
China’s Personal Information Protection Law

  • Legal Development, 11 October 2021

China’s Personal Information Protection Law (“PIPL”) will come into effect on 1 November 2021. Together with the Cybersecurity Law (in effect since 1 June 2017) and the Data Security Law (in effect since 1 September 2021), the PIPL forms the third pillar of China’s comprehensive data protection and cybersecurity regime. This article highlights the key principles and obligations under the PIPL relating to the collection, processing and protection of personal information, which will affect businesses operating in, or doing business with, China.


The PIPL

The PIPL governs the processing of personal information within China and also has extra-territorial effect: it applies to the processing, outside China, of the personal information of natural persons located in China where the purpose of that processing is:

  1. the provision of products or services to natural persons in China
  2. the analysis/assessment of the behaviour of natural persons in China
  3. other circumstances as provided for by law and/or regulations.

The PIPL defines ‘personal information’ as “all information related to identified or identifiable natural persons” save for information which is anonymised.

The obligations imposed by the PIPL are upon the ‘personal information handler’ which is defined as “the organisations and/or individuals who independently determine the processing purpose and method in the processing of personal information”.

A. Basic Principles

The PIPL sets out the following Basic Principles for the processing of personal information:

  • Lawfulness, legitimacy, necessity and good faith: the processing of personal information must not be misleading, fraudulent or coercive, and must be limited to information which is necessary for the relevant purpose.
  • Clear and reasonable purpose: the processing must be directly related to a legitimate purpose, and the collection of personal information must be limited to the minimum necessary for that purpose.
  • Transparency: the rules, purpose, method and scope of the processing of personal information must be disclosed openly.
  • Accuracy: personal information which is collected and retained must be accurate, complete and kept up to date.
  • Security: personal information handlers must take all necessary measures to safeguard the security of the personal information they process.

B. Criteria for the processing of all personal information

The PIPL provides that at least one of the following conditions must be met before personal information may be processed:

  1. The clear and express consent of the relevant individual has been given.
    Such consent must be given on a fully informed and voluntary basis. Separate/individual consent (as opposed to “bulk” consent) is required in each of the following circumstances:
  • the provision of personal information to a third party
  • the processing of “sensitive” personal information
  • the publication of personal information processed
  • the use, for any purpose other than public security, of personal information (such as images or identity information) collected in public places for public security purposes
  • the transfer of personal information outside China

    Consent can be withdrawn at any time by the relevant individual, and the personal information handler is required to set up and provide a convenient mechanism for the withdrawal of such consent.

    In addition, a personal information handler cannot refuse to provide products/services on the grounds that the relevant individual has refused to give, or has withdrawn, consent, unless the processing of such information is necessary for the provision of those products/services.
  2. Processing is necessary for the conclusion or performance of a contract with the data subject, or for ‘Human Resources Management’ carried out under lawfully formulated labour rules (i.e. for an employer)
  3. Processing is necessary for the performance of statutory duties or for compliance with legal obligations
  4. Processing is necessary for dealing with public health emergencies, or for the protection of the life, health or property of natural persons
  5. Reasonable processing of personal information which has been made public by the individuals/data subjects themselves or through other lawful means
  6. Reasonable processing of personal information relating to matters which are in the public interest, such as news reporting and the “supervision” of public opinion
  7. Other circumstances as provided for by law/regulations.

C. Sensitive information

The PIPL affords “sensitive personal information” a higher level of protection, since such information, if leaked or used illegally, could easily cause serious harm to the dignity, person or property of natural persons. The types of information which fall within this category include:

  • biometrics
  • religious beliefs
  • specific identity/status
  • medical/health
  • financial accounts
  • whereabouts/location tracking
  • personal information relating to minors under 14

Separate consent (as opposed to “bulk” consent) is required before sensitive personal information can be processed. Furthermore, processing is permitted only where there is a specific purpose and sufficient necessity for it, and strict protective measures must be taken to safeguard the security of such information (which includes conducting a Personal Information Protection Impact Assessment beforehand). The relevant individuals must be informed of the necessity of processing such information and of how it affects their rights and interests.

D. Automated decision-making

Personal information handlers who use personal information for automated decision-making must ensure that:

  • the decision-making is transparent and its results are “fair and just”
  • individuals are not subjected to unreasonable differential treatment in respect of transaction prices and/or other transaction terms
  • where automated decision-making is used to push information or for direct marketing to individuals, options which are not tailored to the individual’s personal characteristics are offered at the same time, and there is a convenient mechanism for the individual to opt out.

E. Cross-border transfers of personal information

Under the PIPL, strict conditions must be met before personal information can be transferred outside China. The personal information handler must:

  1. obtain the individual/data subject’s separate informed consent;
  2. conduct a Personal Information Protection Impact Assessment and make/maintain records of the processing; and
  3. satisfy one of the following special conditions:
    • pass the security assessment organised by the Cyberspace Administration of China (“CAC”)
    • obtain personal information protection certification from a specialised agency recognised by the CAC
    • conclude a contract with the overseas recipient, based on the standard contract issued by the CAC, setting out the rights and obligations of both parties
    • comply with other conditions imposed by PRC law/regulations.

Furthermore, the PIPL provides that the approval of the competent PRC authority must be obtained before personal information stored in China can be provided to any overseas judicial or law enforcement authorities.

F. The governance and security of personal information

Personal information handlers are under strict obligations to safeguard and ensure the security and protection of personal information. Key duties include the following:

  • ensuring that internal management systems and technical measures are in place which protect personal information from unauthorised access, leakage, tampering and loss
  • the appointment of a Personal Information Protection Officer (“PIPO”) who is responsible for supervising compliance with the PIPL, where the volume of personal information processed reaches the threshold set by the CAC
  • where the PIPL applies to a handler outside China by virtue of its extra-territorial effect, the appointment of a representative or a dedicated office in China
  • compliance audits, which must be conducted on a regular basis
  • Personal Information Protection Impact Assessments, which must be undertaken before processing in the following stated circumstances:
    • where personal information is to be used for automated decision-making
    • where the processing involves sensitive personal information
    • where third parties are entrusted to process personal information, where personal information is provided to another handler, and/or where personal information is publicly disclosed
    • where there is a cross-border transfer of personal information
    • where the processing will otherwise have a significant effect on an individual/data subject’s rights and interests.

G. Mandatory reporting of data breaches

The PIPL requires a personal information handler, where a leakage, tampering or loss of personal information has occurred or may occur, to take remedial measures immediately and to notify the relevant authority. The affected individuals must also be notified, unless the handler’s measures can effectively prevent harm from the breach and the authority does not require notification.

The data breach notification must contain details of the following:

  • the categories of personal information which are the subject of the breach
  • the cause of the leakage, tampering, loss or illegal access
  • the harm which may result
  • the remedial measures which have been and will be taken by the handler
  • the measures which affected individuals can take to mitigate the harm
  • contact details of the personal information handler.

H. Rights of individuals/data subjects

Before processing personal information, a personal information handler must inform the data subject, truthfully, accurately and in clear and easily understood language, of:

  1. the name and contact information of the personal information handler
  2. the purpose and method of processing the relevant personal information, the categories of personal information processed and the period of retention
  3. the procedure by which the individual/data subject can exercise his/her rights under the PIPL.

Data subjects are also entitled to the following rights in respect of their personal information:

  4. subject to any laws/regulations to the contrary, to restrict or object to the processing of his/her personal information
  5. to access and/or copy the relevant personal information, and to have it transferred to another handler designated by the data subject where the conditions set by the CAC are met
  6. to correct or rectify the content of his/her personal information
  7. to request deletion of his/her personal information in certain given circumstances (for example, after withdrawal of consent or where the processing purpose has been achieved).

I. General breaches

The following orders may be made against a personal information handler for breach of the PIPL:

  1. rectification
  2. warning
  3. confiscation of any illegal gains
  4. suspension/termination of the application programmes which processed such personal information
  5. where the handler refuses to rectify, a fine of an amount not exceeding RMB1 million (USD154,856)
  6. responsible personnel may be subject to a fine of between RMB10,000 (USD1,548) and RMB100,000 (USD15,485).

J. Serious breaches

In the case of serious breaches, a fine of up to RMB50 million (USD7,742,815) or 5% of the handler’s previous year’s turnover may be ordered.

Entities/companies may also be subject to an order suspending the relevant business activities or closing the business, or to revocation of their business licence/permit.

Responsible personnel are subject to a fine of between RMB100,000 (USD15,485) and RMB1 million (USD154,856), and an order may be issued banning such individuals from holding directorships, supervisory or senior managerial positions, or from acting as a PIPO, for a stated period.

Conclusion

The PIPL is a significant piece of legislation with far-reaching effects, and there are clear parallels with the EU’s General Data Protection Regulation. Because it applies to data handling activities in China as well as, in certain stated circumstances, those outside China, it is critical that corporations take the necessary steps to prepare for 1 November 2021, when the PIPL comes into effect.


Stay up to date with Clyde & Co

Sign up to receive email updates straight to your inbox!