How China’s new privacy law will impact businesses in South Africa

In the case of South Africa-China ties, 2021 marks 23 years of diplomatic and economic relations between the two allies. As of July 2021, imports from China to South Africa accounted for 19.4% of South Africa’s imports, while exports to China from South Africa amounted to 12.6%.

From the above statistics it can be safely deduced that South Africa will seek to protect and maintain all trade relations it has with China, and considering South Africa’s current economic climate, it has become heavily reliant on trade with, and investment from China, for economic growth and development.

One of the latest developments regarding global data protection, is the implementation of the Protection of Personal Information Act (POPIA) in South Africa, and the passing of the Personal Information Protection Law (PIPL) in the People’s Republic of China.

Therefore, South African businesses who have trade relations with China, and who fail to comply with its data privacy laws, run the risk of dire financial implications.

PIPL was passed by the National People’s Congress on 20 August 2020 and is expected to come into force on 1 November 2021.

The purposes of PIPL are:
To protect personal information rights and interests
To standardise personal information handling activities
To safeguard the lawful, orderly, and free flow of personal information and
To stimulate the reasonable use of personal information.

China’s new data privacy law calls for all foreign businesses to become PIPL-compliant when handling personal information of Chinese data subjects. This may introduce more challenges to foreign businesses who will have to determine how to exercise their own domestic data privacy laws, while also complying with the provisions of PIPL, in the hope of maintaining any trade relations they may have with China.

The common purpose between POPIA and PIPL, is that both pieces of legislation aim to protect the personal information and rights of data subjects, highlights the importance of having justified legal grounds for the processing of personal information, and provides guidance on how to process said personal information.

The key difference between the two is that PIPL allows for the processing of information (through stringent provisions) of its data subjects beyond its borders, whereas POPIA allows for the processing of data within South Africa. Although Section 72 of POPIA makes provision for transfers of personal information of its data subjects outside of South Africa, the security around it is not as stringent as PIPL.

Implications of non-compliance
In terms of PIPL, Chinese departments fulfilling personal information protection duties and responsibilities, will order correction or confiscate any unlawful income, where personal information is handled in violation of PIPL or where personal information is handled without adopting the necessary security measures. In instances where correction from the department is ordered and in turn refused, a fine of not more than CN¥1 000 000 (currently converted to R2 341 000) will be imposed, and the directly responsible person / personnel in charge, will be fined between CN¥10 000 to ¥100 000 (currently converted to R23 410 to R234 100).