On Aug. 20, 2021, the Standing Committee of China’s National People’s Congress enacted China’s Personal Information Protection Law (PIPL)(Translation available here). Taking effect on November 1, 2021, the PIPL will serve as China’s first comprehensive privacy law.
The PIPL clarifies and consolidates obligations on processing of personal information at a national law level. Together with the Cybersecurity Law and the Data Security Law, the PIPL forms an over-arching framework to govern data protection, cybersecurity and data security in China. As with many laws in China, the PIPL is drafted as aspirational principles; additional guidelines will be published in the coming months covering the practical compliance steps organizations should take when building and maintaining their China data privacy programs.
While the PIPL resembles the European Union’s General Data Protection Regulation (GDPR), it includes certain substantive obligations that differ from the GDPR, and there are also obligations found in the GDPR that are not included in the PIPL. Given China’s unique status in the world, the PIPL is likely to be interpreted and enforced differently than the GDPR and other data privacy laws.
1. General concepts and key definitions
Like many privacy laws, the PIPL includes the general concepts of fairness, consent (with limited exemptions), openness/transparency, purpose limitation and data minimization.
Under the law, “personal information” is defined as any kind of information relating to an identified or identifiable natural person, either electronically or otherwise recorded, but excluding information that has been anonymized. “Anonymization” refers to the process by which personal information cannot be used to identify specific natural persons and the personal information cannot be restored after processing.
The PIPL defines “sensitive personal information” as personal information that, once leaked or illegally used, will easily lead to infringement of human dignity or harm to the personal or property safety of a natural person, including, but not limited to: (1) biometric data; (2) religion; (3) specific social status; (4) medical health information; (5) financial accounts; (6) tracking/location information; and (7) data of minors under age 14.
The PIPL uses the term “personal information processing entity” to refer to “organization or individual that independently determines the purposes and means for processing of personal information” (similar to the concept of the “data controller” under the GDPR) and “entrusted party” to refer to “data processor” under the GDPR.
2. Territorial scope
Similar to the GDPR, the PIPL has extra-territorial effect, and applies to (1) data processing activities within Mainland China; and (2) processing of Mainland China residents’ data outside of Mainland China:
- for the purposes of providing products or services to China residents;
- for analytics or evaluation of behavior of China residents; or
- for any other reasons as required by law or regulations.
The PIPL applies to both the public and private sectors.
Similar to the GDPR’s requirement for an EU representative, the PIPL requires offshore personal information processing entities subject to the PIPL to establish a “dedicated office” or appoint a “designated representative” in China for personal information protection purposes.
3. Lawful basis for processing
The PIPL requires organizations to have a lawful basis to process personal information. Unlike the GDPR, the PIPL does not include “legitimate interests” as a lawful basis for processing personal information. Instead, in addition to consent, the PIPL offers the following non-consent bases:
- Performance of a contract to which the individual is a party, or where necessary to conduct human resources management;
- Responding to a public health emergency, or in an emergency to protect the safety of individuals’ health and property;
- Performance of legal responsibilities or obligations;
- To a reasonable extent, for purposes of carrying out news reporting and media monitoring for public interests;
- Processing of personal information that is already disclosed by individuals or otherwise lawfully disclosed, within a reasonable scope; and
- Other circumstances as required by laws.
The definition of consent under the PIPL aligns with the consent requirements of the GDPR – i.e., it must be informed, freely given, demonstrated by a clear action of the individual, and may later be withdrawn. However, the PIPL requires a “separate consent” for certain processing activities, namely if a processing entity (1) shares personal information with other processing entities; (2) publicly discloses personal information; (3) processes sensitive personal information; or (4) transfers personal information overseas.
4. Personal information rights
The PIPL mostly mirrors the GDPR with respect to personal information rights, though it lacks more precise language addressing such rights, including where restrictions or exemptions may apply. In addition, the PIPL does not provide a specific timeline for responding to requests; it only requires processing entities to “timely” respond to them.
Under the PIPL, individuals have the following rights:
- Right to access and copy of data;
- Right to transfer (similar to the right to data portability);
- Right to correct or supplement;
- Right to deletion in certain circumstances;
- Right to limit or withdraw consent;
- Right to request details of processing (including for automated decision making) and of handling rules;
- Right to de-register an account;
- Rights to access, copy, correct or delete personal information of a deceased individual can be requested by a close relative for legitimate and proper interests.
The PIPL clarifies situations where data controllers can refuse to comply with certain data subject rights, and how to respond to/reject data subject requests.
Importantly, individuals have the right under the PIPL to bring lawsuits against processing entities if they reject the individuals’ requests to exercise their rights.
5. Data controller obligations
The PIPL creates a new designation of data controller called the Critical Information Infrastructure Operator (CIIO), which has certain obligations under the law. Chinese regulators are currently developing regulations and notifying companies whether they qualify as a CIIO.
Under the PIPL, organizations that are (1) important internet platform providers; (2) data controllers processing data of a “large volume of users”; or (3) complex businesses (terms have not yet been defined) must comply with the following measures when processing personal information:
- Set up personal information protection compliance mechanisms;
- Establish platform regulations;
- Establish and publish processing obligations and processing rules that regulate products and service providers in an open and fair manner;
- Set up external independent data protection organizations to supervise data protection mechanisms;
- Stop the provision of products or service providers if they violate the law or regulations as regards processing of personal information; and
- Publish social responsibility reports regarding the processing of personal information.
In addition, all data controllers have the following obligations:
- Disclosure to overseas authorities: Data controllers must not provide personal information stored within China to overseas legal or enforcement authorities unless they obtain approval from a designated Chinese authority. Chinese authorities may provide personal information stored within China to overseas legal or enforcement authorities upon request if there are international treaties or regulations in place.
- Disclosure to data processors or joint/independent data controllers. For other disclosures, data controllers must put in place a contract covering specified measures designed to safeguard the data.
- Minors’ data: Organizations processing minors’ personal information must establish specific information processing regulations.
- Accuracy: Data controllers must ensure that personal information is accurate and up to date.
- Retention: Data controllers must not retain personal information for longer than is needed for the purpose(s) for which the personal data is collected, unless required or permitted by applicable law. Once no longer needed, the data should be de-identified or deleted/destroyed.
- Automated decision making: Analytics or evaluation based on computer program around behavior, interests, hobbies, credit information, health or decision making activities, must be transparent, open and fair, and should not discriminate between individuals.
6. Data processor obligations
The PIPL specifies that any organisation that is appointed as a data processor must act in accordance with the PIPL. In addition, the PIPL specifically requires data processors to do the following:
- Adopt necessary data security measures to protect the safety of personal information;
- Assist data controllers to comply with obligations of this PIPL;
- Process data only as requested by data controller unless with concept;
- Return or delete data upon completion of the data processing; and
- Put in place a contract with the data controller.
7. Cross-border transfer of personal information
Regarding the cross-border transfer of personal information, a processing entity that plans to transfer personal information to entities outside of mainland China is required to (1) provide individuals with certain specific information about the transfers and obtaining separate consent; (2) adopt necessary measures to ensure that the overseas recipients can provide the same level of protection as required under the PIPL (including, among others, the Chinese version of standard contractual clauses, which are not yet available); and (3) carry out a personal information protection impact assessment (see below). In addition, certain entities that process a large amount of personal information are required to store personal information locally and must pass a security assessment administered by the Cyberspace Administration of China (CAC) before transferring the information overseas. One should note that the regulations around cross-border transfers are still evolving.
In addition, the following categories of data must remain in mainland China:
- Personal information processed by CIIO’s, unless a CAC-conducted security assessment has been completed
- Personal information processed by data controllers above a threshold/volume to be identified by the CAC (not yet published), unless a CAC-conducted security assessment has been completed
- Certain data under industry-specific regulations
- Certain restricted data categories (such as “state secrets”, some “important data”, geolocation and online mapping data etc.)
8. Governance obligations
Organizations processing data must put in place the following:
- Internal governance policies and procedures: Organizations must establish internal management regulations or standards.
- Compliance audits: Organizations must conduct compliance audits on a regular basis.
- Training: Organizations must provide data privacy training to employees.
- Data classification and management mechanisms: Organizations must implement data classification and management mechanisms.
9. Security and confidentiality
Organizations must also put in place the following security measures:
- Personal information must be kept confidential, and security measures must be deployed, as prescribed by China’s Cybersecurity Law and Data Security Law and their underlying measures, guidelines and technical standards.
- Additional safeguards must be applied for sensitive personal information and processing by organizations handling large amounts of data.
- Data controllers must adopt corresponding encryption or deidentification technologies, and adopt access controls and training.
10. Personal information protection impact assessment
The PIPL requires personal information processing entities to carry out personal information protection impact assessments (PIAAs) for the following processing activities:
- Processing of sensitive personal information;
- Processing of personal information for automated decision making;
- Appointing data processor to process data;
- Providing personal information to other data controllers;
- Disclosing personal information to the public;
- Transferring personal information overseas;
- Conducting processing activities that may have a significant impact on an individual’s interest.
Unlike the GDPR, under the PIPL, there is no obligation to consult a regulator in the event that an organization concludes – after completing such an assessment – that it cannot remediate certain residual risks identified.
Organizations must keep all PIIA and processing records for at least three years.
11. Incident management
Organizations must implement and test a data incident contingency plan and take immediate remedial action in the event of any suspected or actual data disclosure, loss or tampering. If an incident occurs, they must provide immediate notification internally (to the DPO) and externally (to the regulator). Such notification should include (1) affected data categories; (2) reasons for the incident, and potential consequences; (3) remedial measures, and mechanisms required by data controller to minimize impact; and (4) contact information for the data controller.
If the data controller can effectively avoid the disclosure, loss or tampering of data, there is no need to notify data subjects. Otherwise, data subjects may also need to be notified under other laws and regulations within the data protection framework.
12. Enforcement
The PIPL provides a range of enforcement options, including:
- Enforcement notices and warnings;
- Criminal sanctions (corporate/individual);
- Civil claims from affected individuals/class actions;
- Operational sanctions (including credit score loss, blocking of systems and suspension of services);
- Breach of contract claims; or
- Fines up to 50 million RMB or 5% of an organization’s annual revenue for the prior financial year and confiscation of unlawful income. The PIPL does not specify whether the annual revenue refers to revenue generated in China or worldwide.
13. Next steps
If you do business in mainland China or collect personal information from individuals there, you should take the following actions:
- Assess your data handling practices in China
- Map Chinese data
- Develop data governance program
- Consider the impact of data localization and other restrictions
- Update privacy notices/consents
- Implement governance measures to safeguard regulated data
- Designate and register responsible officers (DPO/cyber and now data security as well
- Conduct regular important data risk assessments (and report)
- Align security to local China standards
- Conduct regular data security training
- Formulate/update internal guidelines for different data processing and transfer activities
- Data classification ( in anticipation of DSL tiered data scheme
- Cross-border data transfer
- Data breach notification
- DPIAs
- Overseas government data requests
- Update DPAs (but await SCCs)
- Monitor developments
- DSL and PIPL implementing guidelines
- “Important data” guidance (for specific industries automotive already published)
- CIIO indications
- CSL guidelines. (e.g. data localisation)