China recently introduced new data protection legislation which has a significant impact on foreign companies with operations or sales in China, such as online store companies domiciled in the Nordic or Baltic countries selling products to customers based in China.
The long-awaited Personal Information Protection Law (the "PIPL") came into force on November 1, 2021 and, together with the Cybersecurity Law and the Data Security Law, provides a more complete framework for cyberspace governance and data protection in China.
In this article, we analyze the impact that the PIPL will have on Nordic and Baltic e-shops conducting sales activities to customers in China via their own websites operated in Europe.
1. Scope of “Personal Information” and “Sensitive Personal Information”
PIPL largely mirrors the language of the EU General Data Protection Regulation (GDPR) as it relates to the definition of personal information. The fairly broad definition covers all types of information relating to identified or identifiable natural persons recorded either by electronic means or in other forms.
In the normal course of business, a Nordic/Baltic online store will collect and process the personal information of its customers, e.g. name, gender, address, email, preferences, ID number, etc. This information is considered personal information under the PIPL.
In the PIPL, for the first time, China introduces the concept of "sensitive personal information", which refers to personal information that, if disclosed or used unlawfully, may harm the dignity of a natural person or endanger his or her personal safety or property. Biometric identifiers, religious beliefs, medical information, and financial accounts are all considered sensitive personal information.
As a natural part of engaging with customers, Nordic/Baltic online shops are likely to collect sensitive personal information during the transaction process, such as ID number, bank account information, etc.
The PIPL adopts the concept of “processor of personal information”, meaning to cover organizations and individuals who independently determine the purpose and method of processing personal information.
In addition to the processing of personal information within China, the PIPL also applies to such processing outside of China when its purpose is to provide products and services to natural persons in China, such as Nordic/Baltic online shops selling products from overseas to customers located in China.
For this reason, Nordic/Baltic online stores selling in China should be vigilant.
3. Legal basis for processing – Consent
One of the welcome changes introduced by the PIPL is a broad and expanded legal basis for processing personal information, which is quite similar to the GDPR.
The processing of personal information must meet the processing conditions set out in the PIPL:
§ Clear consent
For a Nordic/Baltic online store, the most critical issue is obtaining consent from individual customers.
Consent must be given by the natural person voluntarily and explicitly, on the precondition of full knowledge of the processing. A single blanket consent covering all processing purposes is not permitted, and the processor is required to obtain a separate consent in certain circumstances.
For a Nordic/Baltic online store to sell products to Chinese customers, the following separate consents will be required: (a) processing sensitive personal information, and (b) providing personal information to a third party (such as banks and courier companies).
As such, a Nordic/Baltic online store must implement a special consent collection process for Chinese customers or align its general consent collection process with the requirements set out in the PIPL.
§ Limited to the smallest scope
The collection of personal information should be limited to the smallest scope necessary to fulfill the purpose of the processing, and personal information cannot be excessively collected.
For a Nordic/Baltic online store, it is permissible to collect necessary information from customers for ordinary business purposes such as delivery and marketing; however, if the online store asks for excessive information unrelated to its selling activity (e.g. information about family members, social media account, etc.), this will be considered a violation of the PIPL.
4. Cross-Border Data Transfer
The cross-border transfer of personal information can only be done for legitimate and solid reasons (for example, business needs).
A number of compliance requirements must be met with respect to the cross-border transfer of data, including that the transferor:
§ is required to take the necessary measures to ensure that these processing activities meet the legally required standards of protection
§ must pass the security assessment by the authority
§ must obtain a personal information protection certification issued by a qualified organization
§ must conclude a contract with the foreign recipient
as well as to comply with other conditions stipulated by the authorities from time to time.
In addition, as set out in section 3 above, a separate consent on the cross-border transfer must be obtained by the processors prior to the transfer. In such a situation, the consent requirement is enhanced to include more details of the transfer, such as (i) the name and contact details of the overseas recipient, (ii) the purpose of the processing, (iii) the processing methods, etc.
As for a Nordic/Baltic online store dealing with a large volume of personal information, it should store the data collected and generated in China, but the threshold for this has not yet been clarified. In this case, any transfer of the personal information to its offshore entity will trigger the cross-border transfer and the relevant terms and compliance requirements must be met.
If the Nordic/Baltic online store operates a smaller business, strictly speaking, it may still be subject to the cross-border transfer regime; however, under applicable rules and in practice, the compliance requirements described in the first paragraph of this section may not necessarily need to be implemented as long as a clear and concise consent is obtained.
Cross-border data transfer is still a key issue in the data protection regime, and details in this regard are yet to be clarified by future regulations.
5. Compliance Requirements
The PIPL requires offshore “personal information processing entities” subject to the PIPL to establish a “dedicated office” or appoint a “designated representative” in China for personal information protection purposes.
That is, if a Nordic/Baltic online store currently has no business presence in China but sells products to Chinese customers, the online store must have an office or representative located in China to be responsible for data compliance issues.
Additionally, for a Nordic/Baltic online store with a large number of users in China, there are additional compliance requirements to meet, including but not limited to:
§ have data stored in China and transfer that personal information out of China subject to a series of complicated requirements
§ formulate platform rules according to the principles of openness, fairness and impartiality, and clarify the standards for the processing of personal information by the online store
§ regularly publish a social responsibility report for the protection of personal information and accept social supervision.
The definition of "large number of users" has not been clarified in the PIPL and is pending clarification.
6. Our point of view
The PIPL reshapes the handling of personal information in China and indicates that personal information protection is “here to stay” in China.
Reviewing and understanding the scope and application of the PIPL is an ongoing process, and we expect future regulations to provide greater detail and clarity.
For now, for a Nordic/Baltic online store selling products to Chinese customers, it is time to put in place appropriate internal risk control/compliance measures and policies to meet the regulatory requirements set out in the PIPL, including how it collects consent from Chinese consumers. Internal compliance due diligence and staff training may also be considered.
The content of this article is intended to provide a general guide on the subject. Specialist advice should be sought regarding your particular situation.