China’s New Data Privacy & Data Security Laws: What Do They Mean for Data Sanitization Compliance?

The People’s Republic of China joins a host of nations implementing new data privacy and protection regulations that affect global organizations. Here, we briefly introduce both the new Personal Information Protection Law and China’s Data Privacy Law—and how Blancco helps you comply with China’s data protection mandates.

George Janssen George Janssen heads up the Blancco Technology Group legal department, a position he’s held since 2018. In this role, George is responsible for the day-to-day legal operations of the Blancco group worldwide, including data privacy and compliance. With significant legal experience in international organizations focused on technology and software, George specializes in data privacy and data governance, data classification, intellectual property management and technology partnership.

China’s Personal Information Protection Law

The Personal Information Protection Law, or PIPL, is China’s first comprehensive data protection legislation. Its goals are to protect the personal information rights and interests of data subjects by regulating personal information handling activities.

In effect since November 1, 2021, the PIPL is similar to the EU General Data Protection Regulation (EU GDPR). However, compared to earlier legislation on data protection issues, the PIPL will have a much bigger impact on local and international businesses operating in China.

PIPL provides for some hefty monetary penalties: when a breach is found to be serious in nature, a fine of up to RMB 50 million (approximately 7.7 million USD) or up to five percent of preceding annual revenue can be imposed. Notably, the PIPL also enforces personal liability, even holding directors and senior management liable if they are found responsible for a data privacy breach.

What businesses and regions are affected by the PIPL?

The PIPL applies to both Chinese companies and to international businesses operating in China if they handle personal information on any natural persons within the country.

Also, beware: The PIPL may also, under certain conditions, apply to the handling of personal information by non-Chinese companies operating outside of China, where the personal information processed is from data subjects in China (for example, PIPL could apply to a U.S. data broker which has collected personal information on consumers in China).

How the PIPL defines ‘Personal information’

PIPL has a very broad definition of personal information (PI): “Personal information is all kinds of information, recorded by electronic or other means, related to identified or identifiable natural persons, not including anonymized information.”

The PIPL gives individual rights similar to those found in the EU GDPR, including those concerning

• the right to know,
• the right to access,
• data portability,
• the right to refuse decisions made solely through automated methods,
• the right to request a correction, and
• the right to delete personal information.

The ‘Personal Information Protection Impact Assessment’ requirement

Under PIPL, a “Personal Information handler” needs to conduct a personal information protection impact assessment (“PIPIA”) before they

• process sensitive personal information or when using personal information in automated decision making,
• engage an entrusted party (processor) to process personal information on a personal handler’s (controller’s) behalf or exchange that information with another handler,
• disclose personal information in public or transfer it outside China, or
• undertake any processing activity that might have material impact on data subjects’ rights and interests.

China’s Data Security Law

The second of the two new China data protection laws is the China Data Security Law (DSL). It went into effect September 1, 2021. The DSL introduces new data security protection obligations for information processors, including

• the designation of persons responsible for data security,
• the establishment of data security management bodies, and
• the conducting of risk assessments.

The DSL establishes not only monetary but also civil and criminal liability for organizations or individuals found responsible.

China Data Protection Requirements: Data Processing & Destruction

Many PIPL provisions require implementing technical security measures and taking operational steps for limiting the processing of personal data of data subjects. For instance, PIPL Article 51 states that personal information handlers shall implement measures like encryption or de-identification to prevent unauthorized access, disclosure, tampering with, or loss of personal information.

Like other data protection regulations, the PIPL also provides individuals the right to erasure. To support this right, personal information handlers need to proactively delete personal information when

• the processing purpose has been achieved or is no longer necessary,
• when the reasonable retention period has expired, or
• when the individual rescinds the consent.

But there’s another important point: PIPL also requires that organizations maintain data processing records for three years in certain circumstances, so a history of the entire data lifecycle—from collection to erasure—needs to be recorded.

The DSL, like the PIPL, also mandates establishing a strong data security management system. It further clarifies that those handling important data carry out periodic risk assessments of their data handling activities. The risk assessment reports must include:

• the types and amounts of important data being handled,
• the circumstances of the data handling activities, and
• the data risks faced and methods for addressing them.

How Can Blancco Help Businesses Comply with Today’s Data Protection Laws—Including China’s PIPL and DSL?

Blancco data erasure solutions offer software-based data sanitization across virtually every type of IT asset. This includes the ability to erase specified files, folders, and LUNs within live environments (for instance, erasing data from employee laptops and desktops or from within your active on-prem or cloud network). It also includes the ability to wipe inactive data from a wide range of end-of-life data storage devices, regardless of the underlying technology.

Plus, Blancco’s digitally signed erasure reports mean you can prove you’re in compliance with deletion-focused data protection mandates, including China’s regulatory data sanitization requirements: Each erasure generates a tamper-proof audit trail of what data was erased from where, how it was handled, and when.

Furthermore, because erasures are verified and certified, you can confidently dispose of, reuse, or resell IT assets with no risk of data recovery. Whether you are erasing desktops, laptops, servers, flash storage devices, or mobile devices, you can be sure sensitive and personal information has been certifiably erased.

Many thanks to Blancco Junior Legal Associate Kinjal Kurani for her significant contributions to the drafting of this data protection article.

You may be interested in

Is It Time to Update Your IT Security Policies?

Legislation Labyrinth: Navigating Global Privacy Laws Along the Asset Lifecycle

How Does Blancco Help Organizations Comply with Australia’s Notifiable Data Breaches Scheme?

Our Certifications