China’s first comprehensive law governing the protection and regulation of personal information takes effect on 1 November 2021. But unlike the major changes wrought by the introduction of the Data Security Law, the Personal Information Protection Law (PIPL) is expected to present fewer challenges for companies.
However, because there was already a relatively complete regulatory system in place governing personal information protection, regulators have extensive experience in enforcing those rules, regulations and industry standards – which makes it imperative that companies ensure compliance with the PIPL by November.
The PIPL marks a step-up in China’s personal information protection efforts, as companies adapt to better-structured but also stricter rules and guidelines. Here we take a look at several key issues in compliance with the new law.
Q: What is personal information?
A: The main consideration is in its personal identifiability. In practice, both direct identifiers, such as ID, health insurance number, bank card and address, and indirect identifiers, such as a licence plate, order number and browsing history, are considered personal information.
De-identification, such as privacy-preserving computing, does not necessarily earn an exemption from personal information regulation. While the PIPL provides that personal information does not include anonymised data, de-identified personal information may still fall under its regulatory scope. Also, whether the PIPL applies to aggregate data is a matter of judgment based on the specific business scenario; for example, where informed consent has been obtained, that would lend some legitimacy to the processing.
It is possible for personal information under the PIPL to overlap with key data under the Data Security Law. For example, in automotive data, where vehicle-tracking involves more than 100,000 users it simultaneously constitutes both key data and personal or sensitive personal information.
Q: How to attach legitimacy to personal information processing?
A: Informed consent remains the most fundamental basis of legitimacy in personal information processing. In practice, even when the processing of personal information is deemed essential for contract fulfilment or HR management, or is otherwise legitimate, obtaining informed consent is still critical for the company to enjoy the widest possible latitude.
It is common for personal information processing to be essential for contract fulfillment, but not all scenarios would be recognised by the regulators. For example, in e-commerce, a consumer’s order history and address are necessary personal information to complete sales contracts and for logistics. However, if the company wishes to further process such information for automated decision-making, data sharing or other purposes, it must obtain further consumer consent.
The need to process personal information for HR management does not mean the company is given carte blanche to handle such information without personal consent. For example, when maintaining attendance records with facial recognition or verifying sick leave, as facial identifiers and information on personal health or disease fall under sensitive personal information, obtaining personal consent cannot be exempted. In fact, preference ought to be given to securing separate consent. We advise companies to delicately weigh their approach to personal information for HR management by considering the type of information, the purpose of collection, and usage.
Q: How to identify sensitive personal information? What are the rules for authorisation?
A: Industry-specific law enforcement involving sensitive personal information is expected to be one of the key regulatory scenarios triggering the upper-tier penalty under the PIPL.
Sensitive personal information generally includes biometrics, medical and health information, financial accounts, whereabouts, and the personal information of minors. Companies should note that the level of sensitivity differs with the type of information.
To process sensitive personal information, companies should obtain separate personal consent. The exact method is a matter of judgment and selection based on industry characteristics, type of business, technical operability and other factors.
Q: Is cross-border transfer of personal information permitted?
A: For critical information infrastructure operators (CIIOs), and for companies whose processing of personal information reaches the volumes prescribed by the state cyberspace administration, such information should be stored within the PRC. Where outbound transfer is genuinely required, it will be subject to security assessment by the state cyberspace administration.
Cross-border transfer of personal information by non-CIIO companies is permitted as long as the company has obtained professional certification for personal information protection or adopts China’s standard contractual clauses. However, outbound transfer of sensitive personal information or a certain amount of data by non-CIIO companies will trigger a security assessment, filing for security review and other such obligations. It should be noted that regulators adopt a generally broad definition for “cross-border transfer”, including accessing data of domestic entities by overseas entities via cloud interfaces.
Q: What are the legal consequences of violating the PIPL?
A: Article 66 of the PIPL stipulates that violators will be ordered to make rectification or to suspend or terminate their operations, with all illegal gains confiscated. Failure to make rectification will prompt “dual penalties”, namely the company and the directly responsible persons will be fined a maximum of RMB1 million (USD150,000) and RMB100,000, respectively. In cases of serious violation, article 66 further provides that violators will be ordered to make rectification and fined a maximum of RMB50 million or 5% of the turnover of the previous year, in addition to possible suspension or termination of operations and revocation of business licences.
It is worth bearing in mind that a violation of the PIPL may trigger further penalties under the Data Security Law, the Banking Supervision Law, Biosecurity Law, Export Control Law, Administration Regulations on Human Genetic Resources and other relevant laws and regulations.
Michael Gu is a founding partner and Charles Xiang is an associate at AnJie Law Firm
19/F Tower D1, Liangmaqiao Diplomatic Office Building
19 Dongfang East Road
Beijing 100600, China
Tel: +86 10 8567 5988
Fax: +86 10 8567 5999