China’s New Data Privacy Law Triggers Legal Tech Response

The world has seen a raft of data privacy rules emerge in recent years, and now it’s China’s turn. Their new Personal Information Protection Law (PIPL) is strict and can result in fines of 5% of annual turnover. One law firm, Wilson Sonsini, and its legal tech division, SixFifty, have launched an expert system to help.

First, what is PIPL? Put simply it’s China’s version of the EU’s GDPR rules and comes into force 1 November. It affects data inside of China, but also where that data related to people there is processed outside of the country. Aside from fines, foreign companies – including law firms – could face some serious challenges if found to be ignoring the rules.

As another law firm, Morgan Lewis, noted in a recent update about PIPL: ‘Foreign organisations or individuals may be put on a ‘blacklist’ that would restrict or prohibit them from receiving personal information from China if they infringe the personal information rights and interests of Chinese citizens, or harm the national security or public interest of China.’ And that sounds open to some quite broad interpretations.

There are a lot of US, UK and EU, and APAC companies operating in China, often through local subsidiaries, and plenty of larger law firms have offices there also. Moreover, there is a debate about how this will impact Hong Kong. Technically, Hong Kong has its own set of data rules, but inevitably with such close economic ties there is a lot of potential for issues to emerge. And, a lot of foreign law firms have offices in Hong Kong as well.

So, potentially this is a big deal for anyone connected to doing business in China. Now, back to SixFifty, which has done a lot of work on legal automation tasks in the past.

The tech group, which is formed as a separate corporate entity, but ‘powered by Wilson Sonsini’, has made a solution that allows organisations to quickly draft customised responses in English and Chinese to comply with China’s new regulations.

The group stated that using their system ‘most organisations can complete the process in a few hours’, rather than spend $10,000s on a team of lawyers drawing up bespoke responses.

To do this it uses a form of expert system that asks companies a series of questions about their business and how they handle personal information from China.

Based on that information, SixFifty’s product drafts customised policies, contractual clauses, privacy notices, and impact assessments in English and Chinese that are required by the new law. SixFifty will then keep the documents up to date as the law evolves, they explained.

Kimball Dean Parker, CEO of SixFifty, said: ‘China’s new data privacy law will affect thousands of organisations in the United States. Most of those companies won’t have the money to use a law firm to help them figure it out. We wanted to give organisations of all sizes an easy and affordable way to generate the legal paperwork they need to comply.’

Data privacy rules have generated a lot of work for lawyers around the world, and for those who have clients with business in China this is a major development.

That law firms are now looking to expert systems to help makes a lot of sense, and we will no doubt see other law firms developing similar tools for their clients.

The other aspect here is the approach Wilson Sonsini/SixFifty is taking in terms of billables. They could have ignored the tech opportunity in the hope that the firm would bag a lot of new incoming work in this area. Instead they’ve made an automated solution that will help clients, but potentially not generate as much up-front revenue for them – unless some of those clients who use the tool then ask for additional and more complex advice.

More Info on PIPL

Here’s a couple of short briefs from two other law firms, the UK’s Bird & Bird and US-based Morgan Lewis.

Bird & Bird

‘Non-compliance with the PIPL may lead to administrative fines of up to 5% of the annual turnover or RMB50 million (approx. US$7.7 million) and persons directly responsible may also be subject to fines between RMB100,000 (approx. US$15,000) to 1 million (approx. US$154,000) and more significantly, such persons may be prohibited from assuming managerial positions in relevant organisations for a certain period.

Although there are still a number of question marks in relation to some key considerations as noted above, organisations should start to take implementation steps including updating their privacy policy and consent mechanisms for personal information processing, reviewing data processing agreements with third parties as well as adopting a set of comprehensive internal data compliance policies. In relation to organisations that operate outside of China, or may export personal information outside of China, it will also be important to assess the extra-territorial application of the PIPL and implement appropriate cross border data transfer mechanisms.’

Morgan Lewis


In addition to activities within China, the PIPL exerts certain exterritorial jurisdiction over data processing activities that happen outside China if the purpose is to provide products or services to individuals located in China, or to analyze or assess the behaviors of individuals located in China.

Overseas companies caught by the exterritorial jurisdiction of the PIPL should establish a dedicated entity or appoint a representative in China to handle matters in relation to the protection of personal information they collect, and to file the information of the entity or the representative with competent government authorities.

Foreign organizations or individuals may be put on a “blacklist” that would restrict or prohibit them from receiving personal information from China if they infringe the personal information rights and interests of Chinese citizens, or harm the national security or public interest of China.

Previously, exterritorial jurisdiction was only provided in draft regulations and national guidelines did not have a binding effect. For the first time, the PIPL explicitly specifies the broad reach of its purported exterritorial jurisdiction. The impact on foreign companies and overseas parent companies of Chinese subsidiaries that process personal information collected from the Chinese market will be significant, as the data collected in China will now be subject to the various personal information protection requirements under the PIPL.’

1 Trackback / Pingback

  1. Pressespiegel 14.9. | Future-Law

Comments are closed.