31 October 2022

Last year, we reported on China’s new Personal Information Protection Law (PIPL) which came into force on 1 November 2021. PIPL sits alongside the Data Security Law (DSL) and Cybersecurity Law (CSL) at the heart of China’s integrated cyber and data governance regime.

In August 2022, PIPL claimed its first notable scalp. CAC, China’s national enforcement agency, held that rideshare platform Didi had committed serious violations of PIPL, DSL and CSL. Didi was found to have engaged in illegal collection of excessive data from users' mobile phones, including call logs, contact details, location data, photo albums and apps. To make matters worse, Didi failed to take corrective action when initially ordered to do so and, as a result, CAC fined it RMB8 billion (approx AUD1.7 billion), with two senior executives being personally fined RMB1 million each (approx AUD220,000).

PIPL is, of course, a Chinese law and so applies primarily in China. But it includes a very broad extraterritoriality provision (something which is becoming increasingly common in data protection regimes around the world, a consequence of the current “space race” between major powers to assert data sovereignty and establish international data protection standards). Just as GDPR applies to all processing inside the EU and/or concerning EU citizens, so PIPL extends outside mainland China to cover all processing of personal information relating to Chinese individuals.

Foreign businesses trading in China or handling the data of Chinese individuals should be aware of their obligations under PIPL, including the need to have a dedicated local presence or local representative to ensure proper compliance. This includes any Australian business with employees or consumers in China, regardless of the size of operation.

The international data privacy landscape is becoming increasingly complex, with laws that are often inconsistent with one another, not fully clarified, or not even available in English. In addition, data privacy issues can become tools in broader international trade disputes. Businesses are therefore at increased risk of significant penalties, even for inadvertent breaches: GDPR provides for maximum fines of EUR20 million or 4% of global turnover, and infringements of PIPL can result in corporate fines of RMB50 million or 5% of annual turnover, with individual liability of RMB1 million and disqualification from directorships and similar positions.

While there are clear similarities between some regimes (such as GDPR and PIPL), it would be a mistake to see these as offering a short cut to global compliance. In any case, other important data protection regimes, such as those of the USA and Australia, set markedly different standards which require specific and detailed attention.

Moulis Legal lawyers are experts both on privacy and data protection, and doing business in China. As well as our specialist lawyers, we have an extensive network of legal contacts across China who we can call on to help advise Australia-China business entities.

You can read more about Moulis Legal’s technology services here or, if you would like further information regarding China’s data and security laws, we would be happy to help.

This memo presents an overview and commentary of the subject matter. It is not provided in the context of a solicitor-client relationship and no duty of care is assumed or accepted. It does not constitute legal advice.

© Moulis Legal 2022