To print this article, all you need is to be registered or login on Mondaq.com.
China recently introduced a new data protection legislation that
has significant impact for foreign businesses with operations in or
sales to China, such as web shop businesses domiciled in the
Nordics or Baltics selling products to customers based in
The long-awaited Personal Information Protection Law (the
“PIPL”) took effect on 1 November 2021 and is together
with the Cyber Security Law and the Data Security Law providing a
more comprehensive cyberspace governance and data protection in
In this article, we analyze what impact there will be from the
PIPL to Nordic and Baltic web shops conducting sales activities to
customers in China through their own websites operated in
1. Scope of “Personal Information” and “Sensitive
PIPL to a large extent mirrors the language in EU’s General
Data Protection Regulation (GDPR) in relation to the definition of
personal information. The fairly broad definition covers all kinds
of information relating to identified or identifiable natural
persons recorded by either electronic means or in other forms.
During the ordinary course of business, a Nordic/Baltic web shop
will collect and process its customers’ personal information,
for instance name, gender, address, email, preferences,
identification number, etc. Such information is considered personal
information under the PIPL.
In the PIPL, for the first time, China introduces a concept of
“sensitive personal information”, which refers to
personal information that is likely to infringe the dignity of a
natural person or result in harm to his/her personal safety and
property security if it is disclosed or illegally used. Biometric
identification information, religious beliefs, medical health
information and financial accounts are all deemed as sensitive
As a natural part of engaging with customers Nordic/Baltic web
shops are likely to collect sensitive personal information during
the transaction process, such as identification number, bank
account information and so on.
2. Scope of Application
The PIPL adopts the concept of “personal information
processor” which means to cover organizations and individuals
that independently determine the processing purpose and method in
personal information processing.
In addition to the processing of personal information within
China, the PIPL also applies to such processing outside China where
it is for the purpose of providing products and services to natural
persons in China, such as Nordic/Baltic web shops selling products
from overseas to customers located in China.
For that reason, Nordic/Baltic web shops selling into China must
3. Legal Basis of Processing – Consent
One of the welcoming changes introduced by the PIPL is a broad
and expanded legal basis of personal information processing, which
is quite similar to the GDPR.
The processing of personal information must satisfy the
processing conditions provided for in the PIPL:
§ Clear consent
For a Nordic/Baltic web shop, the most critical issue is to
obtain consent from natural person customers.
Consent must be a clear and voluntary declaration of intent as a
prerequisite to the full knowledge of the natural persons. A bundle
of consent covering all the processing purpose is also not allowed
while the processor is required to obtain a separate consent under
For a Nordic/Baltic web shop to sell products to Chinese
customers, the following separate consents will be necessary: (a)
processing sensitive personal information, and (b) providing
personal information to a third party (such as banks and courier
As such a Nordic/Baltic must set up a special consent gathering
process for Chinese customers or align its general consent
gathering process to the requirements set out in the PIPL.
§ Limited to smallest scope
The collection of personal information must be limited to the
smallest scope necessary for achieving the purpose of processing,
and personal information cannot be collected excessively.
For a Nordic/Baltic web shop, it is permitted to collect
necessary information from the customers for the ordinary business
purpose such as delivery and marketing purpose; however, if the web
shop asks for excessive information unrelated to its sales business
(e.g. family members’ information, social media account, etc.),
it will be caught as a breach of the PIPL.
4. Cross-border data transfer
Cross-border transfer of personal information can only be made
for legitimate and solid reasons (e.g. business needs).
A number of compliance conditions much be met in relation to the
cross-border data transfer, including that the transferor:
§ is obligated to take the necessary measures to ensure
that such processing activities satisfy the legally required
§ must pass the security assessment by the authority
§ must obtain person information protection certification
issued by a qualified organization
§ must enter into a contract with the overseas
as well as comply with other conditions stipulated by the
authorities from time to time.
Further, as written under Section 3 above, a separate consent on
the cross-border transfer must be obtained by the processors before
the transfer. In such situation the consent requirement is enhanced
to include more details about the transfer, such as (i) name and
contact information of the overseas recipient, (ii) purpose of
processing, (iii) processing methods, etc.
In terms of a Nordic/Baltic web shop processing a large volume
of personal information, it should store the data collected and
generated within China, however the threshold for this has not yet
been clarified. In such case, any transfer of the personal
information to its off-shore entity will trigger the cross-border
transfer and the relevant conditions and compliance requirements
must be met.
If the Nordic/Baltic web shop is running a smaller size of
business, strictly speaking, it may still be caught by the
cross-border transfer regime, however, under the current rules and
in practice, the compliance conditions as described under the first
paragraph of this section may not be necessarily implemented as
long as a clear and concise consent is obtained.
Cross-border data transfer is always a matter of essence in the
data protection regime, and details in this regard are yet to be
specified by future regulations.
5. Compliance Requirements
The PIPL requires offshore “personal information processing
entities” subject to the PIPL to establish a “dedicated
office” or appoint a “designated representative” in
China for personal information protection purpose.
That is to say, if a Nordic/Baltic web shop does not have any
business presence in China now, but is selling products to Chinese
customers, the web shop is required to have an office or a
representative located in China to be responsible for data
In addition, for a Nordic/Baltic web shop having huge number of
users in China, there are extra compliance requirements to be
complied with, including but not limited to:
§ having data stored within China and transferring such
personal information out of China subject to a series of
§ formulating platform rules according to the principles of
openness, fairness and impartiality, and clarifying the standards
for personal information processing by the web shop
§ regularly publishing report on social responsibility for
personal information protection and accepting social supervision.
The definition of “huge number of users” has not been
clarified in the PIPL and is awaiting further clarification.
6. Our take
The PIPL reshapes the handling of personal information in China
and marks that protection of personal information is “there to
stay” in China.
Consideration and understanding of the scope and application of
the PIPL is an ongoing process, and we expect there will be more
details and clarity coming out from future regulations.
For now, for a Nordic/Baltic webshop selling products to Chinese
customers, it is time to set up proper internal
risk-control/compliance measures and policies to fulfill the
regulatory requirements set out in the PIPL, including how you
gather consent from Chinese consumers. Internal compliance due
diligence and training to staff may also be considered.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.