China’s Personal Information Protection Law - What do you need to know?
Locations
The PIPL has eight chapters and 74 provisions. Chapter one is General Provisions and includes Article 1-12. Chapter two is Personal Information Processing Rules and includes Articles 13-37. Chapter three is Personal Information Cross-Border Transferring Rules and includes Articles 38-43. Chapter four is Data Subject’s Rights in Personal Data Processing Activities and includes Articles 44-50. Chapter five is Obligations of Personal Data Processors and includes Articles 51-59. Chapter six is Authorities Performing Personal Information Protection Duties and includes Articles 60-65. Chapter seven is Legal Liability and includes Articles 66-71. Chapter eight is Supplementary Provisions and includes Articles 72-74. In general, the PIPL has been closely influenced by General Data Protection Regulation (“GDPR”).
Before discussing the key issues, one thing needs to be clarified. The PIPL does differentiate controller and processor. However, it uses different terms comparing to the GDPR. Under the PIPL, data processors are similar to controllers under the GDPR, while trustees under the PIPL are similar to processor under the GDPR.
This article will focus on the following key issues:
The Scope
Article 3 of the PIPL lays down the scope of this law. According to Article 3, the PIPL applies to:
(1) the processing activities (of personal information) in China;
(2) the processing activities (of personal information) outside China if any of the following conditions is fulfilled: (a) for the purpose of providing products or services to natural persons in China; (b) analysing and evaluating the behavior of natural persons in China; (c) Other circumstances stipulated by laws and administrative regulations.
Comparing to the GDPR, the PIPL focuses on the location of the processing activities rather the presence/establishment of the entity. In regard to extraterritorial jurisdiction, the PIPL has similar rules compared to those under the GDPR. It is not very common that Chinese laws have extraterritorial jurisdiction. For example, Cybersecurity Law does not have extraterritorial jurisdiction. However, both Data Security Law and the PIPL have extraterritorial jurisdiction. According to Article 3 of the PIPL, an overseas company processing personal data outside China will be subject to the PIPL if it sells goods or provides services to persons in China or analyses behavior of a person in China. These conditions are similar to Article 3 of the GDPR.
Personal Information
According to Article 4 of the PIPL, personal information refers to all kinds of information related to an identified or identifiable natural person recorded electronically or otherwise. Like the GDPR, personal information under the PIPL does not include anonymized information.
According to Article 28, sensitive personal information refers to personal information that, once leaked or illegally used, is likely to infringe the human dignity of natural persons or endanger the personal and property safety, including biometrics, religious beliefs, specific identity, medical health, financial accounts, whereabouts and other information, as well as the personal information of minors under the age of 14. Under the PIPL, therefore, all kinds of minors personal information is considered as sensitive information and subject to strict rules when processing such information.
Principles
Articles 5-9 lay down the principles of processing personal information. Article 5 provides that processing personal information shall follow the principles of legality, legitimacy, necessity and good faith. Article 6 provides that processing personal information shall have a clear and reasonable purpose, be directly related to the processing purpose, and adopt the method that has the minimum impact on personal rights and interests. Excessively processing personal information is prohibited. Article 7 provides that processing personal information shall be transparent. Article 8 provides that the quality of personal information shall be guaranteed to avoid any adverse effects on personal rights and interests due to inaccurate and incomplete personal information. Article 9 provides that personal information processors shall take necessary measures to ensure the security of the personal information processed. From the above, we can see there are some similarities to those under the GDPR.
Lawfulness of Processing
Before the PIPL is adopted, consent is the major legal base of processing personal information. This has been changed under Article 13 of the PIPL. According to Article 13, there are seven legal bases of processing personal information:
- Consent;
- Performing contracts, or a collective labor contract;
- Compliance legal duty or legal obligation;
- Responding to public health emergencies or protecting the life, health and property safety of natural persons in emergencies;
- Within the reasonable scope of implementing news report, public opinion supervision and other actions for the public interests;
- Processing the personal information disclosed by the involved individuals themselves or other legally disclosed personal information in accordance with the PIPL;
- Other circumstances stipulated by laws and administrative regulations.
Consent is only one of the seven methods of lawfully processing personal information. Thus, Article 13 of the PIPL has greatly enlarged the legal bases of lawfully processing personal data. It is a huge relief to the companies which process personal data without data subject consent. Although these legal bases are not identical to the GDPR, there are some similarities. In particularly, consent, performing contracts and compliance legal obligations are identical to those under the GDPR, although the PIPL specifies the situation of performing collective labor contracts. For vital interests and public interests, the PIPL has narrowed the scope to very specific situations, comparing to those under the GDPR.
Data Localisation
It is clear now under the PIPL not every data processor needs to fulfil the data localisation obligations. Before the adoption of the PIPL, many international companies have been misled by concluding that China requires every data processor to localise their data collected in China according to Cybersecurity Law. Obviously, this is not correct and Cybersecurity Law does not have such requirements. Now, the PIPL clarifies this misunderstanding. According to Article 40 of the PIPL, only critical information infrastructure operators (“CIIOs”) and personal information processors who process personal information up to the amount specified by the State cyberspace authority need to fulfil the data localisation obligations. In addition, this only applies to the data collected or generated in China. Non CIIOs have to wait for the detailed rules on the thresholds under which a processor will be required to localise its personal data. The current rumor is that the threshold could be processing one million or more persons' data.
Cross-border Data Transferring
According to Article 38, data processors need to fulfill one of the following conditions when transferring data outside China:
- Passing the security assessment organized by the State cyberspace authority in accordance with the provisions of Article 40 of the PIPL;
- Obtaining personal information protection certification by professional institutions in accordance with the provisions of the State cyberspace authority;
- Signing a contract with the overseas receiving party to stipulate the rights and obligations of both parties according to the standard contract formulated by the State cyberspace authority;
- Other conditions stipulated by laws, administrative regulations or the State cyberspace authority.
Condition 3 is similar to GDPR standard contract clause, although it remains to see what the Chinese standard contract clauses will look like. Nevertheless, it is a huge step for China to bring its cross-border data transfer regime in line with the GDPR style.
According to Article 39 of the PIPL, when transferring personal data outside China, data processor shall inform the individual of the name and contact information of the receiving party, processing purpose, processing method, type of personal information and the ways and procedures for the individual to exercise the rights. Except the above requirements, data processor shall obtain the individual's separate consent. This requirement is very high in particular considering the fact that Article 38 has laid down the conditions for cross-border data transferring. From the current provisions of Articles 38 and 39 it seems that even a processor has fulfilled one of the four conditions provided in Article 38, it still needs to get the individual’s separate consent. If it is true, such burden might be too high for processor when transferring data outside China. Also, it is not clear whether this requirement only applies to the data processed based on consent, since there are seven bases of processing data legally under Article 13 of the PIPL.
Data Subjects’ Rights
Articles 44-49 provide the rights of data subjects. Here I use the GDPR style to summarize the rights provided by Articles 44-49 of the PIPL.
Right to Information, Right to Object and Right to Restriction of Processing
Article 44 provides the right to information, the right to object and the right to restriction of processing. According to Article 44 of the PIPL, data subjects have the right to know and decide on processing their personal information and have the right to object or restrict to process their personal information by processors. These rights are similar to those under the GDPR.
Right of Access and Right to Data Portability
Article 45 provides the right of access and the right to data portability. According to Article 45, data subjects have the right to access and copy their personal information from personal information processors. Where data subjects request accessing to or copying their personal information, the personal information processors shall provide it in a timely manner. This is different with the GDPR rules and the PIPL has no clear timeline for responding such data subjects' requests. In addition, where data subjects request to port their personal data from a personal information processor to another processor who meets the conditions prescribed by the national cybersecurity authority, the current personal information processor shall do so.
Right to Rectification
Under Article 46, data subjects can request the data processor to correct their information. Again, the PIPL only requires the processor to deal with such requests in a timely manner without specifying the responding time period.
Right to Erasure (Right to be Forgotten)
According to Article 47, under any of the following circumstances, data subjects have the right to erasure:
- where the purpose of processing has been completed or is unable to be completed, or the personal information is no longer necessary for achieving the purpose of processing;
- where the processor ceases to provide the product or service involved, or the retention period has expired;
- where the consent is withdrawn by the data subject;
- where the processing violates law, regulations or contracts;
- other circumstances.
Right to Explain Processing Rules
Article 48 provides that data processors shall explain their processing rules on data subjects’requests. Comparing to the GDPR, this is a new right.
Right for Close Relatives of a Dead Person
Article 49 provides in the event of death of a person, a close relative of the dead person may exercise the rights to access, make copies of, correct or delete and other rights to the relevant personal information of the dead person unless the dead person has arranged otherwise before death. The GDPR does not provide any rights to a deceased person. Due to lack of precedent, it remains to be seen how the right under this article is applied.
Obligations of Data Processors
As mentioned at the start of this article, the term of data processor under the PIPL is similar to the term of controller under the GDPR. According the PIPL, the data processor needs to:
- develop internal management systems and operating procedures;
- implement categorized management of personal information;
- take appropriate security technical measures such as encryption and de-identification;
- reasonably determine the operating permission for personal information processing, conduct security education and training for employees on a regular basis;
- develop and organize the implementation of emergency plans for personal information security incidents; and
- take other measures as prescribed by laws and administrative regulations.
Except the requirement for implementing categorized management of personal information, the rest are similar to those under the GDPR. Categorizing personal information processed by processors could be considered as part of security measures.
In addition, a data processor will need to appoint a personnel responsible for personal information protection, if the personal information it processes reach certain amount. The PIPL has not define such amount. Small data processors will be examined from this burden, although it remains to see the detailed thresholds or guidance on this. As mentioned below, the personnel responsible for a processor's personal information protection is also subject to personal penalties if the processor violates the PIPL.
Government Personal Data Processing Activities
Articles 33-37 are specially designed to deal with personal data processing activities by governments and agencies which are designed to perform some government functions. Article 33 provides that personal data processing activities by Chinese governments are subject to the PIPL. This lays down huge compliance burden on Chinese governments’s personal data processing. Although it remains to be seen how government officials to comply the PIPL, it is a mile stone in the history of protecting personal information in China by providing that Chinese governments are subject to the PIPL.
Enforcement Authorities and The Penalties
The current enforcement structure of protecting personal information is very decentralized and many departments at different level of governments have enforcement powers under different laws and regulations. This decentralized structure causes huge problems for companies, such as inconsistency of enforcement. The PIPL fails to address this issue. No centralized authority is established/designed to enforce the PIPL. According to Article 60, the State cybersecurity authority is responsible for overall planning and coordination of personal information protection and relevant supervision and administration. The relevant departments under the State Council shall be responsible for the protection, supervision and administration of personal information within their respective functions and responsibilities. The relevant departments of the local people's governments at or above the county level are responsible for the protection, supervision and administration of personal information.
The highest penalties in terms of fines are no more than RMB 50 million or 5% previous year revenue of the involved companies. Except this, the direct responsible personnel is subject to fines between RMB 100k to one million. This is different with the GDPR.
Conclusions
After years of arguments and waiting, finally China has its own special law on protecting personal information. It is good news for data subjects and good news for companies which treat personal information protection seriously. The PIPL will come into effect on 1 November 2021. Given the short grace period that the PIPL has, it is very important for companies to quickly amend their existing personal data protection compliance policies according the PIPL. In particular the companies which have adopted GDPR compliance style need to analyze the gap between GDPR compliance requirements and the requirements under the PIPL to minimize the workload. As said, the PIPL is greatly impacted by the GDPR, although it is not identical to the GDPR. Thus, it will not be a huge burden for companies to comply the PIPL if they already have the GDPR style compliance rules.