On August 20, 2021, China adopted the Personal Information Protection Law of the People’s Republic of China (“PIPL”), its first comprehensive national data privacy law and one of the most sweeping and restrictive national privacy laws to date. Modeled largely on the GDPR and set to take effect on November 1, 2021, the PIPL regulates personal information handled both inside and outside of China. It also comes with harsh penalties for non-compliance and gives broad powers to China’s state authorities to enforce the law.
The PIPL is expected to significantly impact how companies (especially tech companies) do business in China. Aimed at protecting the personal information of natural persons in China, the law directly applies to the handling of personal information within China. But companies operating outside of China are also subject to the law if they handle personal information of people in China for the purpose of providing products or services to them, analyze or evaluate their activities, or fall under circumstances described in other laws or administrative regulations.
Without further ado, let’s quickly dive into some of the law’s major provisions:
The PIPL defines personal information to include, similar to the GDPR, “all kinds of information related to an identified or identifiable natural person, recorded electronically or by other means, excluding anonymized information.”
The handling of personal information includes “collection, storage, use, processing, transmission, provision, disclosure, or deletion of personal information.”
Under the PIPL, personal information should only be processed for a clear and reasonable purpose, to the smallest scope possible related to that purpose, and in a method with the least impact on personal rights. Personal information processing must also follow principles of openness and transparency, as well as rules of disclosure. These general principles largely mirror GDPR principles of fairness, transparency, and limitations on processing of personal data.
Personal information handlers (the PIPL equivalent of data controllers under the GDPR, i.e., the party that determines the purpose and method of processing) must obtain the individual’s consent to process personal information unless the processing falls under a specific listed exception. Those exceptions include performance of a contract or human resources management under lawful labor rules, statutory duties or obligations, public health emergencies or protection of life, health, or property in an emergency, news reporting and public opinion supervision in the public interest, processing of information the individual has already disclosed or that was otherwise lawfully disclosed, and other circumstances stipulated by laws and administrative regulations.
Separate consent from the individual must also be obtained for any cross-border transfer of personal information, in addition to the general consent for processing (for more on this, see the section below that discusses notification requirements).
These express consent requirements break from the GDPR, under which consent is only one of the six lawful bases for processing personal data under Article 6, and is only needed for international transfers as a derogation under Article 49 when none of the transfer mechanisms laid out in Chapter V of the GDPR (adequacy decisions or appropriate safeguards) is available.
Similar to the GDPR, the retention of personal information under the PIPL must be the shortest time necessary to achieve the purpose of processing. This time may vary depending on the data processed and any laws or regulations that specify specific periods.
Before processing personal information, personal information handlers must inform the data subject of the information being processed and the data subject’s rights concerning this information. For sensitive information, personal information handlers must also notify the data subject of the processing’s necessity.
Before providing personal information to a recipient outside of China, a personal information handler must inform the individual of the overseas recipient’s name and contact information, the processing purpose and method, the types of personal information being provided, and how the individual can exercise their PIPL rights against the overseas recipient. The personal information handler must also obtain the individual’s separate consent to the transfer after giving this notice.
Cross-border Transfer of Information
Before a handler can transfer personal information outside of China, it must first meet one of the following requirements:
- pass a security assessment organized by the Cyberspace Administration of China (“CAC”), the country’s central internet regulator;
- obtain a personal information protection certification from a professional institution in accordance with CAC provisions;
- conclude a contract with the overseas recipient, based on the standard contract formulated by the CAC, that stipulates the rights and obligations of both parties; or
- meet other conditions required by law, administrative regulations, or the CAC.
Further, personal information handlers must ensure that any personal information processing by overseas recipients meets PIPL standards.
Also, operators of “critical information infrastructure” and personal information handlers whose processing volume reaches a threshold that has not yet been specified (it will be prescribed by the national cybersecurity and informatization department, i.e., the CAC) must store personal information collected and generated within the territory of the People’s Republic of China inside China. Where such information genuinely needs to be provided abroad, it may not leave China unless it first passes a security assessment organized by the CAC, except where laws, administrative regulations, or the CAC provide otherwise.
Moreover, personal information handlers may not provide personal information stored in China to foreign judicial or law enforcement agencies without first receiving approval from a competent authority within the Chinese government. This requirement is likely to result in conflicts between Chinese authorities and non-Chinese courts, as well as plenty of judicial wrangling among litigants in lawsuits involving Chinese companies, since a foreign discovery order and the Chinese approval requirement can point in opposite directions.
Just like under the GDPR, individuals in China have various rights concerning their personal information. These include the right to: know and make decisions about the processing of their information, and to restrict or refuse it; consult and copy their personal information; request that their personal information be transferred to another handler they designate, subject to CAC conditions; request that personal information be corrected or supplemented; request deletion (in certain cases); withdraw consent; and request an explanation of the personal information processing rules of personal information handlers.
Obligations of personal information handlers
Personal information handlers must implement internal management systems, operating procedures, and security measures (such as classified management of personal information, encryption or de-identification, and access controls) to protect personal information. Handlers whose processing volume reaches the CAC-prescribed threshold must appoint a person in charge of personal information protection and publish that person’s contact details. Handlers outside of China that are subject to the law must establish a designated agency or appoint a representative within Chinese territory to handle personal information protection matters, and report that agency’s or representative’s details to the relevant department.
Personal information handlers must also regularly conduct compliance audits, as well as impact assessments before processing sensitive personal information, using personal information in automated decision-making, entrusting processing to another party, providing personal information to other handlers or disclosing it, or transferring personal information abroad. These impact assessment reports and processing records must be kept for at least 3 years.
If personal information has been or may have been leaked, tampered with, or lost, the personal information handler must immediately take remedial measures and notify both the departments performing personal information protection duties (the CAC and the relevant departments of the State Council and local governments) and the affected individuals. The notice must describe the cause, the types of information involved, the possible harm, the remedial measures taken, and what individuals can do to mitigate harm. Notification of individuals may be skipped if the remedial measures can effectively avoid harm, but the department may still require it.
Legal Liability and Penalties
The department performing personal information protection duties has the power to order corrections, give warnings, confiscate illegal gains, and order the suspension or cessation of services of apps that process personal information in violation of the law. Offenders who refuse to make corrections can be fined up to 1 million yuan, and directly responsible persons can be fined between 10,000 and 100,000 yuan.
For serious violations, fines can be issued for up to 50 million yuan or up to 5 percent of the handler’s previous year’s turnover. Furthermore, the department can order the suspension of the relevant business or operations for rectification, or notify the relevant competent authority to revoke a business permit or license. Directly responsible persons can be fined between 100,000 and 1 million yuan and barred for a period from serving as a director, supervisor, senior manager, or person in charge of personal information protection.
Moreover, foreign organizations or individuals that violate the personal information rights of Chinese citizens or harm China’s national security or public interests can be placed on a list published by the CAC, and the provision of personal information to them can be restricted or prohibited. In addition to everything else, violations will be recorded in the offender’s credit files under the social credit system and publicized.
Where the rights and interests of many individuals have been infringed, certain entities may file a public interest lawsuit in the people’s court. These entities include the people’s procuratorate, consumer organizations provided for by law, and organizations designated by the CAC.
Note that the law does not apply to natural persons handling personal information for personal or family affairs.
We have yet to see exactly how the PIPL will impact the way we conduct business generally, but it is on course to significantly affect companies large and small, both inside and outside of China. If you are doing business in China or with people in China, it may well be worth your while to proactively study up on the law, determine what type of impact it might have on your business, seek legal guidance as necessary, and prepare and implement PIPL-compliant policies and strategies to manage Chinese personal data processed within your organization. A bit of up-front planning can go a long way in giving peace of mind – not to mention helping to avoid costly legal or compliance concerns down the road.
Contact Zasio to explore the various software and consulting solutions we offer, to address your personal data and privacy needs.
Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.