The Personal Information Protection Law In China: A Legal Analysis
China’s Standing Committee of the National People’s Congress announced the Personal Information Protection Law of the People’s Republic of China (hereinafter referred to as “PIPL”) on August 20th 2021, which will soon come into effect on November 1st 2021.
As China’s first law specifically regulating the protection of personal information, the PIPL will have a direct and far-reaching impact on the protection of personal information rights of individuals, as well as data privacy compliance of enterprises.
Moreover, together with the Cybersecurity Law of the People’s Republic of China and the Data Security Law of the People’s Republic of China, the PIPL is building up a more complete, comprehensive, and systematic legal framework in China’s information protection and cybersecurity field.
The PIPL includes eight chapters and 74 articles, clarifying the rights and obligations in personal information processing activities and stipulating specific rules for personal information processing. The vital points to be noted are as follows.
Definitions In Personal Information Protection Law
The PIPL gives definitions of several essential concepts:
- Personal information refers to “all kinds of information related to identified or identifiable natural persons recorded by electronic or other means, excluding the information processed anonymously”.
- Processing of personal information includes the collection, storage, use, processing, transmission, provision, disclosure, and deletion of personal information.
- Personal information processor refers to an organization or individual that independently decides the purpose and method of processing of personal information.
Under such definitions, most enterprises will be regarded personal information processors as it will be inevitable that they collect and process such data for the purpose of human resources management at least.
Since they are enabled to “independently decide the purpose and method of processing and other personal information processing matters” of the employees’ personal information, all companies are suggested to pay close attention to the new personal information processing rules in China.
The PIPL sets the extra-territorial application, which grants the “long-arm jurisdiction” of the law.
According to Article 3 of the PIPL, in principle, this Law shall apply to the processing of the personal information of natural persons within the territory of the People’s Republic of China.
But under certain circumstances, the Law shall also be applicable to the activities carried on outside the territory of China in processing personal information of natural persons within the territory of the People’s Republic of China. Such circumstances include:
- Where the purpose of personal information processing is to provide products or services to domestic natural persons;
- Where the purpose of personal information processing is to analyze and evaluate the activities of domestic natural persons; and
- Other circumstances as prescribed by laws and administrative regulations.
The PIPL has provided differentiated consent management rules based on the kind of personal information and the processing activity of the personal information, as stipulated in Article 13, Article 23, Article 29, and Article 39 of the Law.
For general personal information, obtaining the individual’s consent is still the principle, but Article 13 provides some circumstances where consent can be waived:
- Where it is necessary for the conclusion or performance of a contract to which the individual concerned is a party, or to implement human resources management in accordance with labor rules and regulations formulated according to law and collective contracts concluded according to law;
- Where it is necessary for the performance of statutory duties or statutory obligations;
- Where it is necessary for coping with public health emergencies or for the protection of the life, health, and property safety of a natural person;
- Where such acts as news reporting and supervision by public opinions are carried out for the public interest, and the processing of personal information is within a reasonable scope;
- Where the personal information disclosed by individuals themselves or other legally disclosed personal information is processed within a reasonable range in accordance with the provisions of this Law; and
- Other circumstances provided by laws and administrative regulations.
For example, in employment scenarios, where it is necessary for the conclusion or performance of a contract to which the individual concerned is a party, or to implement human resources management in accordance with labor rules and regulations formulated according to law and collective contracts concluded according to law, the employer can process the employee’s personal information without obtaining separate consent.
To be noted, however, such exemption has strict conditions. In certain personal information and processing activities, the personal information processor will still need to obtain separate consent from the person concerned.
|Consent Management Under The PIPL|
|Processing general personal information||Yes, with exceptional circumstances|
|Processing sensitive personal information||Yes, separate consent is required|
|Providing personal information to a third part||Yes, separate consent is required|
|Providing personal information to overseas||Yes, separate consent is required|
Processing Of Sensitive Personal Information
The PIPL sets stricter requirements on data processors to protect sensitive personal information.
Under the PIPL, sensitive personal information refers to the personal information that is likely to result in reputational damage or serious personal or proprietary endangerment, including such information as biometric identification, religious belief, specific identity, medical health, financial account, and whereabouts, as well as the personal information of minors under the age of 14 years. A personal information processor may process sensitive personal information only for a specific purpose and with sufficient necessity, and strict protection measures are in place to prevent abuse or misuse.
Besides, the processing of sensitive personal information of an individual shall be subject to the individual’s separate consent. Where laws and administrative regulations provide that the processing of sensitive personal information shall be subject to the written consent, such provisions shall prevail. To process personal information of a minor under the age of 14 years, the personal information processor shall obtain the consent of the minor’s parents or other guardians.
In addition, for the sensitive personal information of an individual, the personal information processor shall inform the individual of the necessity of processing and the impact on their personal rights and interests, in addition to the normal notification matters, except for the circumstances that may be exempted from informing the individual of such information in accordance with the PIPL.
Cross-border Transmission Of Personal Information
The PIPL stipulates various requirements on the cross-border transmission of personal information, which shall be paid special attention to by relevant enterprises.
First, cross-border transmission of personal information should fulfill the precondition that the personal information processor must provide personal information outside the territory of the People’s Republic of China due to business or other needs. Otherwise, the personal information will not be allowed to be transferred overseas.
If the personal information processor really needs to provide the personal information abroad, it must meet any of the following conditions:
(1) pass the security assessment organized by the Cyberspace Administration of China (“CAC”);
(2) certified by a specialized agency for protection of personal information in accordance with the provisions of CAC; and
(3) adopt CAC’s standard contract into its contract with the overseas recipient, specifying the rights and obligations of both parties.
Before transferring personal information overseas, the data processor is required to inform the individual of the information of the recipient overseas (such as the recipient’s name, contact, purpose of data processing etc.) and obtain the individual’s separate consent.
The PIPL imposes a data localization requirement on Critical Information Infrastructure Operators (“CIIO”), and the processor which process the personal formation up to a certain amount. Principally, the personal information collected is required to be stored in China, if it needs to be transferred overseas, security assessment organized by CAC needs to be passed.
At the time of writing this guide, the Notice of the Cyberspace Administration of China on Seeking Public Comments on the Measures for the Security Assessment of Personal Information and Important Data to be Transmitted Abroad, which provides the detailed standards for security assessment, has not been finalized and promulgated. But according to the draft, among other provisions, where the data to be transmitted abroad contains or contains in aggregate the personal information of more than 500,000 users, or where the quantity of the data to be transmitted abroad is more than 1,000 gigabytes – a security assessment will be required.
Other Highlights Of The Personal Information Protection Law
Diversified Protection Mechanisms
According to Articles 60, 63, and 64, China has implemented a diversified protection mechanism to protect personal data. The CAC is responsible for coordinating the protection of personal information and relevant supervision and administration work. Relevant departments of the State Council are responsible for protecting, supervising, and administering the protection of personal information within the scope of their respective duties in accordance with relevant laws and regulations.
Processing Of Personal Information Of The Deceased
The PIPL also provides protection to the personal information of the deceased. As stipulated in Article 49 of the PIPL, where a natural person dies, his/her close relatives may, for the purpose of their own lawful and legitimate interests, exercise such rights as consulting, copying, correcting, and deleting the relevant personal information of the deceased. Such statutory protection provides a more complete protection to the deceased and is helpful to solve the personal information related dispute arising from the natural person’s dead.
Prohibition On ‘Big Data Discrimination’
The PIPL also prohibits “big data discrimination”, where personal information processors sometimes use personal information for automated decision-making and individuals are subject to unreasonable differential treatment in trading conditions, such as transaction prices. “Big data discrimination” has become a noted problem in recent years, and the PIPL prohibits it.
According to the PIPL, the penalties imposed on small and medium-sized enterprises shall be up to a maximum of RMB 50 million (US$7.7 million), while for large enterprises, the maximum penalty could be five percent of the previous year’s turnover, or even suspension of business, revocation of business licenses, and direct punishment on the responsible person.
How Should Enterprises Respond To The PIPL?
As PIPL is going to take effect soon, the gradual improvement of relevant legal provisions will give enterprises higher data compliance and internal governance capability on matters of cybersecurity and personal information protection.
As mentioned above, personal information processors will face stricter compliance requirements after the implementation of the PIPL.
It is not so easy to set out how to get ready for PIPL, as much is delegated to future more detailed instruments or regulation and implementing rules. However, if the enterprises follow the policy’s direction and do some preparation work in advance, they can be well-placed to navigate the requirements as they are finalized. Only when an enterprise establishes a systematic personal information protection system and does its best to protect user information can it avoid potential lawsuit and administrative punishment.
In response to the PIPL, the below measures are suggested for enterprises’ consideration:
- Provide due training to managers and employees.
- Conduct a self-assessment in terms of the enterprise’s business and personal information, which may be managed during the enterprise’s operation.
- Make amendments to the organization’s personal information policy.
- Establish a compliance system for the protection of personal information.
- Issue regular reports on the social responsibility for the protection of personal information.
- Improve the collection process of personal information of app users and employees.
- Manage personal information according to its nature.
- Conduct relevant protection measures, such as encryption and de-identification.
- Set reasonable operational controls and provide regular training to staff.
- Formulate a security incident response plan and carry out a simulation exercise.
- Other measures as required by laws and regulations.