How China’s PIPL Compares to International Breach Notification Laws

• The low-down on PIPL
• How does PIPL compare to international breach notification laws?
• An uncomplicated approach to complicated regulations

Read more below.

Best Practices for New and Current Privacy Regulations

GDPR, CCPA, CPRA, PIPEDA, and soon PIPL…there sure are a lot of acronyms in the data privacy space. “Privacy law is rapidly growing and evolving, almost on a daily basis, and in nearly every corner of the world,” states JD Supra.

Before PIPL enters the complicated world of privacy law, it might be time for a refresher of the significant laws and their compliance requirements. Privacy professionals can turn to RadarFirst’s Breach Law Radar for a comprehensive list of data breach laws and up-to-date overviews of global breach notification laws and all 50 U.S. state regulations.

Knowing the ins and outs of evolving data privacy laws is especially important as privacy professionals are tasked with making data breach notification decisions. “Understanding the nuances in a law’s risk of harm standard, or lack of a harm standard, is critical in developing a consistent breach notification and documentation program,” states Kelly Burg, lead product manager at RadarFirst.

PIPL

China’s Personal Information Protection Law (PIPL) is the next big data privacy law hitting the globe and will be applicable to any organization and individual who process personal information in China. A draft of the PIPL, with its data collection and protection elements — including consent to collect user information and user rights to withdraw that consent — was presented last year. While a timeline for the PIPL’s effective date has not yet been determined, organizations should take lessons learned from comparable privacy laws and begin planning for change now.

“Globally, there has been a push toward more robust rules to protect consumer data and privacy as technology services continue to expand,” writes Arjun Kharpal, CNBC’s senior technology correspondent based in Guangzhou, China. “After years of Chinese internet companies building business models around Chinese people’s lack of awareness about privacy, users are becoming more knowledgeable, and they are becoming angry with companies abusing their personal information,” adds Winston Ma, adjunct professor at the New York University School of Law.

Most notably, PIPL includes requirements for sensitive personal information, which requires extra protection legally. If your company is going to process sensitive personal information, you may need to consider designing a differentiated privacy notice interface as the PIPL requires “explicit and individual consent” for each purpose of processing sensitive information, meaning users will need to explicitly consent to each of the purposes of data processing that you will do.

In the current draft of PIPL, sensitive personal information is defined as “information that may lead to discrimination or serious harm to personal or property safety once disclosed or illegally used, including such information as race, ethnicity, religious belief, personal biological characteristics, medical health, financial accounts, and personal whereabouts.”
Under this definition, location information, mobile number, bank account, financial transaction data, etc. are all considered as sensitive personal information.

GDPR

European Union’s General Data Protection Regulation (GDPR), designed to harmonize data privacy laws across the EU, went into effect May 25, 2018. The GDPR poses significant challenges for compliance professionals, including a 72-hour risk assessment and breach notification timeline as well as hefty consequences for noncompliance.

When making breach notification decisions under GDPR, the risks to the rights and freedoms of affected individuals — such as risk of discrimination or damage to an individual’s reputation — must be considered, in addition to financial harm.

Download the Comparison Guide: GDPR vs. US Regulations to learn how the mandatory breach notification requirements in the GDPR compare to U.S. laws. For example, did you know both U.S. laws and the GDPR require multi-factor risk assessment?

A consistent incident risk assessment will determine if the incident qualifies for any exceptions or meets the compromise standard according to applicable laws.

Learn more about how Radar incident response management software simplifies compliance with automated multi-factor risk assessment.

CCPA

The California Consumer Privacy Act (CCPA) is a first-of-its-kind U.S. state law. Comparable in some ways to the GDPR, this regulation requires organizations to reexamine the ways data is collected, used, and protected. CCPA took effect January 1, 2020, and has spawned more rigorous privacy laws in other states.

Under the CCPA, the definition of personal information is relatively broad and includes information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household,” including name, email, biometric information, geolocation data, household data, and IP address.

Organizations can mitigate risk and be compliant with CCPA by following these best practices:

• Know the law. Stay ahead of changing privacy regulations through continuous monitoring of legislative updates.
• Understand your data. Analyze your data inventories and determine what data is subject to the CCPA (or other applicable laws) at the data flow and data element level.
• Practice. Perform regular simulations and table-top exercises to better understand your company’s risk and identify areas for improvement within your privacy and incident response programs.
• Document and improve. Track your privacy incidents and notifications over time, capturing enough data to establish benchmarks, run trends analysis, and report on key metrics

Additional CCPA resources can be found here.

CPRA

The California Privacy Rights Act of 2020 (CPRA) takes effect on January 1, 2023. Among its numerous amendments and additions to the existing CCPA (see above), the CPRA expands the definition of personal information and individuals’ rights for privacy breaches.

It is recommended that organizations affected by CPRA should start preparing now, with these six best practices:

1. Mapping, classifying, and managing all the “sensitive personal information” newly protected by CPRA.
2. Revising workforce disclosures and processes to comply with CPRA’s new workforce privacy protections.
3. Reviewing child privacy policies and practices, since the CPRA mandates steep fines for violation of children’s data privacy.
4. Reviewing data usage and retention policies and creating required new consumer notices, disclosures, and procedures enabling consumers to correct inaccurate personal information held by the organization.
5. Conduct risk assessments in preparation for CPRA’s mandatory audits.
6. Proactively building a contact list and building relationships with the new California Privacy Protection Agency.

Read more about CPRA in Privacy Regulatory Trends: Preparing for CPRA and Beyond.

PIPEDA

The Personal Information Protection and Electronics Document Act (PIPEDA) is the Canadian federal-level law protecting personal information. The law went into effect November 1, 2018.

According to the Office of the Privacy Commissioner of Canada, “organizations covered by PIPEDA must generally obtain an individual’s consent when they collect, use or disclose that individual’s personal information. People have the right to access their personal information held by an organization. They also have the right to challenge its accuracy. Personal information can only be used for the purposes for which it was collected.”

The mandatory breach notification and recordkeeping requirements under PIPEDA are an example of the impact of the GDPR on international data breach notification requirements.

Read the Comparison Guide: PIPEDA, GDPR, and U.S. State and Federal Data Breach Notification Requirements for an overview of the definitions of personal data and regulated forms, risk of harm standards, and notification requirements.

Stay Compliant

While data privacy laws are complicated, data breach notification doesn’t have to be. Radar is the only platform that provides automated multifactor risk assessments and decision support guidance for both U.S. and global data breach notification laws — privacy incident response in half the time. After all, who doesn’t want to streamline compliance with data breach regulations?

Click here to learn more about simplifying compliance with automated multi-factor risk assessment.

You might also be interested in: