Let’s talk about the relationship between YOU and the “Personal Information Protection Law of the People’s Republic of China” (in short, the “PIP Law”) that just came into effect on November 1, 2021, a few days ago. Note that although they are very similar, we are not talking about the same. The recently effective “Cybersecurity Law” or “Data Security Law”, because they may not have the extensive and thorough impact of today’s PIP Law on us to some extent.
Before we start to talk about the law, please imagine this scenario:
If you live in China, especially those super cities (such as Beijing, Shanghai, Guangzhou), you are likely to be surprised by the changes the Internet has brought to real life: you only need a smart phone today to have your all-day needs satisfied – you can use the APP to order a breakfast, whether it is a steamed bun or a hamburger, they will usually be delivered to you within half an hour, and at this time, you may have just finished brushing your teeth. If you want to take a bus or subway that extends in all directions, you only need to point the QR code on your smartphone to the automatic barcode scanner at the entrance of the bus or subway station when you get on the bus or when entering the station. We have not seen a coin for a long time. If you want to take a taxi, you have more than ten APPs to get a cheap taxi or a ride that can take you directly to your destination, and the cost will be automatically deducted from your APP account after you arrive. To start your day’s work, in fact, all you really need to do is to connect your mobile phone via Bluetooth to the company’s computer screen and keyboard, and then you can access to your emails, memo or office software through different APPs. Oh by the way, if you need a video conference or a cup of coffee, the online conference APP and takeaway APP on your phone can also meet your requirements immediately. You find that your colleague’s new windbreaker is actually not suitable for her, but more suitable for your wife, and it hAPPens to be her birthday on the weekend. Perfect! Open your APP and you don’t even need to enter the brand of the windbreaker – all you need to do is to take a picture of the colleague wearing that windbreaker with the APP, and the APP will automatically find it for you. There may be more than one seller of this windbreaker on the Internet, and in ten minutes, you can settle your wife’s birthday gift – it could be delivered to your door within two days from anywhere of China, and you can also by the way order a birthday cake on your in the same APP and require the cake to be delivered to your door on time at 5 pm on the birthday of your wife, with candles and notes prepared on it. At night, you suddenly want to go to a concert, but you don’t have time to queue up to buy tickets. What should you do? Very simple. Open your APP, you can always find a “standby” gentleman to queue up outside the theater to buy a ticket for you, and wait for you to pass it to you at the entrance of the theater after your relaxed dinner. In the same way, you can find it at any time a person to help you deliver the express, a person who moves home for you, a person who cleans, a person who cooks and picks up children for you, etc. The APP platform should be responsible for managing and supervising these people to ensure that they are trustworthy.
I have used 800 words above to describe the changes made to your real life by your smart phone and countless service providers online, not to recommend a smart phone or an errand APP to you. I want to remind you that on this day above, your personal information – your name, ID number, facial features, contact information, address, even your ability to pay, your buying habits, your hobby of coffee, your work unit and job status, your all-day itinerary map, your commuting time and your preference for musicals may all have been known, recorded, processed and shared by countless Internet service providers, and tomorrow, you may find a stranger calls into your cell phone and asks if you want to hire a clown at your or your family’s upcoming birthday party, or tell you that the bank is issuing very low-interest loans, or a residential area near your home is dropping prices. When you open those APPs again, you will find twelve windbreakers on the homepage with styles and prices similar to the products you just bought for your wife, or recommend all concerts and, probably, drama, mime and even circus with the prices listed for the next two months. You may find some strangers online asking you whether you need financial advisory or headhunting service in order to increase your embarrassed remuneration level, or help you pay off those loans that are due soon. What’s even more frightening is that if a service provider’s server is compromised or stolen one day, information including where you went, how much money you spent, who you met, and what you ate may all be leaked. You are almost ” Naked” then.
Now, you can imagine why we need this “Personal Information Protection Law of the People’s Republic of China”. Simply put, the entry into force of this law will make your personal information collected less, more cautiously stored, used and shared, and make those individuals and companies who did the wrong thing with your personal information to be punished as they are, and those who try to use your preferences and habits to bully or deceive you to give up their ideas because of the high price they may face to.
Your personal life will be changed in many aspects due to the entry into force of PIP Law.
For example, you will find that when you use the APP, there are more warnings, alerting you that your personal information will be collected and used by the service provider when using the service. You have the right to choose to refuse this situation and thus give up a certain services. More importantly, in these newly added warnings, the service provider has the obligation to clearly inform you why your personal information will be collected, or what purpose your personal information will be collected for, and whether it will be shared with other third parties. These reminders and disclosures were not necessary in the past – this will increase the service providers’ obligations and responsibilities for carefully collecting and processing your personal information. It also gives you a clear basis for recourse to the service provider for compensation and taking measures through reporting or litigation in the future.
For another example, you may find that there are fewer and fewer strangers calling you to promote loans or reduce price apartments in the future. This is because the PIP Law clearly prohibits service providers from leaking personal information collected to unrelated third parties, no matter it is through sales or free cooperation. Once a service provider is found to have violated the law by leaking personal information, it may face a huge fine of up to 50 million yuan or 5% of its annual income, and up to 7 years imprisonment.
For another example, although shopping platforms can still recommend products that you may be interested in based on your purchase history, they will not be allowed to ONLY push such products to you – there must also be other product choices pushed to you that are not related to your purchase history. In addition, the service provider will not be able to use your trust to deceive you – once, a travel reservation APP you are used to may secretly send you hotel or air ticket reservation prices that are more expensive than others – yes, you read that right, only because you trust those APPs and keep booking your hotel and air tickets there, they take advantage of your trust and charge you higher service fees than those who use them for the first time, so that those who use them for the first time may feel that this APP can provide discounts but at the same time secretly make more money from your wallet. Now, such behavior is not allowed. Anyone who discovers such behavior can report it.
On the other hand, if you are a business owner and your business collects, accepts, and disposes of your users’ personal information, then you should be very careful.
You may be reported excessively for failing to provide persuasive reasons or for unnecessary personal information collection. You may also be reported for refusing to provide services to users who do not agree to provide personal information, or even be investigated for not setting a path for users to sent request to you to prevent you from storing and using their personal information any longer.
The changes you need to make for the promulgation of the PIP Law may be in all aspects. For example, you need to set up separate reminders for each actions, no matter physically or within your APP, that collects users’ personal information, and ensure that your users can see those reminders clearly and have the right to make choices, regardless of whether they are easy to notice these collection actions or not. You also need to clearly disclose the purpose and necessity of your collection of their personal information in these reminders, and what measures you will take to store and use this information prudently. In addition, you must establish a set of compliance systems for the disposal of personal information. These systems should include written internal regulations, operating procedures, emergency measures, etc., and should cover a series of conducts from information collection to information storage, use, sharing, disclosure and destruction, and should be detailed, clear, legal and compliant to the law. Of course, you will most likely need a lawyer to help you draft these regulations.
In addition, you may also need to continue to invest in upgrading your servers, software systems and even hardware equipment – if you cannot guarantee that the personal information you collect is always safe, you can at least guarantee that in the event of an emergency, you have done your best for the protective measures you can take in advance – such preparation can help you avoid or reduce penalties due to adverse consequences. Another very effective way is to carry out specialized legal training for your employees and to record such training. Under such circumstances, you can both increase your employees’ awareness of user information protection and prevent them from unintentionally committing violations of the PIP Law and use it as a measure of your compliance measures to obtain an opportunity for defense in future lawsuits or investigations.
Some other things you may want to know about the PIP Law.
The new law stipulates that any citizen or individual has the right to report violations, as long as your report is substantiated. As for whom you should report to, it will depend on the specific circumstances of these violations. For example, if it is a violation of a trading platform, the most common agency for reporting can be the local Consumer Association or Market Supervision Authority. If it is an illegal act of a public information platform, such as on a social software or an information publishing platform, the Internet Illegal Conduct and Detrimental Information Reporting Center of the local government department is an effective reporting agency, such as the Shanghai Internet Illegal Conduct and Detrimental Information Reporting Center. Of course, if the violation is serious, you can always report it to the police in order to seek stronger public power intervention.
If you find that your contact information or residential address, or even your work and financial situation are known to strangers without your voluntary disclosure, or your private personal information is used by a third party or disclosed on a public network without your consent, for example, your photo, ID number or even contact information and you believe it is due to the misconducts of those service providers, you should consider using the PIP Law as a basis for protecting yourself.
Finally, please attach great importance to the protection of minors’ personal information, whether you are the guardian of minors or a service provider that may collect minors’ personal information. The protection the PIP Law provides for minors is stricter than that of adults.