New data protection requirements
From 1 November 2021 new data protection legislation, the Personal Information Protection Law (PIPL), comes into force in China which has worldwide implications for anyone who holds or processes the personal data of individuals in China. Most of the requirements are in line with the GDPR which landlords and letting agents in Scotland should already be complying with. However, landlords and letting agents who deal with the data of any individual based in China in order to provide services to those individuals should comply with the following new requirements to ensure they don’t fall foul of the new PIPL:
- Appoint a representative in China
Similar to the GDPR which requires you to appoint an EU representative if you are not established in the EU/UK, the PIPL requires you to set up a special institution or hire a representative in China to handle the personal data matters on your behalf. Details of the institution/representative must be made known to CAC, China’s regulatory body. As the PIPL becomes established it is likely that data protection firms based in China will offer their services as a representative to businesses based elsewhere in the world.
- Ensure lawful basis for processing data
The PIPL only allows the processing of personal data without the explicit consent of the individual in limited circumstances. For the types of data processing typically carried out by landlords/letting agents, processing would be allowed without explicit consent where:
- it is necessary for the conclusion or performance of a contract to which the individual concerned is a party
- it is necessary for the performance of statutory duties or statutory obligations
- it is necessary for coping with public health emergencies or for the protection of the life, health, and property safety of an individual.
In all other circumstances it is advisable to ensure you have the explicit consent of the individual to process their data. The PIPL requires a “separate consent” (rather than a package consent covering all the processing purposes) to be obtained under each of the following situations:
- providing personal information to a third party
- publicizing personal information processed
- processing sensitive personal information
- transferring personal information outside the territory of China
- Carry out impact assessments
Where data is being transferred outside China, the PIPL requires that an impact assessment is performed in relation to that processing. The personal information protection impact assessment shall cover three main aspects:
- whether the purpose, manner and other aspects of processing personal information are legitimate, proper and necessary
- the impact on individuals’ right and the risk level
- whether the security measures adopted are legitimate, effective and appropriate to the risk level
The PIPL also requires that the assessment reports and relevant records of processing status shall be retained for at least three years.
Data breaches & penalties
As with the GDPR there is an obligation to notify the appropriate Chinese data protection regulator of a data breach. This will mean that organisations subject to the GDPR and the PIPL may find themselves making two sets of reports in the event of a data breach. The data protection regulator is likely to simply issue warnings for minor offences as is the case with the ICO for breaches of the GDPR. However, for serious offences fines can be levied as well as orders to suspend or terminate services unlawfully processing data. The PIPL allows individuals to raise legal actions against businesses who violate their data protection rights.
This legislation has had a very short lead in time and details of how to ensure compliance are still being established. Any landlords or letting agents doing, or intending to do business with individuals based in China are advised to obtain specialist legal advice to ensure compliance with the PIPL.