PRESS RELEASE
14 October 2021
POPI ACT
HOW CHINA’S NEW PRIVACY LAW WILL IMPACT BUSINESSES IN SOUTH AFRICA
In the case of South Africa-China ties, 2021 marks 23 years of diplomatic and economic relations between the two allies. As of July 2021, imports from China to South Africa accounted for 19.4% of South Africa’s imports, while exports to China from South Africa amounted to 12.6%.
From the above statistics it can be safely deduced that South Africa will seek to protect and maintain all trade relations it has with China, and considering South Africa’s current economic climate, it has become heavily reliant on trade with, and investment from China, for economic growth and development.
Among the latest developments in global data protection are the implementation of the Protection of Personal Information Act (POPIA) in South Africa and the passing of the Personal Information Protection Law (PIPL) in the People’s Republic of China (‘China’).
Therefore, South African businesses who have trade relations with China, and who fail to comply with its data privacy laws, run the risk of dire financial implications.
PIPL was passed by the National People’s Congress on 20 August 2020 and is expected to come into force on 1 November 2021.
The purposes of PIPL are:
- to protect personal information rights and interests;
- to standardise personal information handling activities;
- to safeguard the lawful, orderly, and free flow of personal information; and
- to stimulate the reasonable use of personal information.
China’s new data privacy law calls for all foreign businesses to become PIPL-compliant when handling personal information of Chinese data subjects. This may introduce more challenges to foreign businesses who will have to determine how to exercise their own domestic data privacy laws, while also complying with the provisions of PIPL, in the hope of maintaining any trade relations they may have with China.
The common purpose of POPIA and PIPL is that both pieces of legislation aim to protect the personal information and rights of data subjects, highlight the importance of having justified legal grounds for the processing of personal information, and provide guidance on how to process said personal information.
The key difference between the two is that PIPL allows for the processing of information (through stringent provisions) of its data subjects beyond its borders, whereas POPIA allows for the processing of data within South Africa. Although Section 72 of POPIA makes provision for transfers of personal information of its data subjects outside of South Africa, the security around it is not as stringent as PIPL.
IMPACT OF PIPL ON SOUTH AFRICAN BUSINESSES IN TERMS OF POPIA
While South African businesses (with Chinese trade relations) should study the entire PIPL document, there are four key provisions they should take cognisance of: Article 3 (second paragraph) read in conjunction with Article 52, Article 38 and Article 40:
Article 3 (second paragraph)
South African businesses will be bound by PIPL if they are involved in:
- providing products or services to natural persons in China;
- conducting analysis or assessment activities of natural persons in China; or
- other circumstances provided for in laws or administrative regulations.
Article 52
South African businesses conducting business as mentioned in Article 3 above, will be required to establish a dedicated entity or appoint a representative in China who will be responsible for matters related to the handling of such personal information. South African businesses will need to provide the information of the established entity or appointed representative to the Chinese departments fulfilling personal information protection duties and responsibilities.
Processes regarding the relevant entity / individual that needs to be appointed are still unclear and we await further guidance hereon.
Article 38
When personal information handlers (responsible parties), situated in China, provide personal information outside the borders of China, for business or other required purposes, they will need to comply with one of the following:
- pass a security assessment organised by the ‘Chinese State Cybersecurity and Informatisation Department’;
- undergo personal information protection certification conducted by a specialised body according to provisions by the ‘Chinese State Cybersecurity and Informatisation Department’;
- conclude an agreement with a foreign receiving party, agreeing on both sides’ rights and obligations, and supervising their personal information handling activities to the satisfaction of the personal information protection standards provided in PIPL; or
- follow other conditions provided in laws or administrative regulations or by the ‘Chinese State Cybersecurity and Informatisation Department’.
Article 40
Critical information infrastructure (CII) operators and personal information handlers (responsible parties) situated in China, who handle personal information of Chinese data subjects, are required to store that personal information within China once its collection and production reaches a specific quantity. When this quantity threshold is reached, and the personal information is to be provided abroad, those responsible parties handling the personal information will need to pass a security assessment organised by the ‘Chinese State Cybersecurity and Informatisation Department’. However, where laws or administrative regulations and the regulations of the ‘Chinese State Cybersecurity and Informatisation Department’ indicate that the security assessment need not be conducted, then no such assessment is required.
In a recent webinar, the Centre for Chinese Law advised that the threshold is still unclear, and that these questions are expected to be answered over time.
IMPLICATIONS OF NON-COMPLIANCE
In terms of PIPL, Chinese departments fulfilling personal information protection duties and responsibilities will order correction or confiscate any unlawful income where personal information is handled in violation of PIPL or where personal information is handled without adopting the necessary security measures. In instances where correction from the department is ordered and in turn refused, a fine of not more than CN¥1 000 000 (currently converted to R2 341 000) will be imposed, and the directly responsible person / personnel in charge will be fined between CN¥10 000 – CN¥100 000 (currently converted to R23 410 – R234 100).
In instances where violations in the above circumstances are grave, the department may either impose a fine of not more than CN¥50 000 000 (currently converted to R116 615 000), or 5% of annual revenue (whether it is a local or global turnover is still unclear). The department may also order the suspension of related business activities, cessation of business for rectification, and report to the relevant competent department for cancellation of corresponding professional licenses or cancellation of business permits. Further, the directly responsible person / personnel in charge will be fined between CN¥100 000 – CN¥1 000 000 (currently converted to R234 100 – R2 341 000).
WHAT CAN SOUTH AFRICAN BUSINESSES DO TO ENSURE COMPLIANCE
As we await further clarity on the interpretation of certain PIPL provisions, South African businesses can, in the interim, do the following to prepare and ensure compliance:
- ensure that the business is compliant with POPIA and that an Information Officer is registered with the Information Regulator;
- engage with Chinese trading partners for guidance and advice, and gain interim insight on the practicality of the process on how to be PIPL compliant; and
- revisit and update any current trade contract terms between the business and Chinese trading partners, to ensure that all relevant POPIA and PIPL provisions are included.
South African businesses with Chinese trade relations are therefore encouraged to familiarise themselves with PIPL, and to ensure that they are compliant with all data privacy laws in both South Africa and China.
If you require NEASA to send you a soundbite, please contact our Communications Manager, Jeanne Boshoff.
MEDIA CONTACT
JEANNE BOSHOFF
NEASA MEDIA LIAISON
083 455 7298