So what do you need to now about China privacy laws if you’re planning to engage with Chinese clients, customers and prospects, or run a digital marketing campaign? We break down some of the key points below.

Key China privacy law

China enacted a suite of new data privacy and cyber security laws in 2021 and 2022 that radically alter the digital landscape. 

The Personal Information and Protection Law (PIPL) in 2021 and the Recommendation Algorithm Regulations in 2022, are particularly relevant to international student recruiters and marketers. 

The algorithm regulations clarify the user's right to opt out of algorithmic recommendations, demands transparency over how algorithms are functioning, and bans certain targeting. Some of its requirements are included in the comprehensive PIPL.

The PIPL restricts and regulates the use and collection of personal information. It has a particular focus on user notification and consent and shares some similarities with Europe’s General Data Protection Regulation, the so-called GDPR. Personal information (PI) includes any data that can be linked to a specific individual.

It’s core principles, summarised, are that so called "data handlers":

• Minimize data collection and use to only what’s needed.
• Deploy openness and transparency, clearly indicating the purpose, method, and scope of PI use.
• Operate with lawfulness, propriety, necessity, and sincerity.
• Ensure the accuracy and quality of PI.
• Be accountable to your PI handling, ensuring appropriate governance and security is in place.
• Limit PI activity to a clear and reasonable purpose.

Data handlers must get an individual’s explicit consent to collect, process, or store their personal data. Details on what specific conditions need to be met to constitute clear consent are light.

However, Article 14 outlines that it is essential that the individual is fully informed, and consent is given freely and unambiguously. 

As examples of what ‘freely’ given consent may mean in how you relate to your clients: you must not withhold a service or product from an individual because they don’t share PI (unless the information is critical to deliver the service), to avoid coercing or pressuring clients. Or, as another example, you should integrate a check box into personal information submission forms so that the individual actively agrees to your data activity, and gives ‘unambiguous’ consent.

Additionally, data handlers must seek the individuals ‘separate consent’ if:

• they are providing the PI to a third party.
• publicly disclosing the PI
• collecting the PI by devices in public places for any other reason than public security
• processing sensitive personal information (more on this later).
• exporting the PI to a party outside of China.

The PIPL does not offer guidance on what constitutes ‘separate consent’, as opposed to the explicit consent required by more general personal information collection, but some law firms anticipate a separate check box or pop-up window will be needed to meet the additional requirements on how ‘sensitive personal information’ is handled.

The law places further restrictions on how ‘sensitive personal information’ (SPI) is processed. The PIPL also gives Chinese citizens more rights over their own data.

China’s new data privacy law makes it even more critical that organisations have transparency and control across their digital activity in China. You are responsible for your activity, including the activity performed by an agency on your behalf.

So, when is personal information handling lawful?What do you need to do to be compliant?