HOW CHINA’S NEW PRIVACY LAW WILL IMPACT BUSINESSES IN SOUTH AFRICA

The implementation of the Protection of Personal Information Act (POPIA) in South Africa and the passage of the Personal Information Protection Law (PIPL) in the People's Republic of China ('China') are two recent advancements in global data protection.

PIPL was passed by the National People’s Congress on 20 August 2020 and is expected to come into force on 01 November 2021.

The purposes of PIPL are:

a) to protect personal information rights and interests;

b) to standardise personal information handling activities;

c) to ensure the legitimate, orderly, and free flow of personal information; and

d) to encourage the reasonable use of personal information.

When managing the personal information of Chinese data subjects, China's new data privacy law requires all overseas enterprises to become PIPL-compliant. This may provide further issues for international organisations, who will have to figure out how to comply with their own domestic data privacy laws while simultaneously complying with the rules of PIPL in order to continue whatever economic contacts they may have with China.

POPIA and PIPL have the same goal in that both pieces of legislation strive to safeguard personal information and data subjects' rights, emphasize the significance of having justifiable legal reasons for processing personal information, and give direction on how to handle said personal information.

The main distinction between the two is that PIPL permits for the processing of information about its data subjects beyond its boundaries (through rigorous requirements), whilst POPIA only allows for data processing inside South Africa. Although Section 72 of the POPIA allows for the transmission of personal information of data subjects outside of South Africa, the security surrounding it is less strict than that of the PIPL.

WHAT CAN SOUTH AFRICAN BUSINESSES DO TO ENSURE COMPLIANCE

• While we await more clarification on the meaning of some PIPL rules, South African firms may do the following to prepare for and maintain compliance in the meantime:
• Ensure that the business is POPIA compliant and that an Information Officer is registered with the Information Regulator; 
• •Engage with Chinese trading partners for guidance and advice, as well as to gain interim insight into the practicality of the process of becoming PIPL complaint; and 
• Revisit and update any current trade contract terms between the business and Chinese trading partners, to ensure that all relevant POPIA and PIPL provisions are included.

South African enterprises having Chinese commercial contacts are thus advised to become acquainted with PIPL and to guarantee compliance with all data privacy rules in both South Africa and China.

“Chanté du Preez is an Assistant Policy Advisor at the National Employers' Association of South Africa (NEASA).”