On 20 August 2021, the Standing Committee of the National People’s Congress passed the Personal Information Protection Law (PIPL). With the PIPL, China is stepping into a more robust and comprehensive personal information protection regime by establishing a unified, cross-sector legislation, as the EU does with the General Data Protection Regulation (GDPR).
The PIPL establishes a regime similar to the GDPR, but imposes stricter requirements in some areas. For instance, the PIPL requires disclosure of more details to individuals for processing sensitive personal information. And for cross-border provision of personal information, the PIPL requires disclosure of every foreign recipient’s name and contact details, and separate consent from the individuals.
The PIPL mandates controllers to conduct security impact assessments under several scenarios. It imposes a data localisation requirement on operators of critical information infrastructure and controllers that process an over-the-threshold volume of personal information (the threshold will likely be one million personal information subjects). The PIPL also exerts more rigid control over cross-border data transfers.
Being GDPR-compliant does not warrant being PIPL-compliant. Companies are advised to take action as soon as practically feasible to ensure that their China-related privacy practices are compliant with the requirements prescribed under the PIPL, as the PIPL will take effect from 1 November 2021.
With the enactment of the PIPL, the Chinese legislature has promulgated all of the “three horse carriages” for data protection and cybersecurity regimes of the new age, namely: (1) the Cybersecurity Law, governing the construction, operation, maintenance, use and security of (cyber) networks in China; (2) the Data Security Law, principally dealing with data security, governance and trading, with a focus on data other than personal information; and (3) the PIPL, which regulates personal information and related matters. Cybersecurity, non-personally identifiable data and personal information will be regulated separately under these three principal laws.
The Cyberspace Administration of China (CAC) will be the regulatory authority in charge of the protection of personal information. To be compliant with the regulations, companies should:
-
- Develop a data governance framework and an in-house data compliance programme;
- Conduct data mapping and data inventory checks, system profiling, as well as security risk identification and profiling;
- Review and update existing privacy notices that apply to Chinese residents by measuring against the requirements (especially considering the heightened notification and consent requirements) under the PIPL;
- Develop and update internal policies, protocols, standard operating procedures, and response mechanisms regarding the protection of personal information including, among others, conducting security impact assessments and establishing a channel of responding to requests of personal information subjects;
- Review and prepare for data localisation to the extent applicable;
- Review and prepare for cross-border data transfers, restrictions and formalities; and
- Maintain and document appropriate contractual, technical, organisational and physical privacy and security measures for China, including the performance of due diligence of vendors, the management of vendor agreements, the monitoring of vendor compliance, and the administration of regular data privacy and security training for personnel.
AN OVERVIEW
What is regarded as personal information and sensitive personal information?
The PIPL defines personal information as all types of information, whether recorded in electronic or other formats, relating to an identified or identifiable natural person, excluding anonymised information. This definition is similar to the GDPR, but the GDPR does not define the term in relation to any particular format.
Personal information in the Chinese law context is intended to be defined and delineated in a rather broad fashion, and with such broad definition the exact scope of personal information would be dynamic, and depend greatly on the exact context of each case in question.
Chinese personal information protection rules do not make a distinction between business contact information and personal contact information, as some of the other jurisdictions may do. Therefore, business contact information that is collected and processed in a B2B context – e.g. a contact person’s name, position or title, business landline and telephone number, business email address – will unexceptionally fall into the parameters of the broadly delineated personal information under Chinese law.
Sensitive personal information is defined by the PIPL as personal information that, once divulged or illegally used, may easily cause harm to the dignity of natural persons or endanger personal or property safety.
What types of processing are regulated?
Similar to the GDPR, the PIPL defines “processing” as collection, storage, use, processing, transmission, provision, public disclosure, deletion and any operation that is performed on personal information. Under this broad definition, all types of processing throughout the lifecycle of personal information will be covered, and regulated.
How does the PIPL distinguish between controllers and processors?
The PIPL creates a distinction between controllers and processors, although it adopts different naming conventions for the same. Specifically, the PIPL establishes the term “personal information processor” (PIP) and defines it as an organisation or individual that independently determines the purposes and means of the processing of personal information in the course of personal information processing activities. This concept is akin to the controller in the GDPR.
The PIPL also establishes a concept similar to joint controllers under the GDPR. The PIPL adopts the term “entrusted person” and provides that a PIP may entrust a person to process personal information on its behalf, with the PIP still being responsible for compliance with the majority of personal information processing obligations under the PIPL. The concept is similar to the processor stipulated in the GDPR.
How does the PIPL apply extra-territoriality? Will foreign PIPs have to appoint a local representative in China?
The PIPL and other Chinese personal information protection rules aim to protect the personal information of natural persons residing in China.
Apart from the domestic jurisdiction, China is expanding the geographical scope of application of its personal information protection regime by making the PIPL apply to processing activities conducted outside of the PRC involving the personal information of Chinese residents, where the processing activities: (1) are for the purpose of offering products or services to individuals in China; (2) analyse and evaluate the behaviour of individuals in China; or (3) meet other circumstances provided under the laws or administrative regulations. These closely parallel the circumstances in which the GDPR provides that it has an extraterritorial effect.
A foreign PIP that is subject to extraterritorial application of the PIPL should establish a dedicated local organisation or representative in China, similar to the requirement in the GDPR, except that the requirement only applies to PIPs.
Who does the PIPL apply to?
The PIPL applies to all sectors, all types of organisations (including government agencies) and all processing activities except for: (1) processing of personal information by PRC government agencies when carrying out statistical or records or archive management activities, which may be governed by special sets of rules; and (2) the processing of personal information by an individual for personal or family reasons.
The level of obligations can differ among PIPs based on the volume of personal information that they process.
Operators of critical information infrastructure (CII) and PIPs that process personal information above a certain prescribed volume – likely to be one million personal information subjects – will be subject to heightened obligations, e.g. they are obligated to: (1) store in China personal information collected and generated in the PRC territory; and (2) pass a CAC-administered security assessment before such personal information can be exported overseas, unless the laws, administrative regulations and CAC rules otherwise provide that security assessment is not needed.
What rights may personal information subjects exercise?
The PIPL gives individuals a broad suite of rights pertaining to their personal information, as the GDPR does. In particular, the law would permit individuals to:
-
- Know about and decide on the processing of their personal information, including to restrict or refuse the processing of their personal information, unless otherwise provided by laws and administrative regulations;
- Access and make copies of their personal information, unless the processing is required by law to be kept confidential, or notification is otherwise not required;
- Request that a PIP transfer their personal information to another PIP designated by them (this is equivalent to the right of data portability provided under the GDPR);
- Request that a PIP update or supplement their personal information if it is inaccurate or incomplete;
- Request to withdraw consent with future effect, where personal information is processed based on their consent; and
- Request that a PIP provide an explanation of the rules governing the processing of their personal information.
Individuals may also request that their personal information be deleted where:
-
- The purposes of the processing have been achieved or cannot be achieved, or if such personal information is no longer required to achieve such purpose;
- The PIP has ceased to offer the products or services, or the retention period has expired;
- Individuals have withdrawn their consent and the processing is based on their consent;
- The PIP has processed personal information in violation of laws or administrative regulations, or in breach of their agreement (e.g. a privacy notice) with individuals; or
- Other circumstances provided by laws or administrative regulations apply.
If the retention period stipulated in law has not expired, or if it is technically impossible to delete the personal information concerned, the PIP should cease any unnecessary processing of personal information except for storage and adoption of necessary security protection measures.
The PIPL also provides any organisation or individual who may not be personal information subjects with the right to lodge a complaint with or report to Chinese personal information protection authorities in respect of an illegal personal information processing activity. The authorities must handle the case and inform the person who lodged the report of the outcome. This type of mechanism resembles the reporting or complaint mechanisms used in the EU.
In what circumstances is the appointment of a data protection officer (DPO) required?
PIPs that process an aggregate volume of personal information that surpasses certain thresholds have to designate a DPO. Also, all CII operators will have to designate a DPO. The DPO position under the PIPL is similar in scope to the DPO position under the GDPR, which also requires entities to designate a DPO if it meets certain conditions, such as processing special categories of personal information “on a large scale”.
Will GDPR-like sanctions be applicable to breaches of the PIPL?
Contravening the PIPL may result in regulatory and administrative fines, civil liability and criminal liability.
Regulatory and administrative penalties
Like the GDPR, the PIPL establishes fines for serious breaches that are measured in proportion to the yearly turnover of the institutional offender. For a severe violation of the law, or in the absence of required data security measures, authorities may impose a fine of up to the greater of: (1) RMB50 million (USD7.8 million); or (2) 5% of the offending entity’s annual turnover in the preceding year.
The leading officer directly in charge, or other directly responsible persons, may be subject to a fine of up to RMB1 million, and may further be prohibited to take on director, supervisor, senior management or DPO roles in the relevant company within a certain period.
Civil liability
Under the PIPL, where the processing of personal information infringes upon the rights and interests of individuals and causes harm, and the PIP cannot prove that it was not at fault, the PIP shall bear liability for the infringement, such as liability for damages. The liability for damages should be principally determined according to the loss suffered by the individual, or the gain obtained by the PIP as a result of the infringement. In civil proceedings, the burden of proof is shifted to the PIP in proving that it has no misconduct.
Criminal liability
Under the Criminal Code, a perpetrator who illegally sells or otherwise illegally provides personal information to third parties may be subject to fixed-term imprisonment of not more than three years, or criminal detention (or in a severe case, fixed-term imprisonment of not less than three years but not more than seven years) and/or penalty.
Business Law Digest is compiled with the assistance of Baker McKenzie. Readers should not act on this information without seeking professional legal advice. You can contact Baker McKenzie by e-mailing Howard Wu (Shanghai) at howard.wu@bakermckenzie.com
