China's new privacy law: Its impact on SA organisations
South African businesses with links to China need to be aware of the country’s recently passed Personal Information Protection Law (PIPL), which comes into force in November 2021.
By Peter Grealy, Cindy Liebowitz from Webber Wentzel. Alex Roberts from Linklaters (Shanghai)
South African Revenue Service statistics show that China is South Africa's main trading partner. In July 2021, imports from China to South Africa accounted for the majority of the country’s imports (19.4%), while exports to China from South Africa accounted for the majority of South Africa’s exports (12.6%).
In addition, Chinese investment into the South African economy has been steadily increasing over the years. Chinese organisations have injected funds into some of South Africa's key economic sectors such as energy and electricity and other infrastructure development initiatives. The relationship between the two countries is likely to be further strengthened in the immediate future following the China-South Africa Trade and Investment Roundtable that took place in China in July 2021.
China's laws and regulations are of significance to South African organisations that do business with organisations in and from China. Of particular importance is a new privacy law that has been passed in China, entitled the "Personal Information Protection Law" (PIPL). The PIPL will come into force on 1 November 2021. In many respects, the PIPL is similar to the EU's General Data Protection Regulation and South Africa's Protection of Personal Information Act (POPIA). However, the PIPL contains some unique features.
South African organisations that fall within the categories described below will need to consider the PIPL. We have included some key considerations (note that the list is not exhaustive).
- South African organisations that provide products or services to natural persons in China.
- South African organisations that analyse and evaluate the behaviour of natural persons in China.
- Potential need to establish a dedicated entity or designate a representative in China to be responsible for data protection matters.
- Provide China's data protection regulator(s) with the details of such entity or representative.
- South African organisations that receive personal information of natural persons from Chinese personal information handlers (the equivalent of a "responsible party" under POPIA).
- Enter into a standard data transfer agreement with the individual or organisation which is transferring the natural person's personal information from China.
- Ensure the transferor has completed a government security assessment or obtained a personal information protection certificate from a professional institution in China.
- Review the transferor's disclosures in its privacy notices and check that it has obtained all necessary consents.
- South African organisations that conduct certain business operations in China or have a presence in China.
- Critical information infrastructure (CII) operators* and organisations processing a certain (undetermined) volume of personal information must store such personal information in China.
- CII operators and organisations that trigger the threshold requirement above must undergo a government security assessment to transfer personal information from China.
- South African organisations that are counter-parties to contracts with CII operators may be contractually prohibited or restricted from certain actions involving personal information.
* It is unclear what type of companies will be classified as CII operators but they may include, for example, public communication and information service providers; military suppliers, etc.
South African organisations that engage in trade relations with China or form part of a Chinese group of companies or have other business ties with China should be mindful of the compliance requirements contained in the PIPL, in light of the impending 1 November 2021 compliance deadline.
Webber Wentzel and its alliance partner Linklaters have a number of expert data protection lawyers, both in South Africa and China, that are well-placed to give advice on these matters.