Personal Information Protection Law of China: Key Compliance Considerations

The Personal Information Protection Law of the People’s Republic of China (the “PIPL”), the first comprehensive framework for the protection of personal information in China, was passed by the Standing Committee of China’s National People’s Congress in August 2021, and will become effective on November 1, 2021. The PIPL, together with two other laws on cybersecurity and data protection — the Chinese Cybersecurity Law of 2016 and the Data Security Law of the People’s Republic of China — constitute a new data protection legal regime in China. This article outlines key PIPL compliance considerations for entities subject to the law.

1. Scope of the PIPL

The PIPL applies to (1) entities processing personal information of individuals within China or (2) foreign entities processing personal information outside of China (a) where the entity collects and processes personal information to (i) provide products or services to individuals in China or (ii) analyze or assess the activities of individuals in China; or (b) pursuant to “other circumstances provided in laws and administrative regulations.” For entities subject to the PIPL, the law imposes a number of compliance obligations on “personal information handlers,” (“PI Handlers”) which is defined as “any organization or individual that independently determines the purpose and method of processing of any personal information.”¹ The PIPL defines “personal information” as “information, recorded by electronic or other means, related to identified or identifiable natural persons,” excluding anonymized data.

2. Managing Data Processing Activities

To comply with the PIPL, a PI Handler should manage its data assets and identify the different processing activities in which it is engaged, including the types of personal information it processes, the purposes of processing, how it collects personal information, with whom the personal information is shared, and how long the personal information is retained with respect to each processing activity. The most common processing activities include, but are not limited to, the processing of employees’ personal information for HR purposes, processing customer data for business purposes, and engaging entrusted parties to process personal information on the PI Handler’s behalf.

3. Privacy Notice

Prior to processing personal information, a PI Handler must provide notice to individuals of how their personal information will be processed. Under the PIPL, a privacy notice must contain:

• the name and contact information of the PI Handler;
• the purpose(s) and method(s) of processing, the categories of personal information to be processed, and the retention period of the personal information;
• the name and contact information of any other PI Handler that will have access to the personal information, the purpose(s) and method(s) of processing by such other PI Handler, and the categories of personal information provided to such other PI Handler;
• if applicable, the use of automated decision-making;
• if applicable, the necessity of processing “sensitive” personal information² and the impact of such processing on individuals’ rights and interests;
• if applicable, special notice with respect to the processing of children’s personal information (under 14 years old);
• for data transfers outside of China, the name and contact information of the data recipient(s), the purpose(s) and method(s) of processing by the recipient(s), the type(s) of personal information transferred and the method and procedure for individuals to exercise their rights under the PIPL with respect to the data transfer recipient(s); and
• if applicable, contact information of the personal information protection officer.

4. Key Issues Relating to Personal Information Processing

4.1 Legal Basis for Processing Personal Information

A PI Handler may process personal information only where it has a legal basis to do so, namely:

• where the PI Handler obtains the consent of the individual;
• where the processing is necessary to perform a contract;
• for HR management purposes, or pursuant to an employment policy or collective contract;
• where the processing is necessary to comply with a legal obligation or duty;
• where the processing is necessary to respond to a public health emergency or to protect the life, health or property of an individual;
• for public interest purposes to carry out news reporting or supervision by public opinion;
• where the PI Handler processes personal information already disclosed by individuals or otherwise already lawfully disclosed, within a reasonable scope in accordance with the provisions of the PIPL; or
• under other circumstances as stipulated by applicable law or administrative regulation.

4.2 Consent Requirements

To meet the standard of consent required under the PIPL, an individual must provide his or her voluntary and explicit indication of intent on a fully informed basis. Individuals have the right to withdraw their consent, but a withdrawal of consent must not affect the validity of any processing activity that was performed prior to the withdrawal.

4.3 Separate or Written Consent

The PIPL requires separate or written consent of individuals in certain circumstances. A PI Handler must obtain separate or written consent from individuals for the:

• cross-border transfer of personal information;
• disclosure of personal information to another PI Handler;
• public disclosure of personal information;
• use of personal images and identification information captured by video devices for purposes other than maintaining public security; or
• processing of sensitive personal information.

While, to date, no implementing regulations or regulatory guidance have been issued on what would constitute separate or written consent under the PIPL, a PI Handler likely could not obtain such consent if bundled with consent to other processing activities. A pop-up window or a separate checkbox to obtain consent for one or more of the specific processing activities described above, however, may suffice as separate consent under the PIPL. Additionally, where written consent is required pursuant to other administrative laws and regulations, such provisions would prevail.

5. Data Protection Principles

The PIPL contains several data protection principles. These principles are largely identical to those found within the GDPR and include:

• Lawfulness: Personal information must be processed in accordance with the principles of legality, legitimacy, necessity and good faith, and not in any manner that is misleading, fraudulent or coercive.
• Purpose Specification: Processing must be conducted (1) for a specified and reasonable purpose, (2) for a purpose directly relevant to the purpose of processing, and (3) in a way that has the least impact on personal rights and interests.
• Data Minimization: The collection of personal information must be limited to the minimum scope necessary for achieving the purpose of processing, and must not be excessive.
• Storage Limitation: The storage period of personal information must be the minimum period necessary for achieving the processing purpose, unless any applicable law or administrative regulation stipulates otherwise.
• Transparency: Processing must be conducted in accordance with the principles of openness and transparency (i.e., provision of notice, described above).
• Accuracy: PI Handlers must ensure the quality of personal information processed, to avoid any negative impact on personal rights and interests due to the inaccuracy or incompleteness of the personal information processed.
• Data Security: PI Handlers must take necessary measures to ensure the security of the personal information processed.

6. Rights of individuals

The PIPL provides individuals with a number of rights. PI Handlers must allow individuals to exercise the following rights with respect to their personal information:

• access and copy;
• rectification;
• deletion;
• withdrawal of consent;
• restriction of processing;
• objection to processing;
• data portability; and
• objection to the use of automated individual decision-making (as well as an explanation for automated decisions that have a material impact on the individual).

7. Accountability

The PIPL imposes several accountability requirements on PI Handlers, including the requirement to take necessary measures to ensure the personal information processing complies with applicable law and administrative regulation, including:

• developing an internal management system and operating procedures;
• classifying personal information;
• implementing appropriate technical security measures, such as encryption and de-identification;
• implementing appropriate access controls and conducting security training for employees on a regular basis;
• developing and implementing incident response plans;
• appointing a data protection officer under certain circumstances (see below);
• conducting regular audits of processing activities;
• conducting personal information protection impact assessments;
• maintaining records of processing; and
• taking any other measure as required by applicable law or administrative regulation.

8. Appointment of a Data Protection Officer

Under Article 52 of the PIPL, if the volume of personal information processed reaches a threshold level as stipulated by the Cyberspace Administration of China, a PI Handler must appoint a data protection officer. The volume of personal information triggering the threshold has not yet been defined.

9. Personal Information Protection Impact Assessment

Under Article 55 of the PIPL, a PI Handler must conduct a personal information protection impact assessment (PIPIA) prior to (1) processing “sensitive” personal information; (2) using personal information in automated decision-making; (3) engaging an entrusted party to process personal information on the PI Handler’s behalf; (4) providing personal information to another PI Handler; (5) disclosing personal information to the public; (6) transferring personal information outside of China; or (7) any processing activity that will have a material impact on the personal rights and interests of an individual. 

The PIPIA must specify (1) whether the purpose(s) and method(s) of processing are lawful, legitimate and necessary; (2) the impact of the processing on individuals’ rights and interests, and the level of risk involved; and (3) whether the protective measures undertaken are lawful, effective and commensurate to the degree of such risk. PIPIA reports and records of processing must be retained for at least three years.

The Guideline of Personal Information Security Impact Assessment (GB/T 39335-2020) provides guidance on how to conduct a PIPIA.

10. Data Breach

Under the PIPL, in the event of a suspected or actual data breach, a PI Handler must immediately undertake remedial measures and notify affected individuals and relevant regulators. The PIPL requires specific content to be included in the notification, including (1) the type(s) of personal information affected; (2) the cause of, and possible harm that may result from, the breach; (3) any remedial measures taken by the PI Handler and measures individuals can adopt to mitigate harm; and (4) the contact information of the PI Handler. The PIPL does, however, provide a risk of harm threshold for notice to affected individuals. If the measures taken by a PI Handler can effectively mitigate the harm caused by the data breach, a PI Handler would not be required to notify affected individuals, unless a regulator determines otherwise.

11. Obligations for Certain Specified PI Handlers

PI Handlers that provide important online platform services, have a large number of users or operate a complex type of business are subject to a higher standard of personal information protection under the PIPL. Such PI Handlers are required to:

• establish a personal information protection compliance system (i.e., privacy program);
• appoint a data protection officer and establish a compliance department to implement the privacy program;
• establish an independent body consisting of external members to monitor personal information processing activities and increase the transparency of processing;
• develop platform rules to be followed by product suppliers or entrusted parties operating on the platform;
• monitor the processing activities on the platform and suspend services to product suppliers and entrusted parties on the platform where such entities commit a serious violation of any law or administrative regulation in the processing of personal information; and
• publish social responsibility reports of personal information protection on a regular basis to enable public supervision.

12. Cross-Border Transfer of Personal Information

The PIPL provides three methods for the cross-border transfer of personal information. First, critical information infrastructure (CII) operators and PI Handlers that process personal information beyond the (to be determined) threshold amount prescribed by the Cyberspace Administration of China are subject to data localization requirements. Where it is necessary for such entities to transfer personal information out of China, the entities must pass a mandatory security assessment organized by the Cyberspace Administration. For non-CII operators or PI Handlers that process personal information below the (to be determined) threshold amount prescribed by the Cyberspace Administration, there are two other options for cross-border data transfers. One option is to obtain a personal information protection certification awarded by a recognized institution in accordance with regulations to be published by the Cyberspace Administration. The other option, and the most likely to be used, is to execute a data transfer agreement with the recipient located outside of China, in compliance with a standard contract to be provided by the Cyberspace Administration.

For cross-border transfers of personal information, in addition to the above requirements, a PI Handler must also inform individuals of the identity and contact information of the data recipient(s), the purpose(s) and method(s) of data processing, the type(s) of personal information to be transferred, and how individuals can exercise their rights under the PIPL with respect to the data recipient(s). PI Handlers must also obtain separate consent from individuals for the cross-border transfer of their personal information.

Additionally, cross-border transfers of personal information made for the purpose of providing international judicial and law enforcement assistance must first be approved by a competent Chinese authority.

13. Joint Processing and Vendor Management

PI Handlers who jointly determine the purpose and means of processing of personal information are considered joint PI Handlers under the PIPL. Joint PI Handlers bear joint and several liability in the event of a violation of the PIPL, and must stipulate their respective rights and obligations in an agreement.

Where a PI Handler contracts with an entrusted party to process personal information on its behalf, the PI Handler must execute a processing agreement with the entrusted party that includes (1) the purpose(s) of processing; (2) the period and method(s) of processing; (3) the type(s) of personal information to be processed; (4) any protective measures to be taken; and (5) both parties’ rights and obligations under the PIPL. PI Handlers are responsible under the PIPL for supervising the processing activities of entrusted parties, but the PIPL does not specify prescribed supervision requirements. Upon the completion or termination of a PI Handler’s agreement with an entrusted party, the entrusted party must return or delete the personal information to the PI Handler.

14. Penalties for Non-Compliance

PI Handlers who violate the PIPL with respect to their processing of personal information may be subject to penalties including (1) an order to correct the alleged violations; (2) the disgorgement of profits; or (3) the provisional suspension or termination of the electronic applications found to be in violation of the PIPL. Entities that refuse to fail to correct the alleged violations may be subject to a fine of not more than 1 million RMB, and responsible personnel may be subject to fines between 10,000 to 100,000 RMB.

In the event of “grave” violations of the PIPL (which term is not defined under the law), entities and responsible personnel may be subject to fines of up to 50 million RMB, or 5% of annual revenue. Additionally, the offending entity’s business or related business activities may be suspended pending rectification of the alleged violations, and the entity may be required to report to the relevant authorities regarding such suspension. Further, individuals directly responsible for “grave” violations of the PIPL may be fined between 100,000 and 1 million RMB, and may be prohibited from holding certain positions, including director, supervisor, high-level manager or data protection officer, for a certain period of time.

Given the PIPL’s fast-approaching compliance deadline of November 1, 2021 and associated penalties of non-compliance, PI Handlers should carefully consider their compliance obligations under the law, and seek to leverage existing compliance efforts for other similar privacy laws where possible.

For further information or questions regarding the PIPL, please contact us.
 

¹ The definition of “personal information handler” under the PIPL is similar to the concept of a “data controller” in other privacy laws (such as the GDPR). While the GDPR distinguishes between a data controller, who determines the means and purposes of processing personal data, and a data processor, who processes personal data on behalf of the controller, the PIPL does not formally define the concept of a data processor. Under the PIPL, when a PI Handler entrusts a third party (i.e., a data processor under the GDPR) to process personal information on behalf of the PI Handler, such third party will be referred to as the “entrusted party” or the “contracting party.”

² “Sensitive” personal information refers to personal information that, if breached or illegally used, would be likely to cause harm to individuals or their property, including biometric data, religious beliefs, specially-designated status, medical or health-related data, financial account-related data, precise geolocation data, and children’s personal information (under the age of 14).