Collecting data from China: What companies should know




Article by CNBW Member
R&P China Lawyers, Shanghai + Beijing
Authors: Maarten Roos, Connie Chen, Catherine Zhu


China has been a prime market for foreign investors seeking opportunities. These investors may now have to take steps to ensure data privacy compliance as per the PRC Personal Information Protection Law (PIPL). However, international companies that operate in China or with Chinese customers without a local subsidiary will also need to be vigilant, as long as they collect personal information from natural persons in China.

1. Extra-territorial Provisions of PIPL and GDPR
Article 3 (Paragraph 2) of the PIPL sets out the circumstances in which the law applies if personal information of natural persons is collected from the Chinese Mainland and processed outside of the Chinese Mainland:

1.  If the purpose is to provide products or services to domestic natural persons;
2.  If the purpose is to analyze or assess the behaviors of domestic natural persons;
3.  In other circumstances as per PRC laws and administrative regulations.

For example, it is quite clear that an international airline that collects detailed information from Mainland Chinese passengers is covered by this definition. But if a restaurant in Amsterdam collects the personal information of a Chinese tourist for a reservation, does that mean the restaurant is subject to the PIPL?

There is no clear guideline on the criteria to determine whether the personal information handler intends to provide products or services to a natural person in China. But since the extra-territorial effect clause of the PIPL is quite similar to terms in the European GDPR (General Data Protection Regulation), the GDPR’s solution to this issue may provide further guidance.

Under Article 3.2, the GDPR applies when a data controller or processor that is established outside the EU processes personal information of an EU data subject under any of the following circumstances:

•  It provides products or services for data subjects in the EU (irrespective of whether the data subject pays for the products or services); or ...
•  Monitoring of data subjects’ activities occurring in the EU.

To "provide products or services" to data subjects in the EU suggests that a degree of intent and awareness is required to fall under the scope of the GDPR, and there should be some evidence thereof. The EDPB (European Data Protection Board) has elaborated some factors to be taken into consideration for determining this "degree of intent":

•  Naming the EU or member states in reference to the goods or services;
•  Using EU languages;
•  Having marketing and advertising campaigns directed at EU audiences;
•  Being able to place orders in EU languages;
•  Paying a search engine to facilitate access by individuals in the EU;
•  Dedicating addresses or phone numbers for individuals in the EU;
•  Using an EU domain name, for example ".de" or ".eu".

As regards "monitoring", this is explained to specifically include tracking individuals online, creating profiles used for analyzing and predicting their personal preferences, behaviors and attitudes, etc. The EDPB offers the following examples:

•  Behavioral advertising and content localization (particularly for advertising);
•  Online tracking through cookies and device fingerprinting;
•  Online personalized diet and health analytics service;
•  Closed circuit television (CCTV);
•  Monitoring or regularly reporting on an individual’s health.
