How China’s New Data Privacy Framework Affects U.S. Nonprofits


Introduction

Nonprofits that reach Chinese donors, employees, contractors, newsletter and program service recipients, and other stakeholders face new legal obligations in the handling of those stakeholders’ personal information. Adopted on August 20, 2021, China’s Personal Information Protection Law (“PIPL”) became effective on November 1, 2021. This extraordinarily brief implementation period leaves for-profit and nonprofit entities alike scrambling to understand their compliance obligations under the new framework. As addressed below, nonprofits must comply with PIPL, and penalties for non-compliance may be hefty. Nonprofits with connections to China should therefore assess their data handling practices, their disclosure and notice practices (including consent mechanisms), the controls they give individuals over their personal information, and their data audit functions, in order to mitigate risks arising under the new framework.

Backdrop: Global and U.S. Data Privacy Laws

Before discussing the new requirements under PIPL, let’s review the current U.S. and international data privacy legal milieu. Nonprofits already face compliance obligations under numerous data privacy regulatory regimes, both globally and domestically. The most significant of these frameworks is the European Union’s General Data Protection Regulation (GDPR). GDPR is broadly applicable: it protects persons in the European Union (“Data Subjects”) and governs the collection, transmission, retention, processing, and destruction of those Data Subjects’ personally identifiable information. GDPR adopts a very broad conception of the “personal data” that organizations collect, aggregate, and otherwise use, and all of it is subject to the law. The European framework contains robust provisions for individuals’ control over their own personal data, in keeping with a user’s “right to be forgotten,” a principle that carries legal weight comparable to First Amendment-type freedoms in the U.S. context. Other data privacy laws across the globe are country-specific (e.g., Brazil, South Africa, South Korea, Australia, and Canada).

The U.S. landscape of data privacy law is a patchwork of federal and state privacy regimes. At the federal level, laws affecting data privacy tend to be sector- or application-specific rather than an overarching framework like GDPR. The Federal Trade Commission Act (FTCA) provides for enforcement against unfair or deceptive practices in the use of personal data. The Health Insurance Portability and Accountability Act (HIPAA) sets national standards to protect patients’ sensitive health information. The Children’s Online Privacy Protection Act (COPPA) imposes requirements on operators of websites or online services directed to children under 13 years of age. The Controlling the Assault of Non-Solicited Pornography And Marketing Act (CAN-SPAM) regulates the sending of commercial e-mail. The Telephone Consumer Protection Act (TCPA) addresses marketing phone calls and text messages.

At the state level, the most comprehensive framework is the California Consumer Privacy Act (CCPA), which rivals GDPR in breadth and scope. Other state laws include the Massachusetts Data Security Regulation, the Illinois Biometric Information Privacy Act, Maine’s Act to Protect the Privacy of Online Consumer Information, and Nevada’s Online Privacy Law. Whether these state and federal frameworks apply to a given U.S. nonprofit depends on the nonprofit’s programming, data uses, website operation, appetite for legal risk, and a wide array of other variables. For example, CCPA generally does not apply to nonprofits, but many nonprofits nonetheless choose to comply with CCPA as a matter of best practice, because of contractual relationships with for-profit, CCPA-compliant entities that pass compliance obligations down the chain, and for other reasons.

China’s Personal Information Protection Law (PIPL)

General Applicability

China’s Personal Information Protection Law (PIPL), like GDPR, is a robust, comprehensive data privacy framework with substantial compliance requirements for nonprofits that process the personal information of persons within the People’s Republic of China (PRC). PIPL is administered through the Cyberspace Administration of China (CAC). Nonprofits with reach into both the EU and China should not rely solely on their existing GDPR compliance programs, as PIPL contains requirements that are not found in GDPR, and vice versa.

PIPL applies to entities outside the PRC that: (1) provide products or services to natural persons in China; (2) analyze or assess the activities of natural persons in China; or (3) fall under “other circumstances” provided in laws or administrative regulations. Personal Information subject to PIPL includes “all kinds of information,” recorded electronically or otherwise, related to identified or identifiable natural persons in China; anonymized information that cannot be linked back to an individual is excluded. PIPL imposes its requirements on “Personal Information Handlers.” Significantly, “Personal Information Handling” is defined very broadly under PIPL and includes the collection, storage, use, processing, transmission, provision, disclosure, or deletion of the Personal Information of persons in the PRC.

Conditions, Requirements, and Consent

1. Conditions

PIPL strictly limits the circumstances in which an organization is permitted to collect Personal Information and engage in Personal Information Handling to the following:

  • Individual consent;
  • Contractual requirements;
  • Necessary under human resources management requirements, labor rules, or collective contracts;
  • Compliance with statutory duties or obligations;
  • Sudden public health incidents or other emergency conditions;
  • Where made necessary by news reporting, public opinion, or activities in the public interest;
  • In circumstances where the natural person has previously self-disclosed or lawfully disclosed the Personal Information; and
  • In other administrative or regulatory circumstances.

Nonprofits seeking to “handle” data of persons in the PRC should be able to link such data handling to one or more of these conditions.

2. Requirements

Provided that an entity satisfies one or more of the conditions above, any Personal Information Handling under PIPL must also meet all of the following requirements:

  • have a clear, reasonable purpose;
  • be limited to the smallest scope required to achieve that purpose;
  • be performed using measures necessary to safeguard Personal Information;
  • be accompanied by clear notice to the individual of how the covered entity processes their Personal Information; and
  • be consistent with the organization’s Personal Information retention policies, with retention no longer than necessary to achieve the stated purpose.

3. Consent-related requirements.

Consent under PIPL resembles consent as a lawful basis under GDPR, but with some important nuances. As with valid consent under GDPR, consent under PIPL must be “knowledgeable, voluntary, and explicit,” and it may be withdrawn. Parent or guardian consent is also required for minors under the age of 14. Note that under PIPL, consent must be specific to the types of Personal Information Handling that were disclosed: for any new use of personal information, an entity must obtain fresh consent from the data subject. For example, if a nonprofit collects email addresses in order to send a monthly newsletter, it may not, without obtaining new consent, use those email addresses for fundraising. PIPL further requires “separate consent” (a distinct, stand-alone consent rather than a bundled one) for certain activities, including handling sensitive Personal Information, providing Personal Information to third parties, and transferring it outside the PRC. Nonprofits should carefully assess their data uses and obtain specific consents for specific data uses.

Additional Requirements and Penalties

PIPL places rigorous requirements on entities outside the PRC that handle covered data. For example, such entities must establish a dedicated entity or appoint a representative within the borders of the People’s Republic of China if they provide products or services to natural persons inside China, analyze or assess the activities of natural persons inside China, or fall under circumstances provided in other laws or administrative regulations. The name and contact information of that entity or representative must be reported to the relevant PRC authorities.

Organizations conducting cross-border transfers must be vetted through PRC-mandated processes. PIPL requires that an entity transferring Personal Information out of China pass a security assessment organized by the CAC, obtain personal information protection certification from a PRC-recognized institution, or use standard contractual clauses published by the CAC (similar in concept to GDPR standard contractual clauses), or satisfy other conditions that may be promulgated in laws or regulations. At the time of writing, much of the PIPL-related infrastructure listed above has not yet been promulgated by the PRC. For example, China has not yet published its standard contractual clauses or identified alternative mechanisms by which entities conducting cross-border transfers may be vetted. Our firm will continue to monitor this developing area and provide updates as they become available.

PIPL grants individuals a set of rights over their Personal Information: the rights to access, correct, and obtain copies of the information collected; to request erasure or deletion; to obtain explanations of how their Personal Information is handled; to object to or restrict specific handling; to data portability; to withdraw consent; to lodge complaints with regulators; and to file a lawsuit in China against entities that fail to honor these rights.

Notably, significant penalties exist for organizations and key individuals that violate PIPL. For ordinary (“level one”) violations, organizations face fines of up to RMB 1 million (approximately $155,118), and “Directly Responsible Personnel” may be personally fined up to RMB 100,000 (approximately $15,511). For violations the PRC deems “grave,” organizations face fines of up to RMB 50 million (approximately $7,755,906) or 5% of the prior year’s revenue, and directly responsible personnel face fines of up to RMB 1 million (approximately $155,118), along with possible bars on serving as directors, supervisors, or senior managers. Regulators may also order the suspension of business activities or revocation of licenses. (USD figures are conversions at the exchange rate current when this article was written.)

Compliance Basics

For many U.S. nonprofits, compliance with China’s new PIPL is not a trivial data privacy consideration. While the full scope and impact of PIPL remain to be seen, U.S. nonprofits can take early steps to begin their compliance processes and mitigate liability under the new law. Specifically, nonprofits should keep the following in mind with respect to PIPL compliance: (1) clearly disclose the uses of information through posted privacy policies and at the point of collection (for example, on donation, registration, and newsletter sign-up forms); (2) identify a lawful basis for each use of collected data; (3) develop and implement data breach response and notification policies; (4) use GDPR-like consent, data management, and consent-withdrawal mechanisms; (5) assess the possible need for an in-country authorized representative and watch for additional regulations; and (6) obtain advice on whether the heightened obligations for large-volume data handlers apply.

Further, nonprofits with significant activities in China may wish to use a constituent relationship management system (CRM) to record context-specific consents and to track individuals’ requests to exercise control over their information. Good CRM audit functions should greatly assist a nonprofit’s efforts to manage and audit data subjects’ consents and other control requests. When the PRC’s CAC (or a GDPR data protection authority) requests compliance-related information, a nonprofit’s CRM should simplify the resulting audit and reporting tasks.