Very soon, organizations both inside and outside of China will receive a new set of rules around the collection, processing, and protection of personal information. On November 1, 2021, China's first comprehensive data protection law – the Personal Information Protection Law (PIPL) – will go into effect. Passed on August 20, 2021, by the National People's Congress (NPC), the PIPL is China's first law dedicated to defining and regulating the handling of personal information. The PIPL imposes a range of obligations and enforcement mechanisms for both organizations and individuals, potentially causing major implications for companies located in China that rely on data for their business operations.
Privacy rights under the PIPL were inspired by the EU's General Data Protection Regulation (GDPR), and the new law has often been regarded as China's version of the GDPR, despite their differences. In combination with the Cybersecurity Law (CSL) and the Data Security Law (DSL), the PIPL will complete China's foundational data governance legal regime, establishing the framework for managing data protection, cybersecurity, and data security in China.
At the time the PIPL was approved, organizations were given less than three months to prepare for and comply with this new law. With fines harsher than those under the GDPR, staying on top of compliance efforts is crucial. Below, we explore the key requirements of the PIPL so you can better understand how to achieve and remain compliant with this new law.
Background of the PIPL
In recent years, regulatory scrutiny of China’s technology sector has grown significantly, and several laws that govern the collection, storage, use, and transfer of data (e.g., the CSL and DSL) have been implemented. With the passing of the PIPL on August 20, 2021, China created its first comprehensive national law managing how organizations handle the personal information of individuals, ushering in a "new age of data compliance" for technology companies.
The PIPL aims to achieve four key objectives:
- To protect the rights and interests of individuals
- To regulate personal information processing activities
- To safeguard the lawful and “orderly flow” of data
- To facilitate the reasonable use of personal information
Although only minimal time was allotted between the law’s passing and the effective date, the PIPL's passing was not too unexpected. The first draft of the PIPL was submitted to the NPC on October 13, 2020, and was published and opened for public commentary a week later. China issued a second version of the draft PIPL on April 29, 2021, which remained open for public comments until May 28, 2021. Less than three months later, the PIPL was adopted and will become effective on November 1, 2021.
Overview of the PIPL
Before the PIPL was passed, China did not have a single piece of legislation regulating the protection of personal information. Instead, data protection in China was governed by various provisions found in other laws, including the Cybersecurity Law (2017), the Civil Code (2021), and the Data Security Law (2021). The PIPL fills this void by defining personal information and the obligations around it, mandating requirements for security controls, and increasing the penalties for violations.
The four main objectives of the PIPL can be found within the 74 provisions that are spread across its eight chapters:
- General Provisions
- Personal Information Handling Rules
- Rules on the Cross-Border Provision of Personal Information
- Individuals’ Rights in Personal Information Handling Activities
- Personal Information Handlers’ Duties
- Departments Fulfilling Personal Information Protection Duties and Responsibilities
- Legal Liability
- Supplemental Provisions
Highlights of the PIPL
The Personal Information Protection Law clarifies the rules for processing personal information, the obligations of data processors, and the rights for Chinese individuals.
Below is a summary of the key provisions of the Personal Information Protection Law.
The PIPL primarily regulates how personal information is handled within the borders of China, even if the entity conducting the data processing activities is located outside of the country. All data processing activities involving the personal information of individuals within China, including both citizens and residents, are subject to the PIPL. Therefore, regardless of whether the processing is conducted by Chinese companies or by multinational organizations, they will be subject to the PIPL so long as they are based in China.
The law also has extraterritorial applicability: it applies to data processing activities that take place outside of China involving the personal information of individuals located inside China's borders, but only under the following circumstances:
- The processing is for the purpose of providing goods/services to persons in China.
- The processing is for analyzing or assessing activities of persons in China (i.e., evaluating the behavior of individuals).
- Under circumstances prescribed by other laws and administrative regulations (unspecified in the PIPL).
Additionally, the PIPL will extend beyond the protection of Chinese individuals to include foreign nationals in China.
Under the PIPL, personal information refers to any information related to identified or identifiable natural persons, recorded by electronic or other means. While de-identified information is still considered personal information, anonymized data is not. The handling of personal information includes, but is not limited to, its collection, storage, use, processing, transmission, disclosure, and deletion.
Sensitive Personal Information
The PIPL imposes strict controls on the handling of sensitive personal information, which includes information such as race, ethnicity, religious beliefs, biometric information, medical health, financial accounts, individual location tracking, or other similar information. Organizations are only able to process sensitive personal information when necessary and for specific purposes. They must also obtain separate consent from the individual, as well as provide the individual with the reason for processing their sensitive personal information and how such processing could impact their personal interests.
Rights of Individuals
The PIPL further strengthens the protection of personal information by providing Chinese citizens with a number of rights regarding their data and how companies process it:
- Right to Know: Individuals have the right to know and make decisions about the processing of their personal information.
- Right to Access: Individuals have the right to request access to or a copy of their personal information from the personal information processor in a timely manner.
- Right to Rectification: An individual can request the correction of inaccurate or incomplete information, which is to be made in a timely manner.
- Right to Deletion: Personal information handlers shall delete the personal information of relevant individuals under the following circumstances: 1) the purpose of processing has been achieved or is no longer necessary to achieve the purpose of processing; 2) the personal information processor no longer provides the product or services, or the retention period has ended; 3) the individual withdraws their consent; 4) the personal information processor is in violation of laws, regulations, or agreements; or 5) any other circumstances stipulated by laws and administrative regulations.
- Right to Object: Individuals have the right to refuse the processing of their personal information.
- Right to Request: Individuals have the right to request that handlers explain their personal information processing rules.
- Right to Data Portability: Individuals have a right to data portability to a designated personal information processor if certain conditions determined by the Cyberspace Administration of China (CAC) are met.
- Right to Withdraw Consent: Individuals have a right to withdraw their consent, and personal information handlers must provide a convenient method for doing so.
- Right to Not Be Subjected to Automated Decision-Making: Personal information handlers must guarantee the transparency of decision making and the fairness and justice of processing when personal information is used to make automated decisions.
Legal Basis for Processing
With the passing of the PIPL, organizations are required to have a proper legal basis for the processing of an individual's personal information. Personal information can only be processed if an entity has a specific and reasonable purpose for doing so, the processing is directly related to that purpose, and only the minimum amount of data required to fulfill the purpose is collected. The PIPL does not provide "legitimate interests" as a legal basis for processing, which can be found in other regulations like the GDPR. Instead, the PIPL has extended the legal bases for processing personal information without consent to include processing that is necessary to perform legal responsibilities, to respond to a public health emergency, or to perform a contract to which the individual is a party, or where the personal information is already publicly available.
For the PIPL, consent must be informed, freely given, and capable of being revoked. The PIPL also requires "separate consent" for certain processing activities such as when sharing personal information with other processing entities, publicly disclosing personal information, processing sensitive personal information, or transferring personal information overseas.
Cross Border Transfers
As one of the most noteworthy provisions in the law, the PIPL sets strict requirements on cross-border transfers of personal information. The law will potentially limit such transfers of personal information outside of China, especially for data related to critical information infrastructure (CII) due to national security implications. In order to transfer personal information outside of China, three conditions need to be met:
- Obtain separate informed consent from the individual: An individual must provide "separate consent" after they have been informed about the identity of the overseas recipient, the contact information of the recipient, the purpose and method of processing, the types of their personal information that will be involved, and the ways they can exercise their rights against the recipient.
- Conduct a personal information protection impact assessment: Personal information processors must assess the impact of certain processing activities and keep a record of such processing for three years. The impact assessment should include the legitimacy, justifiability, and necessity of the purpose for collecting personal information, the method for transferring personal information outside of China, the impact and security risks on an individual's rights and interests, and whether the security measures taken are effective and appropriate.
- Satisfy at least one of four special conditions:
  - The passing of a security assessment conducted by the CAC.
  - A security certification for the protection of personal information is obtained.
  - An agreement with the overseas recipient is entered into in accordance with the standard contract set by the CAC (which is yet to be issued), defining each entity's rights and obligations.
  - The transfer is in accordance with other laws, administrative regulations, or conditions set by the CAC.
Data Processor Obligations
Most of the requirements and responsibilities found in the PIPL are imposed on personal information processors (i.e., data controllers under the GDPR). A personal information processor is any organization or individual that independently determines the purpose and means of processing of personal information. The processor is required to adopt the necessary measures to protect the personal information provided to them and must assist the data controller in complying with the obligations of the PIPL. Personal information processors are also tasked with developing internal policies, drafting emergency plans and procedures, adopting technical measures (such as encryption and de-identification), establishing internal classification rules on personal information, and providing regular training.
At this time, the PIPL does not establish an independent data protection authority. Instead, the law grants several departments and their local counterparts enforcement powers over personal information protection issues:
- The Cyberspace Administration of China: Responsible for the overall planning and coordination of personal information protection duties and related administrative and management work.
- Relevant departments of the State Council: Responsible for personal information protection, supervision, and management work within their respective scope of duties (e.g., the Ministry of Public Security, the People's Bank of China, the National Health Commission, etc.).
- Relevant departments of county-level and higher local governments: Responsible for performing personal information protection duties according to related regulations.
China has set severe penalties to enforce the PIPL. Organizations that violate the law can face fines of up to 5% of the previous year's annual revenue or CNY 50 million. Besides monetary fines, penalties can include warnings, the suspension of business operations, the cancellation of business certificates, rectification orders, the confiscation of illegal income, and the entry of the data controller into China's national social credit system.
Violations that are not remedied can result in a fine of up to CNY 1 million for the organization and a fine of CNY 10,000 – 100,000 for the responsible personnel. A "grave violation" (flagrant, intentional, or repeated violation) will incur a fine of CNY 100,000 – 1 million for the responsible personnel, and they will be prohibited from holding leadership positions within the company or personal information protection related roles in a different company for a certain period. With such high penalties and the potential for personal liability, China is striving for a strong deterrence on the misconduct of managers and business leaders.
China accounts for almost a fifth of the world's population, which means the PIPL's regulations will essentially affect one out of every five individuals. Due to its extensive reach, the PIPL will impact almost every business and cannot be ignored by companies operating globally. While uncertainties remain about the applicability of certain provisions in the PIPL, your company should take prompt action to comply with this new data protection law to avoid heavy penalties for non-compliance.