🔒 Top Tips regarding China's new Privacy Law
Cloudflare is recognizing Data Privacy Day 2022 with a special series of fireside chats. This session features Tilly Lang, Cloudflare Senior Counsel, Privacy, in conversation with Samuel Yang, who leads the Technology, Data Protection & Cybersecurity practice at AnJie Law.
Samuel has worked in both in-house and private practice roles within the TMT sectors for nearly 20 years and is regarded as a leading expert in these areas. He advises clients on a wide range of regulatory, commercial, and corporate matters, especially in the areas of data protection, cybersecurity, telecommunications, internet, media, social networking, hardware and software, technology procurement and transfer, distribution and licensing, and other technology-related matters.
Legal 500 describes Samuel as “probably one of the leading authorities on data protection” and “a respected expert in telecoms regulations”. Who’s Who Legal commented that “Samuel Yang ranks highly among peers thanks to his in-depth knowledge of data protection and compliance, regulatory and contentious matters in the TMT sectors.” Samuel’s clients include MNCs, large state-owned enterprises, leading Chinese internet companies, and startup technology companies. He is a regular contributor to many legal journals, and his publications on TMT, data protection, and cybersecurity laws in China are well-received and widely reproduced.
Hi everyone, welcome to Cloudflare TV, and I'm looking forward to discussing the privacy landscape in China today with Samuel.
My name is Tilly Lang and I'm the Senior Privacy Counselor here at Cloudflare.
Samuel, would you like to introduce yourself?
Hello everyone, my name is Samuel Yang. I'm with a Chinese law firm called AnJie Law Firm.
We have a great data privacy and cybersecurity practice here.
And thank you, Tilly, for having me today.
Thank you. No problem at all.
So I'd like to start off the session with a couple of questions that I'm always fascinated by, in terms of how, you know, you started your career in privacy, because I know, as privacy professionals,
There's a lot of different routes into privacy.
Some of us sort of find ourselves in privacy, almost by mistake, while some of us sort of deliberately start our career paths, you know, sort of with privacy in mind.
So I'd love to hear how you got into privacy.
Well, in the beginning of my career, I spent some time with a Chinese Internet company as an in-house counsel.
Then I joined a multinational company, a foreign telecom carrier.
And so my background, you know, career background is always about technology and telecommunication etc.
But at that time, you know, back in 2005 or something like that.
At that time, we didn't really have a concept of privacy in China.
Although we had that general concept, we did not have the modern privacy and data protection laws, etc.
I think that all started from there. And then I joined an international law firm.
And then, you know, naturally, because of the development of legislation in China, you know, we started to have some scattered privacy and data protection rules, you know, it all started.
And we began to have clients increase in this area.
And then, somehow, I became a privacy professional.
Yeah, no, I hear you. I hear you there. My career path into privacy was a little bit the same as well, in terms of, I sort of started working in corporate law and corporate governance, and privacy kept on creeping more and more into it.
But it was a part of my job I actually really enjoyed, so I was like, you know what, I'm just going to focus on this. So I hear you there.
And also, I mean, just on the back of that, what do you enjoy about working in privacy?
Well privacy. Well, the first thing about privacy.
I think, you know, I always like new things, and privacy is new. You know, basically, at that time we didn't really have any rules, so then we started to study rules in the EU, in the US, etc.
You know, and that kind of dream, you know, that one day we'd have similar rules or even better rules. Now it seems that China is catching up, you know, it's like realizing your dream, although it's not my dream.
You feel that you really contributed to that, and you really answered the clients' questions and really helped them. That's an achievement, you know, that really gives me a lot of power.
Yeah. No, I agree. I always say that there's never a dull moment when working in privacy just because as you mentioned, there's so much change all the time.
You know, if it's not amendments to privacy laws, countries are doing that it's sort of new privacy laws coming into play so everything is constantly changing.
Another thing I should probably mention is that, you know, we also like uncertainty, because of this new area. You know, I guess even in the EU some concepts are not 100% clear, and it's the same in China, in terms of the scope of personal information, anonymization, you know, really new concepts. And, as I said, it's about really workable solutions for the client, and sometimes we also contribute to the lawmakers, you know, to provide our views. It's interesting.
Yeah, no, absolutely. So, following on from that, you mentioned that there's been a lot of awareness and growth of privacy in China over the last few years, so I was wondering if you could give us some background in terms of the gradual growth of awareness, but also of privacy laws coming into place in China, because, as I know you're definitely aware, China had a new privacy law come into force on the first of November last year. So it'd be good to have a little bit of background in terms of that development.
Yeah, I mean, when you look back, you know, really, China doesn't have a very long history of privacy legislation.
You know, back in 2016 or probably 2015, before then we didn't really have a specialized data privacy law, and we had some very general, you know, data protection regulation, not rules, and those rules were quite high level.
And then, because I think you know everyone can understand that, you know, since since the development of the Internet industry, especially because you know all of a sudden, everyone is using a mobile app.
Yeah, that changed a lot. And so, since 2015, we started to have new laws. Especially in 2016, we had a new law called the Cybersecurity Law and, you know, the topic of that law is basically cybersecurity.
But I think the government also noted the requirement of society to have more solid privacy and data protection rules in that sense.
So we began to have some high level requirements in that law, and then, you know, the different government authorities started to study this topic and they also issued their own.
Can you hear me?
Yes, I can hear you; you dropped out for a short time, but I can hear you now.
Yeah. And then last year was really remarkable, because last year we also had our Data Security Law promulgated, and on November 1 our first Personal Information Protection Law came out and, you know, was promulgated by the government.
Perfect. And I think knowing a bit of the background, and having an overview of the build-up to the latest privacy law that was enacted, is helpful.
And I was wondering if you'd be able to expand on and hit the key points that the new privacy law that came out in November includes, just for the audience.
Well, for those who are familiar with the GDPR, I think the PIPL, the Personal Information Protection Law of China, is very comparable, you know, because when we look at it, it almost adopted the same methodologies.
And, you know, the components of this law include, for example, some things that you are very familiar with: you know, the DPI, although we don't call it DPI; you need to appoint a DPO, etc.; you need to have internal policies and rules in the area of data protection; you need to have legal grounds to process personal information, so you need to have consent or you need to rely on your contract.
All those things are very similar to, to the GDPR.
Of course, you know, China's PIPL also has its own characteristics; in terms of data, it has some very specialized data localization requirements, and it also requires that certain cross-border data transfers will be subject to the government's approvement, sorry, the government's assessment.
Okay. And then, based on that overview, what strategic advice would you provide to organizations that are currently operating in China, or are looking to expand into China, given that the new privacy law has come into force, but also the other existing laws, and how those laws interact with each other?
Yeah, I mean, so for some industries.
For example, in the, in the financial and banking and insurance industry.
They already have some industry data privacy or data protection requirements.
And so, yeah, for them the PIPL is really repeating similar requirements, or maybe, you know, the scope is larger.
But for all other companies, you know, the PIPL is still kind of new, although in the past few years the Chinese government has been really proactive in terms of, you know, rolling out campaigns against the misuse of personal information.
I mean, the PIPL is not a surprise to companies doing business in China, and especially for global companies who are already GDPR compliant, you know, they can really leverage their existing data protection or data governance framework, and that can be quickly adapted to the PIPL compliance work.
So, I mean, the key point is to really start the work.
You know, set up your compliance framework in China, appoint a DPO in China, seek consent, you know, improve your privacy policies. There are a lot of work streams, but all together it's about, you know, having a solid framework and lifting this PIPL compliance to a level of strategic importance, I would say.
And then you mentioned the role of the DPO, which, which stands for data protection officer.
And that's obviously sort of in, in the EU. The role of the data protection officer sort of was embedded in the GDPR for certain organizations if you meet sort of thresholds.
Well it's mandatory if you meet certain thresholds.
Obviously organizations can appoint a DPO on a voluntary basis as well.
But I was wondering if you'd be able to walk us through the role of the data protection officer, the DPO, under the new Chinese privacy legislation, and whether there are differences in the concept of the role of the data protection officer between the Chinese privacy law and the GDPR, and if there are similarities and differences.
And then, not to add another question on top of that, but I think it will be interesting because, if I'm not mistaken, I think it's the first time that the role of the data protection officer has been mandatory for some organizations in China.
So, how do you see that role, or that set of privacy professionals, developing as well?
Oh, I see. Well, interesting, very, very good point.
You know, legally speaking, the PIPL only has some very high level requirements for the DPO.
You know, the threshold depends on the volume of personal data the organization is going to process.
But unfortunately, at this stage, that volume, you know, the quantity threshold, has not been published by the government.
So, essentially, you know, we consider the population in China.
So, probably a million people is a very high threshold, but in China actually it's not. So my observation is that, you know, as long as our clients collect personal information, they will have someone to really look after data privacy issues, you know, not necessarily called the DPO, data protection officer.
But actually we don't use that term, you know; the term that we use in the PIPL is someone who is responsible for data privacy matters.
So in terms of the development of, you know, this career, I think it's very promising in China.
My observation is that, you know, data protection professionals in companies, in law firms, elsewhere, are understaffed, really understaffed, and the market really needs professionals like that.
An interesting point I also observed is that, according to a new draft regulation, it seems that the government really wants to encourage companies to treat this role as a special role.
And it's a very important role in organizations. And one provision in the draft regulation I just referred to was that the DPO can report directly to the authority.
Which means that, you know, it's like the DPO is a really special workforce in the company, so it doesn't have to listen to the president and they can really decide their own rules.
Okay, no, that's definitely interesting.
Yeah. And then I think, just in terms of the Personal Information Protection Law, the PIPL, are there included in it aspects of data localization, requiring certain categories of data to remain in China, or copies of that data to remain in China? I was just wondering if we could touch upon the international transfer requirements which are embedded in the new law, and also highlight whether there are those data localization requirements, because we're seeing those types of requirements popping up in a number of jurisdictions.
The first point I want to make is that, you know, data localization is one requirement, and cross-border data transfer is another thing; you know, typically we would discuss those two things separately.
In terms of data localization, the PIPL does have some requirements, you know, namely, if an entity is treated as something called a critical information infrastructure operator, which means that organization has certain information infrastructure, the network, your system, etc.
If it's very important, you know, then the government will treat that entity as an important or critical information infrastructure operator, or CIO, and then the CIO will need to store the personal data within China.
And the other requirement is for those who are not CIO, but who process a large volume of personal information in China, for example the fake Internet companies, or, you know, when you consider the population in China, maybe a middle-sized Internet company can still be regarded as processing a large amount of personal information.
So, as I said, those two types of entities, you know that by default, they need to store their personal data within China.
Okay, but this does not mean they cannot send personal data outside of China, provided they are complying with the data localization requirements in China.
And when they do need to send personal data outside of China,
for example, you probably need to send some person's contact information outside of China, you know, just as part of normal business activities, then they will need to report to the government and go through something called government security assessment.
At the time we are speaking now, you know, the government assessment mechanism is not in place yet.
And we are waiting, you know, for new regulations from the government on that point.
Okay, no, that's very interesting.
And then on that point as well I think it's a nice sort of follow up.
Is there extraterritorial scope in the PIPL, which came out in November? And just talk us through what that scope means and also what that means for organizations, you know, perhaps headquartered in another jurisdiction but obviously with operations in China. I think that would be really interesting to hear about.
I think the PIPL mechanism is quite similar to the GDPR.
You know, the first thing is that any processing activities within China, regardless of whether you process personal information of Chinese citizens or you process foreign citizens' personal information within China, as long as the activity is happening in China, then the PIPL will apply.
And the second thing is that for processing activities outside China, as long as the target is Chinese citizens, and the purpose is to really assess their behavior or analyze their behavior, or for the purpose of providing services and products to them,
then the PIPL will also apply to the foreign entity.
I mean, there is certain room for interpretation; I guess it's also quite similar to the GDPR, especially considering the foreign entity part, you know, sometimes it's not very clear in terms of what kind of services and what kind of product, for example, whether you operate a website outside China but you offer Chinese language, whether that will count.
For those specific questions, unfortunately, we currently don't have specific guidelines from the government because the PIPL is really new.
Yeah, yeah, no, no, no, it's very new. And one thing as well.
I just wanted to discuss with you as well, in terms of enforcement, because obviously GDPR is 4% of global turnover or 2% of global turnover depending on the banding of the sanction, but I was wondering what the enforcement sanctions included in the PIPL are.
And also, if there's been any enforcement action to date.
Um, yes, I mean, there's a penalty.
I guess the PIPL really, really followed the GDPR trend.
And so the penalty on GDPR is pretty heavy. Yeah, you know, it's up to 50 million RMB or 5% of the, you know, revenue of last year.
But it's unclear whether the revenue will apply to the global income, or simply, you know, the revenue from the single entity.
It's still not clear.
Okay, interesting. And then I think it obviously sounds like there's been a lot of development recently with the privacy laws in China and also, I imagine, with cybersecurity laws as well, so I'm just wondering where you see the data protection laws moving in the next five to ten years in China.
Well, as I said to you, it's a difficult question, but my personal feeling is that, because the PIPL is pretty new, the government is currently very busy,
you know, designing the implementation rules to work together with the PIPL, you know, to answer some really ambiguous areas, for example, you know, the cross-border data transfer, the volume threshold, etc.
So, in the next five or six years, I hope, you know, there will be more,
there will be clearer guidance, you know, because sometimes the uncertainty itself is really difficult for our clients.
Yeah, for people doing business in China. And the other observation that I have is that the Chinese government authorities are very hands-on in terms of enforcement.
Even before we had the PIPL, the Personal Information Protection Law, we had already started special enforcement campaigns against the mobile apps in China, because the misuse of personal information by mobile apps in China was very serious at the time.
And, you know, the government authorities also relied on some specific regulations to deal with that phenomenon.
Okay. Okay. The Chinese government will continue that investment trend.
Yeah, yeah. No, interesting.
So, I mean, with all this information that you've touched upon,
and also, I imagine, a lot of organizations are building out their privacy programs as well to make sure that they're in line with the regulation, what three key pieces of advice would you give to organizations currently operating in China to make sure that they're meeting the privacy requirements?
Well, the first point I want to make is that the PIPL is not designed to push back foreign investment. You know, foreign companies sometimes feel paranoid, whether this is against us only; actually it's not, it will apply universally to all entities doing business in China.
That's the first thing. And the second thing is probably, you know, you really need to act, because it's already there, you really need to take steps to comply with the PIPL. That's the second thing.
And the last thing is that, especially for large MNCs, you know, because they are already GDPR compliant, they can really leverage their existing data protection framework, you know, some very successful experiences they have, to set up the data protection framework or data governance framework in China.
Perfect. And so, just to conclude, we've got about two minutes left.
I would like to ask you a question I like to ask people that I've interviewed as well. It's not privacy related, I have to say, but maybe: what was the best piece of career advice that you've ever been given?
Well, I think, from my personal experience, it's really follow your heart, really find your own interest.
That's pretty important. And what I didn't mention to the audience is that before I started with IT, you know, Internet companies and then telecom companies, I spent some time with a law firm doing anti-dumping, you know, at the time.
So, you know, anti-dumping is good but, in the same way, I didn't really like it, you know, so I switched to IT and data, and I felt great.
No, I had a similar experience. When I started off my career I was working for a law firm.
And I was doing restructuring, and it just wasn't for me, let's say. And I always say as well, especially speaking to people starting their career, it's always important to know what you like, but it's also important to know what you don't like.
So you can make the best decision for you, so I think having experiences in different areas definitely opens your eyes a bit.
But like I said, thank you so much for joining us on today's segment of Cloudflare TV. It was great to have the overview of the PIPL, which came into effect in November of last year, and I know organizations are still working through the newly enacted law, so thank you very much.
It's a pleasure having you.
Thank you for having me. I'm looking forward to seeing you there.