New Cybersecurity Regulations in the PRC

Regulation of cyberspace and the ability to access personal user data is a global, sweeping phenomenon that is undergoing immense change. Countries and societies around the world have had to confront questions about: What is private? What is sacred? What rights do individuals have to privacy? Where should the ability of corporations to access personal user information begin and end?

---

There is no overarching data protection law in the United States. Europe has instituted the G.D.P.R., which restricts what information can be collected and stored. And now, China has entered into the mix, with what purports to be a significant, stringent set of personal privacy regulations that is influenced by G.D.P.R. but has its own distinctive framework: the Personal Information Protection Law or PIPL.

---

Data Security and Cybersecurity Law in China

Going into effect November 1st, the PIPL is a sweeping set of requirements that act in conjunction with their new “Data Security Law” and “Cybersecurity Law”. Among many other rules, it requires any cross-border data transfers be submitted to the Chinese “Cyberspace Administration”. It requires consent when obtaining sensitive biometric information, including facial recognition software. It requires the suspension or termination of services for apps that illegally processed personal data, with violations of the law resulting in fines ranging between $7.7 million or up to 5% of the previous year's business revenue.

---

Still there is little way to “watch the watchmen”

Even though it is described in terms of personal privacy, according to Yale Law Professor Paul Tsai, there is little to indicate "anything resembling legal limits on government surveillance. ... Chinese civil society still has very limited means of ‘watching the watchmen.'"

---

Be that as it may, the regulations are sweeping and companies will need to be prepared. To quote IAPP VP Omer Tene "If you're doing business in China…get legal advice. They're not playing around."

---

• Source: https://iapp.org/news/a/china-adopts-national-privacy-law/. Accessed September 23rd, 2021.
• Source: https://www.natlawreview.com/article/china-s-new-data-privacy-law-sweeping-and-serious-avoid-high-cost-noncompliance. Accessed September 23rd, 2021.
• Source: https://www.wsj.com/articles/china-passes-one-of-the-worlds-strictest-data-privacy-laws-11629429138. Accessed September 23rd, 2021.

---

11月1日から中国で個人情報保護法が施行されます。
この法律の要点は海外へのデータ転送には届け出が必要であること、顔認識を含む生体情報を取得の際に同意が必要となることです。違反した場合には7.7万ドルまたは前年の事業収益の5％までの罰金が科せられます。規制は複雑で多岐にわたるため、中国でビジネスをされている企業は準備が必要でしょう。

---