China’s Cybersecurity Law: Personal Information Protection Law (PIPL) Overview
As part of our series providing insights into the Cybersecurity Law of the People’s Republic of China (PRC), this Point of View (POV) highlights a key area pertaining to personal information protection.
Personal information is defined as information that can be used individually or in combination with other information to identify a person. Requirements around the dissemination and management of personal information by network operators are prescribed within the Cybersecurity Law and are closely linked to the national standard of personal information protection, the Personal Information Security Specification (“the Specification”).
The enforcement of personal information protection is primarily based on the Territoriality Principle: all legal entities operating in mainland China must comply with legal requirements, and authorities can prosecute offenses committed within the Chinese border. This means that both local and multi-national companies operating within mainland China are accountable for personal information protection and must comply with requirements outlined in the Cybersecurity Law and the Specification. It is therefore essential that companies understand these requirements and address the potential compliance challenges discussed in this POV.
The Cybersecurity Law is based on a Territoriality Principle, requiring compliance by any company processing personal information within mainland China. As such, even multi-national companies within mainland China must comply with the personal information protection requirements outlined in the Cybersecurity Law even if they only process personal information belonging to citizens of other countries. In addition, industries or business functions in marketing and sales, data analysis, medicine, customer relationship and others related to personal information processing are obligated to comply with those requirements.
GDPR is based on a Personality and Protective Principle. It stipulates that entities in countries beyond the EU providing services or goods to its citizens can fall under GDPR requirements.
The Cybersecurity Law considers personal information protection as part of the network operator’s responsibilities. Administrative authorities can take legal enforcement actions on network operators whom they believe have not fulfilled obligations around personal information protection and can require network operators to provide evidence of compliance.
GDPR tends to regard privacy protection as the data subject’s right. Therefore, to justify penalties for infringements of GDPR, administrative authorities in the EU must prove with solid evidence that a violation against the regulation and data subject rights exists or a data breach has led to the disclosure of private data.
As the Cybersecurity Law is a statute within the PRC hierarchy of sources of law, this has several implications. First, the Cybersecurity Law has effect within the territory of mainland China, and no national regulations, rules or local legislation can override it. Secondly, where they do not conflict with the Cybersecurity Law, administrative regulations and rules enacted by the State Council of the PRC and its subordinate ministries and commissions can prescribe detailed specifications, standards, and procedures to enforce the Law.
GDPR should be regarded as an administrative regulation or international agreement created by the European Parliament and the Council of the European Union. Although GDPR claims to be effective in the EU and the European Economic Area, it cannot conflict with the laws of sovereign states within the EU. Furthermore, there is no unified EU enforcement agency for GDPR, nor are there unified specifications, standards and procedures. Thus, each sovereign state in the EU has the right to lay down rules on penalties applicable to GDPR infringements, and each supervisory authority shall take legal enforcement actions on their own.
The Cybersecurity Law may refer to both the Public Security Administration Punishment Law and the Criminal Law of the PRC to determine penalties for legal violations and offenses, which include administrative fines, custody, and, in the worst cases, criminal sentences. Because of the differences between the Administrative Punishment Law and the Criminal Law, the severity of penalties varies depending on which is broken.
The typical penalties issued under GDPR are administrative fines that generally fall below €1 million ($1.08 million USD) for a single case. Notable exceptions include a fine of €204 million ($220 million USD) issued to British Airways for a data breach; €50 million ($54.1 million USD) issued to Google for transparency violations in France; and €2.6 million ($2.8 million USD) issued to the National Revenue Agency in Bulgaria for stolen personal data.
When comparing the Cybersecurity Law and GDPR, it is clear that the personal information protection clauses in the Cybersecurity Law prescribe the more severe penalties for violations. Organisations’ senior leadership should pay close attention to the request for comments on the Public Security Administration Punishment Law, since the public security agency has the authority to perform administrative adjudication without public defense and judgment, and it is possible that the ruling may include a period of jail time.
Cybersecurity threats present a potential challenge for companies trying to achieve compliance with personal information protection regulations. According to the Internet Security Threat Report from Symantec, one in every 3,208 emails in China is a phishing email, and the country’s spam rate is up to 62.2 percent. Of 545,231 ransomware attacks globally, 16.9 percent targeted China, placing it among the top three targets for these attacks. China also accounted for 19 of 49 espionage indictments by U.S. authorities, and is one of the top sources of Internet of Things (IoT) attacks at 24.0 percent. As cybersecurity is a part of personal information protection, it is imperative that companies take measures to defend against security threats.
However, this is complicated by a shortage of security professionals in China. The CAC reported in September 2018 that the gap in security professionals would reach 1.4 million by 2020. Without enough security professionals to work on developing technical solutions and adjusting security processes, it is difficult for legal compliance to be effective and continuous.
The progress of digitalisation in China has deeply impacted all aspects of the economy and enabled rapid market expansion. The increasing reliance on internet technology saw the monthly active users of China’s mobile internet reaching 1.136 billion as of June 2019, according to data from QuestMobile. Market penetration of social media reached 87.2 percent as of December 2018, with WeChat reported as the most used platform.
A challenge resulting from these trends is that when designing technical solutions for legal compliance, especially for personal information protection, companies must consider both business functional operation and user experience in the development phase. Otherwise, businesses will expose themselves to legal risks when compliance solutions are abandoned due to poor user experience, operation performance pressure, and market competition.
The Specification provides detailed technical requirements regarding data, development, and data lifecycle management, which may not be compatible with companies’ existing application systems.
Companies may realise that compliance with personal information protection regulations requires more than firewalls at the network border and anti-virus applications on endpoints, while supply chains make compliance with privacy regulations even more complicated.
While the Cybersecurity Law holds network operators accountable for personal information protection, the Specification prescribes compliance requirements for controllers, not processors. Therefore, not only will each network operator need to comply with personal information protection requirements itself, it will also have to provide specific instructions to prevent suppliers from intentionally or accidentally violating the legal requirements. This is especially important in China, where the rule of law may sometimes be neglected in favour of political or financial considerations.
To comply with these requirements effectively and efficiently, technical control solutions designed for compliance must be integrated into operational processes so that they are implemented continuously rather than as one-off projects.
Although there is some overlap, data security and privacy protection may apply different technologies and solutions from those used in infrastructure and application security. While infrastructure and application security use sessions to manage access control, data access is controlled by cryptographic algorithms and keys. Privacy protection complicates matters further as it relies on technology such as de-identification and tokenisation. As such, securing infrastructure and applications does not automatically mean that data and personal information are protected.
Application developers and system administrators need to align with suppliers, select proper technical solutions, re-design infrastructure and application systems, and make multiple changes in order to fulfil compliance requirements. This will likely require additional technical resources and investment.
Furthermore, enterprises in mainland China will likely find it difficult to find technical professionals in data security and privacy protection. The reason for this shortage is the historical lack of value attached by management to data and personal information. Even though they are increasing in importance, data and personal information can be legally, or to some extent illegally, acquired and exchanged in the market. Investment in data and personal information protection is seen by management as having a poor return on investment, so there is less interest in hiring for data security and privacy protection. In addition, most security professionals are former system administrators and software developers who may be reluctant to step into a relatively new environment.
Protiviti aids businesses in ensuring their IT services meet legal requirements and regulatory rules on both national and industry-specific levels. With our IT security professionals, compliance experts, auditors, as well as other IT professionals, we are able to quickly react to constantly evolving regulations based on industry innovations, environmental trends, and emerging risks.
Protiviti security and privacy services will evaluate your existing state of compliance in accordance with relevant legal requirements and regulations before developing technical solutions corresponding to your current technology, procedures, and resource competency. We expect to close any gaps in your IT technology and processes within budget while preventing disruptions to normal IT and business operations from compliance activities.
These laws and rules include the Criminal Law, the Public Security Administration Punishment Law, the Self-Assessment for Illegal Personal Information Collection, and the Provisions on the Cyber Protection of Children's Personal Information.