China’s Personal Information Protection Law: things you need to know
China Data Protection Alert
Recently, China formally passed the Personal Information Protection Law (PIPL), the country's first comprehensive national-level personal data protection law. PIPL will take effect on November 1, 2021, leaving companies operating in China (and even certain foreign companies) little time to become fully compliant with the new personal data protection regime.
We have already covered the main aspects of the previous draft of PIPL (see here). In this article, we comment on the highlights of the law, focusing on the changes newly introduced in the final version compared to that second draft.
1. Scope of application
PIPL applies not only to personal data processing activities within the PRC but also to processing outside the PRC, provided that it concerns the personal data of Chinese residents and is carried out for the purposes of:
- Providing goods or services to the Chinese residents;
- Analyzing or evaluating the Chinese residents’ behavior; or
- Other circumstances under the laws and regulations.
Similar to the EU GDPR, PIPL requires offshore data processors that fall within its scope of application to establish a dedicated organization or appoint a representative to handle personal data protection affairs, and to report the details of that organization or representative to the Chinese authority.
Although it is not clear how the Chinese authorities would enforce PIPL against a foreign entity with no business presence in China, this extra-territorial reach gives the Chinese authorities a legal ground to restrict processing that concerns the data of Chinese residents.
2. Data categorization
According to the PIPL, “personal information” refers to any kind of information relating to an identified or identifiable natural person (whether electronically recorded or otherwise) but does not include anonymized data.
In addition, “sensitive personal information” refers to personal information which, once leaked or illegally used, can easily lead to infringement of human dignity or harm to the personal or property safety of a natural person, including (but not limited to) biometric data, health information, financial account information, location data and minors’ data (i.e. data of those aged 14 or below). PIPL imposes additional requirements on the processing of sensitive personal information.
3. Lawful processing ground
The final version of PIPL introduces a new lawful processing ground by expressly allowing employers to process employees’ personal information for the purpose of human resources management. However, such processing must be in accordance with the employer’s employment rules or a collective contract concluded according to law. To this end, it is important that employers strictly follow the requirements of Chinese labor laws and regulations when making their employment rules binding on employees.
In the meantime, the data subject’s consent remains an important lawful processing ground. PIPL further creates the concept of “separate consent”, which is required for the following types of processing:
- Processing sensitive personal information;
- Provision of personal information to another data processor for processing;
- Using personal images and identification information collected in public venues for purposes other than public security;
- Publicizing of personal information; and
- Cross border transfer of personal information.
The exact meaning of “separate consent” has not been defined in PIPL and will be subject to further clarification from the Chinese authority.
4. Processing criteria
Regarding the legal criteria for data processing, the following rules are worth mentioning:
- PIPL provides specific rules for the processing of personal information in different situations. In particular, it distinguishes between joint processing, entrusted processing and the provision of personal information to other processors, and imposes corresponding legal obligations on the data processors.
- PIPL specifically regulates the use of personal information for automated decision-making. Where automated decision-making methods are used to evaluate the economic or credit status of individuals, a security impact assessment must be conducted before use, and explanations and alternative solutions must be provided at the individual’s request. Where information push or commercial marketing is directed at individuals through automated decision-making methods, the data subjects must be offered options that are not targeted at their personal characteristics, or a convenient way to refuse.
- PIPL provides four methods for the cross-border transfer of personal information:
  - passing the security assessment conducted by the state cyberspace authority, i.e. the Cyberspace Administration of China (CAC);
  - obtaining a personal information protection certification from a professional institution in accordance with CAC regulations;
  - entering into a standard contract prescribed by CAC with the overseas receiving party to stipulate the rights and obligations of both parties; or
  - fulfilling the requirements stipulated in other laws or regulations, or in rules set by the state cyberspace authority.
At present, these four methods still lack practical details. The Chinese authorities may provide more information before PIPL formally takes effect.
5. Data portability
Compared with the previous draft, the final version of PIPL adds the right to data portability as a data subject’s right. This right enables data subjects to request the transfer of their personal data from one data processor to another. However, the ability to move data between data processors will be subject to conditions to be further specified by the Chinese authority.
6. Small data processor
Most of the legal obligations under PIPL are imposed on the personal information processor, i.e. the organization or individual that autonomously determines the purpose and method of processing in personal information processing activities. PIPL also empowers CAC to coordinate with the relevant departments to formulate special personal information protection rules and standards for “small personal information processors”. It is reasonable to anticipate that such “small personal information processors” will be subject to less strict rules and standards.
7. Legal liabilities
Last but not least, PIPL provides for significant legal penalties for violations. Where violations are “severe”, fines can reach CNY 50 million or 5% of annual revenue. The relevant authorities may also suspend the offending business activities, order all business activities to stop entirely, or revoke administrative or business licenses. Individuals responsible for “severe” violations may be fined between CNY 100,000 and CNY 1 million, and may also be prohibited from holding certain positions, including director, supervisor, senior manager or personal information protection officer, for a period of time.
With the enactment of PIPL, China has laid the foundation of its general legal regime for the protection of personal data. It is reasonable to expect that the data protection authorities (mainly the CAC and the Ministry of Public Security) will draft and publish further administrative regulations, rules and national standards to interpret the law. It has been made very clear that those supporting regulations, rules and standards will not only be generally applicable to all companies nationwide; there will also be regional and sectoral regulations and rules to be observed by firms in certain provinces or industries.
Companies will now have to start assessing the legal implications of PIPL, reviewing their existing contracts and internal policies and making the necessary adaptations to comply with the new law. In this regard, it is also important to understand that compliance with China’s new data protection regime will not be a one-off effort, since many questions still lack clear answers. Instead, it will most likely be continuous work, starting with the establishment of a compliance program based on the current laws and keeping it updated in line with the constant legal developments and best practice in this area. Garrigues will closely follow future developments in Chinese data protection and security laws and practice.