Multinational brands and ad tech companies doing business in China will have new hoops to jump through starting November 1.
That’s when China’s newly passed privacy regulation, the Personal Information Protection Law (PIPL), goes into effect.
The National People's Congress, China’s top legislative body, voted to adopt the law on August 21. That doesn’t leave a lot of time to prepare.
But companies with a privacy compliance program already in place for Europe’s General Data Protection Regulation and/or the California Consumer Privacy Act in the US “have a leg up,” said Gary Kibel, a partner at Davis & Gilbert LLP, because they’ve already done privacy impact assessments and gotten familiar with their own processing activities.
“The challenge is then to apply a different privacy regime to an existing compliance program and marketing activities,” Kibel said.
Out of all the privacy laws around the world, China’s new regulation most closely resembles GDPR in terms of scope and basic definitions.
Both PIPL and GDPR are extraterritorial. Just as GDPR applies to any company that handles the data of EU residents, PIPL applies to any company that processes the personal data of Chinese citizens regardless of whether that happens in China or outside the country.
Unlike the CCPA, which draws a somewhat confusing distinction between third parties and so-called service providers, PIPL relies on the more familiar concepts of data controllers and data processors.
Also, just like under GDPR, PIPL gives individuals the right to access, request, correct, delete, transfer and restrict the collection and use of their personal data.
But there are a few big differences between PIPL and the GDPR.
The first is PIPL’s requirement that any company located outside China involved in processing the personal information of Chinese citizens designate a dedicated in-country representative to support compliance, said Cillian Kieran, CEO and founder of privacy compliance startup Ethyca.
PIPL also diverges from the GDPR through its lack of legitimate interest. Under GDPR, legitimate interest allows companies, in certain cases, to process personal data without consent as long as it’s collected legally and there’s a justifiable reason for its use.
The absence of legitimate interest makes PIPL even more strict in some regards than GDPR.
“There is no concept of legitimate interest under this regulation,” said Julia Shullman, general counsel and chief privacy officer at TripleLift. “As of right now, it’s looking like we’re all going to have to rely on notice and choice and on consent.”
And companies will also need consent for any downstream data operations, Kieran said.
“For instance, companies handling personal data require an individual’s consent prior to disclosing that [person’s] personal information,” he said. “Furthermore, companies cannot refuse to do business with individuals who do not consent to unnecessary personal data processing.”
But obtaining consent is a tricky business for ad tech companies and other third parties, which aren’t always in a position to get it. Hence the intense and ongoing courtship of publishers.
“If previous data regulations weren’t already a wake-up call for ad tech companies to transition toward first-party data, the new PIPL law surely will be once the law goes into effect,” said Charles Farina, head of innovation at Adswerve. “China’s decision to pass its new ruling is a direct result of consumers becoming frustrated with the mass collection of their data.”
Between the lines
But although the targeted online advertising industry gets a bad rap for what some refer to as a form of surveillance, the Chinese government actually engages in mass surveillance of its citizens as a matter of course.
PIPL also gives the Chinese government greater control over the cross-border transfer of data. Data sharing between mainland China and a regional office in London or Singapore, for example – a standard business practice for many companies – will come under greater regulatory scrutiny.
And PIPL could theoretically be used as a cudgel to punish foreign companies that don't align with China’s own interests.
“Government control and access in China were major concerns before PIPL,” Kibel said. “Those concerns may become more significant with this new legal framework put in place.”
Violations of the PIPL can result in fines of up to 5% of a company’s annual turnover for the previous year or 50 million RMB (around $7.7 million), as well as the revocation of the company’s right to do business in China.