or to Chinese companies wishing to access data contained in the Union. Indeed, the "standard contractual clauses" (SCCs) proposed by the Commission, a widely used data transfer compliance tool, have been amended and now require the data exporter and importer to assess in practice whether the legislation of the third country makes it possible to respect the level of protection required by EU law and the guarantees provided by the SCCs. Otherwise, additional measures will have to be put in place by the companies concerned.
Particular attention should therefore be paid to these aspects when they involve potential breaches of the provisions of the GDPR and, therefore, the implementation of the corresponding penalties (administrative fines that can reach a maximum of 20 million euros), explains this Chinese law firm.