China’s Personal Information Protection Law (“PIPL”) will come into effect on 1 November 2021. The PIPL, the Cybersecurity Law and the Data Security Law (which came into effect on 1 June 2017 and 1 September 2021 respectively) collectively form a three-pillar framework for China’s comprehensive data protection and cybersecurity regime. This article highlights the key principles and obligations in relation to the collection, processing and protection of personal data under the PIPL which will impact businesses operating in or doing business with China.
The PIPL
The PIPL governs not only the processing of personal information within China but also has extra-territorial effect in the following circumstances:
Where the purpose of the processing of personal information outside China is for:
the provision of products and services to natural persons in China
the analysis/assessment of the behaviour of natural persons in China
other circumstances as provided for by law and/or regulations.
The PIPL defines ‘personal information’ as “all information related to identified or identifiable natural persons” save for information which is anonymised.
The obligations imposed by the PIPL are upon the ‘personal information handler’ which is defined as “the organisations and/or individuals who independently determine the processing purpose and method in the processing of personal information”.
A. Basic Principles
The PIPL refers to the following Basic Principles in the processing of personal information:
The principle of lawfulness, legitimacy, necessity and good faith: the processing of personal information must not be misleading, fraudulent or coercive. Furthermore, it is restricted to information which is necessary for the relevant purpose
Clear and reasonable purpose: the processing of information must be directly related to a legitimate purpose and the collection of such information must be restricted to all that is necessary for that purpose
Transparency is required in terms of the rules, purpose, method and scope in the processing of personal information
Accuracy – the collection and retention of information must be accurate, complete and kept up to date
Security – personal information handlers must ensure and take all necessary steps to safeguard the security of all personal information processed by them.
B. Criteria for the processing of all personal information
The PIPL provides that the following conditions must be complied with before personal information may be processed:
The clear express consent of the relevant individual must be given.
Such consent must be given on a fully informed and voluntary basis. Separate/individual consent (as opposed to “bulk” consent) is required in each of the following circumstances:
the provision of personal information to a third party
the processing of “sensitive” personal information
the publication of personal information processed
the use of personal information which has been collected for reasons of public security
the transfer of personal information outside China
Consent can be withdrawn at any time by the relevant individual and the personal information handler is required to set up and provide a convenient mechanism for the withdrawal of such consent.
In addition, a personal information handler cannot refuse to provide products/services on the grounds that the relevant individual has refused to give his/her consent or has withdrawn the same unless the processing of such information is necessary for the provision of products/services.
Processing is necessary for the conclusion or performance of a contract with the data subject or for ‘Human Resources Management’ (i.e. for an employer)
Processing is necessary for the performance of statutory duties or for compliance with legal obligations
Processing is necessary for dealing with public health emergencies or for the protection of life or property of natural persons
Reasonable processing of personal information which has been made public by the individuals/data subjects themselves or through other legal means
Reasonable processing of personal information relating to matters which are in the public interest such as news reporting and the “supervision” of public opinion
Other circumstances as provided for by law/regulations.
C. Sensitive information
The PIPL affords “sensitive personal information” a higher level of protection since such information, if leaked or used illegally, would cause serious harm to persons/property. The types of information which fall within this category include:
biometrics
religious beliefs
specific designated status
medical/health
financial
personal information relating to minors under 14
Separate consent (as opposed to “bulk” consent) is required before sensitive personal information can be processed. Furthermore, there must be a specific, necessary and legitimate purpose for which processing of the same is necessary. Protective measures to safeguard the security of such information must be taken (which may require conducting a Personal Information Protection Impact Assessment). The relevant individuals must be informed of the necessity for processing such information and how this affects their rights or interests.
D. Automated decision-making
Personal information handlers who use personal information for automated decision-making must ensure that:
the transparency and results of such automated decision-making are “fair and just”
no unreasonable or differential treatment is afforded to individuals in respect of pricing and/or contractual terms
where automated decision-making is used in direct marketing with individuals, the personal information handler must provide options which are not tailored to the relevant individual’s personal characteristics and there must be a convenient mechanism to opt to refuse.
E. Cross-border transfers of personal information
Under the PIPL, strict conditions must be met before transfer of personal information can be effected outside China. The personal information handler must:
obtain the individual/data subject’s separate informed consent;
conduct a Personal Information Protection Impact Assessment and make/maintain records
comply with one or more of the following special conditions:
pass the relevant security assessment laid down by the Cyberspace Administration of China
obtain the relevant certification from a specialised agency
conclude the relevant contract with the recipient party outside China
comply with other conditions imposed by PRC law/regulations.
Furthermore, the PIPL provides that the express approval of the competent PRC authority must be obtained before personal information stored in China can be transferred to any overseas judicial authorities or agencies.
F. The governance and security of personal information
Personal information handlers are under strict obligations to safeguard and ensure the security and protection of personal information. Key duties include the following:
ensuring that a system is in place which protects personal information from unauthorized access, leakage and loss
the appointment of a Personal Information Protection Officer (“PIPO”) who will be accountable and responsible for the supervision of matters and obligations under the PIPL
where the PIPL has extra-territorial effect, a representative/a designated office in China must be appointed
compliance audits are required to be conducted on a regular basis
Personal Information Protection Impact Assessments must be undertaken before the processing of personal information in certain stated circumstances:
where personal information is to be used for automated decision-making
where the processing involves sensitive personal information
where third party providers are instructed to process personal information and/or where there is public disclosure of personal information
where there is cross-border transfer of personal information
where processing personal information will have a significant effect on an individual/data subject’s rights.
G. Mandatory reporting of data breaches
The PIPL imposes immediate mandatory reporting of data breaches to the relevant authority on a personal information handler. In certain circumstances, the affected individuals may need to be informed.
The data breach notification must contain details of the following:
the type of personal information which is subject of the data breach
the reason/cause of the leakage, loss or illegal access
the damage sustained
remedial measures which have been and will be taken
mitigation measures
contact details of the personal information handler.
H. Rights of individuals/data subjects
Data subjects are entitled to the following before their personal information handlers can process their personal information:
details of the name and contact information of the personal information handler
details of the purpose/method of processing the relevant personal information and period of retention
details of the procedure by which that individual/data subject can exercise his/her rights under the PIPL
subject to any laws/regulations to the contrary, to restrict/object to the processing of his/her personal information
to access and/or copy the relevant personal information
to correct or rectify the content of his/her personal information
to request deletion of his/her personal information in certain given circumstances (for example, after withdrawal of consent).
I. General breaches
The following orders may be made against an individual for breach of the PIPL:
rectification
warning
confiscation in respect of any illegal gains
suspension/termination of the application programmes which processed such personal information
fine of an amount not exceeding RMB1 million (USD154,856)
responsible personnel may be subject to a fine of between RMB10,000 (USD1,548) and RMB100,000 (USD15,485).
J. Serious breaches
In the case of severe breaches, a fine of up to RMB50 million (USD7,742,815) or 5% of the previous year’s business revenue can be ordered.
Entities/companies may be subject to an order of suspension of activities/closure of business or revocation of their business licence/permit.
Responsible personnel are subject to a fine of between RMB100,000 (USD15,485) and RMB1 million (USD154,856); an order can be issued banning such individuals from holding directorships, supervisory or senior managerial positions, or from acting as a PIPO, for a stated period.
Conclusion
The PIPL is a significant piece of legislation with far reaching effects. There are parallels to the EU’s General Data Protection Regulation. Due to the fact that it applies to data handling activities in China as well as those outside China (in certain stated circumstances), it is critical that corporations take the necessary steps to prepare for 1 November 2021 when the PIPL comes into effect.