October 8, 2021
The Personal Information Protection Law of the People’s Republic of China (the “PIPL”), the first comprehensive framework for the protection of personal information in China, was passed by the Standing Committee of China’s National People’s Congress in August 2021, and will become effective on November 1, 2021. The PIPL, together with two other laws on cybersecurity and data protection — the Chinese Cybersecurity Law of 2016 and the Data Security Law of the People’s Republic of China — constitutes a new data protection legal regime in China. This article outlines key PIPL compliance considerations for entities subject to the law.
1. Scope of the PIPL
The PIPL applies to (1) entities processing personal information of individuals within China or (2) foreign entities processing personal information outside of China (a) where the entity collects and processes personal information to (i) provide products or services to individuals in China or (ii) analyze or assess the activities of individuals in China; or (b) pursuant to “other circumstances provided in laws and administrative regulations.” For entities subject to the PIPL, the law imposes a number of compliance obligations on “personal information handlers” (“PI Handlers”), defined as “any organization or individual that independently determines the purpose and method of processing of any personal information.”1 The PIPL defines “personal information” as “information, recorded by electronic or other means, related to identified or identifiable natural persons,” excluding anonymized data.
To comply with the PIPL, a PI Handler should manage its data assets and identify the different processing activities in which it is engaged, including the types of personal information it processes, the purposes of processing, how it collects personal information, with whom the personal information is shared, and how long the personal information is retained with respect to each processing activity. The most common processing activities include, but are not limited to, the processing of employees’ personal information for HR purposes, processing customer data for business purposes, and engaging entrusted parties to process personal information on the PI Handler’s behalf.
3. Privacy Notice
Prior to processing personal information, a PI Handler must provide notice to individuals of how their personal information will be processed. Under the PIPL, a privacy notice must contain:
4. Key Issues Relating to Personal Information Processing
4.1 Legal Basis for Processing Personal Information
A PI Handler may process personal information only where it has a legal basis to do so, namely:
4.2 Consent Requirements
To meet the standard of consent required under the PIPL, an individual must provide his or her voluntary and explicit indication of intent on a fully informed basis. Individuals have the right to withdraw their consent, but a withdrawal of consent must not affect the validity of any processing activity that was performed prior to the withdrawal.
4.3 Separate or Written Consent
The PIPL requires separate or written consent of individuals in certain circumstances. A PI Handler must obtain separate or written consent from individuals for the:
While, to date, no implementing regulations or regulatory guidance have been issued on what would constitute separate or written consent under the PIPL, a PI Handler likely could not obtain such consent if bundled with consent to other processing activities. A pop-up window or a separate checkbox to obtain consent for one or more of the specific processing activities described above, however, may suffice as separate consent under the PIPL. Additionally, where written consent is required pursuant to other administrative laws and regulations, such provisions would prevail.
5. Data Protection Principles
The PIPL contains several data protection principles. These principles closely track those found in the GDPR and include:
6. Rights of individuals
The PIPL provides individuals with a number of rights. PI Handlers must allow individuals to exercise the following rights with respect to their personal information:
The PIPL imposes several accountability requirements on PI Handlers, including the requirement to take necessary measures to ensure the personal information processing complies with applicable law and administrative regulation, including:
8. Appointment of a Data Protection Officer
Under Article 52 of the PIPL, if the volume of personal information processed reaches a threshold level as stipulated by the Cyberspace Administration of China, a PI Handler must appoint a data protection officer. The volume of personal information triggering the threshold has not yet been defined.
9. Personal Information Protection Impact Assessment
Under Article 55 of the PIPL, a PI Handler must conduct a personal information protection impact assessment (PIPIA) prior to (1) processing “sensitive” personal information; (2) using personal information in automated decision-making; (3) engaging an entrusted party to process personal information on the PI Handler’s behalf; (4) providing personal information to another PI Handler; (5) disclosing personal information to the public; (6) transferring personal information outside of China; or (7) any processing activity that will have a material impact on the personal rights and interests of an individual.
The PIPIA must specify (1) whether the purpose(s) and method(s) of processing are lawful, legitimate and necessary; (2) the impact of the processing on individuals’ rights and interests, and the level of risk involved; and (3) whether the protective measures undertaken are lawful, effective and commensurate to the degree of such risk. PIPIA reports and records of processing must be retained for at least three years.
The Guideline of Personal Information Security Impact Assessment (GB/T 39335-2020) provides guidance on how to conduct a PIPIA.
10. Data Breach
Under the PIPL, in the event of a suspected or actual data breach, a PI Handler must immediately undertake remedial measures and notify affected individuals and relevant regulators. The PIPL requires specific content to be included in the notification, including (1) the type(s) of personal information affected; (2) the cause of, and possible harm that may result from, the breach; (3) any remedial measures taken by the PI Handler and measures individuals can adopt to mitigate harm; and (4) the contact information of the PI Handler. The PIPL does, however, provide a risk of harm threshold for notice to affected individuals. If the measures taken by a PI Handler can effectively mitigate the harm caused by the data breach, a PI Handler would not be required to notify affected individuals, unless a regulator determines otherwise.
11. Obligations for Certain Specified PI Handlers
PI Handlers that provide important online platform services, have a large number of users or operate a complex type of business are subject to a higher standard of personal information protection under the PIPL. Such PI Handlers are required to:
12. Cross-Border Transfer of Personal Information
The PIPL provides three methods for the cross-border transfer of personal information. First, critical information infrastructure (CII) operators and PI Handlers that process personal information beyond the (to be determined) threshold amount prescribed by the Cyberspace Administration of China are subject to data localization requirements. Where it is necessary for such entities to transfer personal information out of China, the entities must pass a mandatory security assessment organized by the Cyberspace Administration. For non-CII operators or PI Handlers that process personal information below the (to be determined) threshold amount prescribed by the Cyberspace Administration, there are two other options for cross-border data transfers. One option is to obtain a personal information protection certification awarded by a recognized institution in accordance with regulations to be published by the Cyberspace Administration. The other option, and the most likely to be used, is to execute a data transfer agreement with the recipient located outside of China, in compliance with a standard contract to be provided by the Cyberspace Administration.
For cross-border transfers of personal information, in addition to the above requirements, a PI Handler must also inform individuals of the identity and contact information of the data recipient(s), the purpose(s) and method(s) of data processing, the type(s) of personal information to be transferred, and how individuals can exercise their rights under the PIPL with respect to the data recipient(s). PI Handlers must also obtain separate consent from individuals for the cross-border transfer of their personal information.
Additionally, cross-border transfers of personal information made for the purpose of providing international judicial and law enforcement assistance must first be approved by a competent Chinese authority.
13. Joint Processing and Vendor Management
PI Handlers who jointly determine the purpose and means of processing of personal information are considered joint PI Handlers under the PIPL. Joint PI Handlers bear joint and several liability in the event of a violation of the PIPL, and must stipulate their respective rights and obligations in an agreement.
Where a PI Handler contracts with an entrusted party to process personal information on its behalf, the PI Handler must execute a processing agreement with the entrusted party that includes (1) the purpose(s) of processing; (2) the period and method(s) of processing; (3) the type(s) of personal information to be processed; (4) any protective measures to be taken; and (5) both parties’ rights and obligations under the PIPL. PI Handlers are responsible under the PIPL for supervising the processing activities of entrusted parties, but the PIPL does not specify prescribed supervision requirements. Upon the completion or termination of a PI Handler’s agreement with an entrusted party, the entrusted party must return the personal information to the PI Handler or delete it.
14. Penalties for Non-Compliance
PI Handlers who violate the PIPL with respect to their processing of personal information may be subject to penalties including (1) an order to correct the alleged violations; (2) the disgorgement of unlawful gains; or (3) an order suspending or terminating the services of the applications found to be in violation of the PIPL. Entities that refuse to correct the alleged violations may be subject to a fine of not more than 1 million RMB, and responsible personnel may be subject to fines of between 10,000 and 100,000 RMB.
In the event of “grave” violations of the PIPL (a term the law does not define), entities may be subject to fines of up to 50 million RMB or 5% of annual revenue. Additionally, the offending entity’s business or related business activities may be suspended pending rectification of the alleged violations, and the entity may be required to report to the relevant authorities regarding such suspension. Further, individuals directly responsible for “grave” violations of the PIPL may be fined between 100,000 and 1 million RMB, and may be prohibited from holding certain positions, including director, supervisor, high-level manager or data protection officer, for a certain period of time.
Given the PIPL’s fast-approaching compliance deadline of November 1, 2021 and associated penalties of non-compliance, PI Handlers should carefully consider their compliance obligations under the law, and seek to leverage existing compliance efforts for other similar privacy laws where possible.
1 The definition of “personal information handler” under the PIPL is similar to the concept of a “data controller” in other privacy laws (such as the GDPR). While the GDPR distinguishes between a data controller, who determines the means and purposes of processing personal data, and a data processor, who processes personal data on behalf of the controller, the PIPL does not formally define the concept of a data processor. Under the PIPL, when a PI Handler entrusts a third party (i.e., a data processor under the GDPR) to process personal information on behalf of the PI Handler, such third party will be referred to as the “entrusted party” or the “contracting party.”
2 “Sensitive” personal information refers to personal information that, if breached or illegally used, would be likely to cause harm to individuals or their property, including biometric data, religious beliefs, specially-designated status, medical or health-related data, financial account-related data, precise geolocation data, and children’s personal information (under the age of 14).