China's Personal Information Protection Law (PIPL) FAQ

Does our company need a PIPL Representative?

Is the PIPL applicable to my company?

The extra-territorial scope of the PIPL is very similar to the GDPR. According to Art. 3 PIPL, the Chinese data protection law applies to your company if you:

  • offer services or products to people inside the Chinese borders;
  • analyse and assess activities of people inside Chinese borders; and
  • do so under other circumstances provided in laws or administrative regulations. So far, no such additional laws or regulations have been published.

Does your company offer services or products according to Art. 3 §2 PIPL?

So far, Chinese authorities have published no guidelines on the question of when a company offers services or products in China. However, the wording is nearly identical to that of the GDPR. Assuming that the purpose of regulating the extra-territorial scope of the PIPL is similar to that of the GDPR, and that the PIPL takes the same approach, the EDPB's guideline on the territorial scope of the GDPR (Guideline 3/2018) gives a first indication of what "offering" means. However, it is expected that the Chinese authorities will publish their own guidelines, which, hopefully, will bring more clarity and certainty. Until then, factors that may be considered to result in an “offering of goods or services” to individuals in China could be:

  • using languages used in China and offering payments in Chinese Yuan;
  • using ads to address Chinese individuals or other marketing tools directed towards Chinese customers;
  • mentioning addresses or phone numbers to be reached from China;
  • using top-level Chinese domains;
  • offering delivery of goods to China.

Does your company analyse and assess the activities of individuals inside of China?

So far, there is no material from Chinese officials on the interpretation of the criterion “analyse and assess the activities of individuals”. However, the following activities are likely to trigger the applicability of the PIPL:

  • behavioural advertisement
  • geo-localisation activities
  • online tracking by using cookies or other tracking technologies
  • market surveys and other behavioural studies based on individual profiles
  • CCTV

What fine may be imposed for non-compliance?

PIPL has hefty penalties in place for breaches of data protection laws. Penalties can reach up to RMB 50 million (€ 6.6 million) or 5% of the previous year's turnover. It is not yet clear whether the turnover is calculated based on the revenue from the Chinese market or the global business activities. Personal fines of up to RMB 1 million can also be imposed on 'directly responsible persons'. The data protection authorities can order other authorities to revoke administrative and business licences. It is to be expected that the Chinese authorities will take tough action here. For example, companies operating app stores were ordered to remove the app of Uber-competitor Didi Chuxing from their stores due to alleged data protection violations. When companies infringe the privacy rights of many individuals, prosecutors, statutorily designated consumer organisations, and organisations designated by the State for cybersecurity may file a lawsuit with the competent Chinese Court. This way, the State can take action against companies on behalf of affected individuals. Of course, it is also possible for individuals to file their own lawsuits for damages against a company.