China's PIPL: How to Comply in Under 60 Days

1. 1
1
Thank You for Joining “China's PIPL: How to Comply in under 60 Days”
● We will be starting a couple minutes after the hour
● This webinar will be recorded and the recording and slides sent out later today
● Please use the GoToWebinar control panel on the right hand side to submit any
questions for the speakers

2. 2
2
© 2021 TrustArc Inc. Proprietary and Confidential Information.
China's PIPL:
How to Comply in under 60 Days
15 September 2021

3. 3
3
Speakers
Paul Breitbarth
Director
Global Policy & EU Strategy
TrustArc
K Royal
Associate General Counsel
Privacy Intelligence
TrustArc

4. 4
4
Today, we will address:
● The key components of the law
● The enforcement mechanisms and potential fines
● Similarities between PIPL, GDPR, and other major data protection
laws
● Steps to take to comply before November 1, 2021
Resources: https://trustarc.com/china-pipl/

5. 5
5
Key Components of PIPL
● Fundamental Requirements
○ Basic principles and definitions
○ Legal bases for processing / handling data
● Cookie Compliance
● Individual Rights, including Notice
● Data Sharing
○ Vendor Management
● Cross-border transfers
● Enforcement

6. 6
6
Legal Bases
Article 13 PIPL
Consent
(freely given, informed,
active & distinct)
Necessary
for a Contract with
the Individual
(incl. HR)
To Fulfill Statutory
Duties and
Obligations
Public Health, Life
and Death or
Protection Property
in Emergency
Situations
News Reporting,
Opinion
Formulating, etc.
Information
Disclosed by the
Individual or in a
Lawful Manner
As Provided by
other Laws

7. 7
7
Individual Rights
Transparency and notice (Art. 17)
Know if an entity is processing their personal information (Art. 44)
Decide if and how their personal information is processed (Art. 44)
View and copy (Art. 45)
Portability (Art. 45)
Correction and amendment (Art. 46)
Deletion (Art. 46)
To know (and have explained) the handling rules (Art. 48)
Non-discrimination for exercising rights (Art. 16)
Automated Processing rights (Art. 24)
Consent to cross-border transfers (Art. 39)

8. 8
8
Notice
Before processing personal information, must provide the following:
● Handler’s name or personal name and contact method;
● Purpose of handling;
● Handling methods,
● Categories of personal information, and
● Retention period;
● Methods and procedures for individuals to exercise the rights including how to reach the
DPO; and
● Other items that laws or administrative regulations provide shall be notified.
For sensitive personal information, Handlers must also disclose the necessity and the influence
on individuals’ rights and interest except where permitted not to do so (Art. 30).
For cross-border transfers, currently or proposed in future, with separate consent.
Accurate, truthful, clear, and understandable

9. 9
9
Data Sharing & Vendor Management
Contracts require:
● Purpose of processing
● Time limit
● Handling method
● Categories of personal information
● Protection measures
● Rights and duties of both sides
● Supervision
● Limited to the activities in the agreement
● Handlers must approve subcontractors

10. 10
10
Cross-Border Transfers
All subject to further documentation from the State cyberspace and informatization department
Chapter III PIPL
Passing a Security
Assessment
Certification
Conducted by a
Specialized Body
Use of a Standard
Contract
As Provided by
other Laws

11. 11
11
Enforcement (Chapter VII)
Entities must:
● Correct the violation, relinquish the unlawful income, and suspend activities.
If entities refuse, they face an additional fine of up to ¥1 million.
Severe (grave) violations: Maximum penalty: ¥50 million (~$7,7 million) or 5% of annual revenue
➢ If impact a large number of people, the entity faces lawsuits (Art. 70)
Individuals in charge or directly responsible for the processing operation face:
● Fines between ¥10,000 and ¥100,000 / up to ¥100,000 and ¥1 million and
● Prohibited from “holding positions of director, supervisor, high-level manager, or personal
information protection officer for a certain period.”
Plus:
● Reported to credit files (individual and business) and publicized (Art. 67)
● Individuals may file a lawsuit when their individual rights are denied (Art. 50)
● Criminal penalties (Art. 71)

12. 12
12
Comparison to Other Laws

13. 13
13
Sensitive Personal Information
CPRA GDPR PIPL
Racial or ethnic origin X X i
Religious beliefs X X i
Philosophical beliefs X X X
Political opinions X i
Union membership X X
Mental or physical health X X X
Sexual orientation or sex life X X i
Genetic or biometric data X X X
Personal data from a known child Provisions Art. 8 for child <14
Precise geolocation X X
Govt-issued ID numbers (SSN, DL, ID, passport) X i
Account access credentials X i
Financial Accounts X
Content of messages unless a business is the recipient X

14. 14
14
Comparison to other laws
CCPA/ CPRA GDPR PIPL
Effective Date Current / CPRA 1 Jan 2023 25 May 2018 1 November 2021
Triggers
In addition to doing business in state with
residents, must generally meet at least one
trigger
$25M rev,
buy/sell data 50k (100k) consumers or
households, or
50% rev from selling (CPRA sharing)
Art. 3
Activities of EU establishment, offering
goods/services to persons in EU or
monitoring their behaviour
Art. 3
Data processing in China, offering
goods/services to persons in China or
monitoring their behaviour, or if prescribed
by law
Implementing Regulations Yes Yes awaiting guidance
Privacy Notice Yes Yes Yes
Consumer Rights
Access | Know | Delete | Correct | Portability |
Appeal | Non-discrimination
A, K, D, C
Non-d
A, K, D, C, P, Ap, Non-d A, K, D, C, P, Ap (plus others)
Non-d
Response Time 45, +45 One month timely
Sensitive Data No Yes, explicit consent or exempted
situation
Yes, separate consent
Minors, Age <13, 13-15 <16 (member states cannot go
<13)
<14
Applies B2B No (CCPA moratorium) Yes Yes
Applies to Employees No (CCPA moratorium) Yes Yes

15. 15
15
Comparison, cont.
CCPA/ CPRA GDPR PIPL
Opt-outs Sell / CPRA Share Right to object Sensitive data, transfers, ads
Vendor Contract Requirements Yes Yes Yes
Security Audits No / CPRA Yes Implied in accountability
obligations
For important data only,
under Art. 30 DSL
DPIA / PIAs Yes (CPRA) Yes Yes
Enforcement AG DPAs Agency
Cure period 30 days / CPRA No No No
Penalties $2500 / $7500 Up to 4% revenue /
20M Euros
Up to 5% revenue /
¥50M / and individual sanctions
Private Right of Action Yes, if data breach Yes (+ collective redress) Yes
Sale / Sharing Data Sell / CPRA Share Right to object Sensitive data, transfers, ads

16. 16
16
Roadmap to Compliance

17. 17
17
Roadmap to Compliance
Four week planning guide
6 weeks to go!
Week 1
• Identifying
elements of
law and status
• Processing
activities
• Stakeholder
alignment
Week 2
• Vendor
management
• Join Handlers
• Cross-border
transfers
• Data
localization
Week 3
• Policy review
and revise
• Consent
• Automated
decision-
making
• Cookies
Week 4
• Individual
rights
• Notice
• Training
• Finalize DPIAs
• Verify ready

18. 18
18
Privacy Central

19. 19
19
Last Thoughts and Questions
?
?

20. 20
20
Thank You!
See http://www.trustarc.com/insightseries for the
2021 Privacy Insight Series and past webinar
recordings.
If you would like to learn more about how TrustArc can support you with
compliance, please reach out to sales@trustarc.com for a free demo.