PRC Newsletter – Personal data compliance issues from the perspective of Nordic/Baltic web shops with business into China

China recently introduced new data protection legislation that has a significant impact on foreign businesses with operations in, or sales to, China, such as web shops domiciled in the Nordics or Baltics that sell products to customers based in China.

The long-awaited Personal Information Protection Law (the “PIPL”) took effect on 1 November 2021 and, together with the Cyber Security Law and the Data Security Law, provides a more comprehensive framework for cyberspace governance and data protection in China.

In this article, we analyze the impact of the PIPL on Nordic and Baltic web shops that sell to customers in China through their own websites operated in Europe.

1. Scope of “Personal Information” and “Sensitive Personal Information”

The PIPL to a large extent mirrors the language of the EU’s General Data Protection Regulation (GDPR) in its definition of personal information. The fairly broad definition covers all kinds of information relating to identified or identifiable natural persons, recorded electronically or in any other form; information that has been anonymized is excluded.

In the ordinary course of business, a Nordic/Baltic web shop collects and processes its customers’ personal information, such as name, gender, address, email address, preferences and identification number. All such information is personal information under the PIPL.

The PIPL also introduces, for the first time in Chinese law, the concept of “sensitive personal information”: personal information which, if leaked or illegally used, may easily infringe the dignity of a natural person or endanger his or her personal safety or property. Biometric identification information, religious beliefs, specific identity, medical health information, financial accounts, location tracking and the personal information of minors under the age of 14 are all deemed sensitive personal information.

As a natural part of engaging with customers, a Nordic/Baltic web shop is likely to collect sensitive personal information during the transaction process, such as the customer’s identification number and bank account information.

2. Scope of Application

The PIPL uses the concept of a “personal information processor”, which covers organizations and individuals that independently determine the purpose and method of processing personal information (the counterpart of the GDPR’s “controller”).

In addition to the processing of personal information within China, the PIPL also applies to processing outside China where the purpose is to provide products or services to natural persons in China, or to analyze or assess their behaviour. This covers Nordic/Baltic web shops selling products from overseas to customers located in China.

For that reason, Nordic/Baltic web shops selling into China must assume that the PIPL applies to them.

3. Legal Basis of Processing – Consent

One of the welcome changes introduced by the PIPL is a broader, expanded set of legal bases for processing personal information, quite similar to that of the GDPR, although the PIPL contains no counterpart of the GDPR’s “legitimate interests” basis.

The processing of personal information must satisfy the processing conditions provided for in the PIPL:

§ Clear consent

For a Nordic/Baltic web shop, the most critical issue is obtaining consent from its customers, who are natural persons.

Consent must be given voluntarily and explicitly by the natural person on the basis of full knowledge of the processing, and the individual must be able to withdraw it easily. A single bundled consent covering all processing purposes is not allowed, and the processor is required to obtain a separate consent in certain circumstances.

For a Nordic/Baltic web shop selling products to Chinese customers, the following separate consents will be necessary: (a) for processing sensitive personal information, and (b) for providing personal information to a third party (such as banks and courier companies).

As such, a Nordic/Baltic web shop must either set up a special consent-gathering process for Chinese customers or align its general consent-gathering process with the requirements set out in the PIPL.

§ Limited to the smallest scope

The collection of personal information must be limited to the smallest scope necessary for achieving the purpose of processing; personal information must not be collected excessively.

A Nordic/Baltic web shop may collect the information it needs from customers for ordinary business purposes such as delivery and marketing; however, if the web shop asks for excessive information unrelated to its sales business (e.g. information about family members, social media accounts, etc.), this would constitute a breach of the PIPL.

4. Cross-border data transfer

Cross-border transfer of personal information may only be made for a legitimate and genuine reason (e.g. a business need).

Before transferring personal information out of China, the transferor must take the necessary measures to ensure that the overseas recipient’s processing satisfies the level of protection required by the PIPL, must carry out and document a personal information protection impact assessment, and must in addition meet one of the following conditions (the PIPL sets them out as alternatives, not as cumulative requirements):

§ pass a security assessment by the authority (mandatory for operators of critical information infrastructure and for processors handling personal information above a volume threshold set by the authority)

§ obtain a personal information protection certification issued by a qualified organization

§ enter into a contract with the overseas recipient on the standard terms issued by the authority

§ comply with other conditions stipulated by the authorities from time to time.

Further, in addition to the separate consents listed under Section 3 above, a separate consent to the cross-border transfer itself must be obtained by the processor before the transfer. Here the information requirement is enhanced: the individual must be told, among other things, (i) the name and contact information of the overseas recipient, (ii) the purpose of the processing, (iii) the processing methods, (iv) the types of personal information transferred, and (v) how to exercise his or her rights against the overseas recipient.

A Nordic/Baltic web shop processing a large volume of personal information must store the data collected and generated within China; the volume threshold that triggers this requirement has not yet been clarified. In that case, any transfer of the personal information to its offshore entity will be a cross-border transfer that must pass the security assessment by the authority and meet the other compliance requirements described above.

If the Nordic/Baltic web shop is running a smaller business, strictly speaking it may still be caught by the cross-border transfer regime; however, under the current rules and in practice, the compliance conditions listed above in this section may not necessarily have to be implemented as long as a clear and specific consent is obtained.

Cross-border data transfer is always a central issue in any data protection regime, and the details are yet to be specified by future regulations.

5. Compliance Requirements

The PIPL requires offshore personal information processors subject to the PIPL to establish a dedicated office or appoint a designated representative in China to handle personal information protection matters, and to report that office’s or representative’s name and contact details to the authorities.

That is to say, a Nordic/Baltic web shop that has no business presence in China but sells products to Chinese customers is required to have an office or a representative located in China responsible for its data compliance.

In addition, a Nordic/Baltic web shop that operates an important internet platform with a huge number of users in China faces extra compliance requirements, including but not limited to:

§ storing data within China, with any transfer of such personal information out of China subject to a series of complex requirements

§ formulating platform rules according to the principles of openness, fairness and impartiality, and clarifying the standards for personal information processing on the platform

§ regularly publishing reports on social responsibility for personal information protection and accepting public supervision.

The definition of “a huge number of users” has not been clarified in the PIPL and awaits further guidance.

6. Our take

The PIPL reshapes the handling of personal information in China and shows that the protection of personal information is “here to stay” in China.

Understanding the scope and application of the PIPL is an ongoing process, and we expect more detail and clarity to come from future regulations.

For now, a Nordic/Baltic web shop selling products to Chinese customers should set up proper internal risk-control and compliance measures and policies to fulfil the regulatory requirements set out in the PIPL, including how it gathers consent from Chinese consumers. Internal compliance due diligence and staff training should also be considered.

If you have any questions or comments on this topic, or on any other matters related to foreign companies doing business in China or Chinese investments in Europe, please do not hesitate to contact Magnusson’s China Group.

Our China Group team has almost two decades of experience advising Chinese companies who conduct business in the Baltic Sea Region and local clients who conduct business in China.

We have Chinese qualified lawyers in our group as well as Mandarin speakers in most of our offices. Our lawyers are able to offer a comprehensive range of services in Mandarin and the local languages and have considerable experience of helping Chinese businesses who are looking to set up operations in the Baltic Sea Region.

Moreover, we also support and advise local businesses looking to take advantage of the many opportunities that China offers. Our services include M&A and investments, dispute resolution, employment law, foreign investment screening, regulatory advice, e-trade and personal data, and commercial contracts.

Nikolaj Juhl Hansen
Partner
+45 27 74 05 07
nikolaj.juhl.hansen@magnussonlaw.com

Natalie Pu
Counsel
+46 72 442 68 80
natalie.pu@magnussonlaw.com