Market Research and Regulatory Developments in China
Privacy regulation and associated requirements are often seen as a frustration that arises when working in Europe or with European clients, as though you’re either subject to GDPR or nothing, and for many market researchers based in the United States, that perception may reflect the reality of their work, which is likely to be focused on the United States and EU5 (France, Germany, Italy, Spain, and the United Kingdom). But privacy is a global concern governed, for the most part, by a patchwork of national laws.
157 countries (that’s ~80% of the world) have data protection laws, from Albania to Cuba, Ethiopia to Kazakhstan, South Korea to Zimbabwe, with new or stricter laws seeming to pass every year. In this post, we’ll take a look at China’s Personal Information Protection Law, how GDPR has evolved (particularly with respect to US-based companies), and what to expect from the UK post-Brexit.
Of course, a deep dive into these issues could fill a book, so this post will not be exhaustive; we will instead focus on top-of-mind points of interest and concerns. Additionally, new guidance from regulatory authorities is likely to be forthcoming over the course of the year (and beyond), which may degrade the accuracy of statements made in this post. Remember, also, that I am a lawyer, but I’m not your lawyer. The information provided in this post does not, and is not intended to, constitute legal advice; it is presented for general informational purposes only.
China’s Personal Information Protection Law
When China’s Personal Information Protection Law was passed in 2021, it was touted as a Chinese answer to Europe’s GDPR. But, as privacy wonks may remember, PIPL’s official English-language translation wasn’t released until nearly two months after the law took effect, setting the tone for how quickly aspects of the law would be clarified. China is intensely bureaucratic and the gears of that machine move slowly - now, the better part of two years later, many of the practical aspects of PIPL have not been clarified by regulatory authorities, and legal uncertainty always bears (not insignificant) risk.
That said, there are features of PIPL that we can write about definitively. Like GDPR, PIPL is extraterritorial, meaning it applies even when the personal information of individuals in China (not including special administrative regions) is processed outside China, provided that the purpose of the processing is to provide products and services to, or analyze/evaluate the behavior of, individuals in China. Generally speaking, because market research involves the analysis or evaluation of respondents’ behavior, PIPL will be applicable in most market research situations.
Personal information is broadly defined as “information related to an identified or identifiable natural person that is recorded electronically or by other means.” Wrapped into that definition is a significant deviation from what we have become accustomed to under GDPR – PIPL does not differentiate between business and personal data, meaning information collected in the standard course of business, such as vendor contact details, falls within the ambit of the law. On the other hand, PIPL is similar to GDPR in that special protections are provided for sensitive data and individuals have GDPR-like rights.
Sensitive personal information is defined as that which, if disclosed or used illegally, may easily lead to the infringement of an individual’s personal dignity (which is vague and suggests that actual harm is not required for a violation to occur) or harm their person/property, including information relating to biometrics, religious beliefs, health, financial accounts, whereabouts, or specific identity (though further detail on “specific identity” is not given), and any information about minors under the age of 14. Any handling of sensitive personal information requires a specific purpose, sufficient necessity, strict (but as yet undefined) protective measures, an impact assessment and record of processing, and separate consent.
PIPL also includes special requirements for automated decision-making. Specifically, (1) handlers using personal information in automated decisions must ensure the transparency, fairness, and justice of results; (2) unreasonable differential treatment of individuals based on such decisions is prohibited; (3) if an individual’s rights/interests are significantly affected, they may prohibit the handler from making decisions solely using automated processes. I don’t necessarily anticipate that we as market researchers will ever widely use automated or algorithmic decision-making that would be subject to the above, but it’s likely that many of our clients do, and so it is worth remembering.
Much like GDPR, PIPL identifies six legal bases for handling personal information (not including a seventh that serves as a kind of miscellaneous basis). Of them, consent, which must be voluntary, clearly given, informed, and express, will undoubtedly be the legal basis most commonly relied upon by market researchers. When consent is the basis for handling, individuals must be provided a convenient method to withdraw their consent. No specific procedural guidance or requirements for this mechanism are included in the text of the law, but draft implementing regulations contemplate three weeks (fifteen business days) for the handler to respond to a request to withdraw consent as being reasonably convenient.
Though consent will likely be used in most market research scenarios, studies that involve social listening may rely on public information (information that has been lawfully and publicly disclosed and the handling of which is within reasonable scope) as a legal basis for handling. It is also worth noting that, unlike GDPR, legitimate interest is not a legal basis for handling under PIPL, and some companies that are GDPR-compliant will need to reassess their personal information processes with respect to China.
Off-shore companies that engage in data-handling activities subject to PIPL must establish a presence in China or designate a representative in China to assume responsibility for personal information protection. Associated reporting procedures have yet to be put in place, and it remains unclear whether in-country partners would satisfy the “representative in China” requirement (though we presume for the moment that they do). Cross-border personal information transfers (e.g. China to US) can be made for legitimate purposes, such as business needs, but the transferor must still take steps to ensure the off-shore processing satisfies the protection standards set forth in PIPL.
In addition to a legal basis for handling personal information, a legal basis for transferring that information out of China is also required. This involves meeting one of the following requirements: (1) passing a security assessment by the Cyberspace Administration of China (the CAC); (2) obtaining a personal information protection certificate from an authorized data security assessment institution/authority; (3) adopting CAC-promulgated standard contractual clauses in a data transfer agreement; or (4) fulfilling conditions stipulated in other laws or regulations.
During its March 2023 meeting, the National People’s Congress, China’s rubber-stamp legislature, announced a new data governance bureau, intended to be the top regulator for data-related issues. When that agency is established and becomes functional, it will undoubtedly play a role in these processes as well, the most obvious being the creation of the “conditions stipulated in other laws or regulations.”
Also like GDPR, PIPL allows for heavy penalties against a violating party, including fines of up to ¥50 million ($7.28 million) or 5% of the previous year’s revenue (it is not yet clear if a percentage-of-revenue penalty would consider worldwide revenue or China-derived revenue only). However, PIPL also takes it a step further. Violations can result in warnings, rectification orders, confiscation of gains, business suspension, or revocation of a relevant permit or license; and, if a violation jeopardizes national security, the public interest (which could be used to enforce government will or policy, regardless of the public interest case), or the rights or interests of an individual, the CAC can blacklist off-shore entities and/or individuals and prohibit them from receiving personal information. Additionally, civil remedies are available when individuals’ rights are infringed, and it appears that the accused handler(s) must prove that they are not at fault, meaning there is no disincentive against making frivolous claims. Finally, for serious violations, fines of up to ¥1 million ($145k) can be levied against the individual(s) directly responsible.
Though PIPL is now nearly two years old, it is still quite new in the grand scheme of implementation and enforcement. We do not yet know how strictly PIPL will be enforced or where enforcement actions will focus. PIPL has the potential to be relatively GDPR-like in scope and function or far harsher – government enforcement priorities and decisions, not to mention which interests set those priorities and drive those decisions, will determine which way the wind blows.
At a time when China hawks are ascendant in the western world, PIPL gives the Chinese government significant control over whether and how cross-border transfers take place, providing opportunities for China to punish foreign companies that don’t align with its interests. We’ve already seen this happen in the EU, to some extent, with high-profile litigation and eye-watering fines levied against Google, Facebook, and Amazon, including many cases where the actual harm was minimal or debatably nonexistent. Of course, in China, the concern is different: PIPL could be leveraged to support government efforts to force companies to abide by state censors’ wishes, efforts that currently rely primarily on brands’ access to the Chinese market (and have effectively cowed the likes of Activision Blizzard, Disney, Marriott, Mercedes-Benz, the NBA, Nike, and Paramount Pictures).
It is also worth noting that the protections established in PIPL do not extend to government action and that no restrictions on how the Chinese government can handle personal information and sensitive personal information exist. While this is not surprising, given that China is an authoritarian surveillance state, it sets the stage for conflict with countries that already had major concerns about government control and access to personal data, both generally and specifically with regard to China, and who have addressed this with their own privacy laws (GDPR being the prime example). Needless to say, even if you don’t operate in the Chinese market or rarely conduct studies with a Chinese cohort, it will be worthwhile to keep an eye on PIPL-related developments, which are likely to shape the international conversation around privacy, in part through other countries’ reactive regulation. Stay tuned.