It’s finally here. On 20 August 2021, the People’s Republic of China enacted the Personal Information Protection Law. The law is comprehensive, comprising 74 articles in eight separate chapters. Like the EU’s General Data Protection Regulation, it is now the fundamental regulatory regime for personal information in its jurisdiction. It becomes effective on 1 November 2021, a little under two months away.
The PIPL promises to have a profound effect on how personal data is regulated in mainland China, and in other countries where personal information from China is processed. Here is a brief overview (or cheat sheet) of some of the salient points of the law.
A broad meaning of personal information
Under Article 4, the PIPL broadly defines personal information as data “related to identified or identifiable natural persons recorded by electronic or other means.” The definition excludes data processed anonymously. “De-identification” under the law “refers to the process in which the personal information is processed so that it is impossible to identify certain natural persons without the use of additional information” (Article 73). “Anonymization” means “the process in which the personal information is processed so that it is impossible to identify a certain natural person and unable to be recovered” (Article 73).
Article 28 separately defines “sensitive personal information” as personal information that can “easily” lead to the infringement of a data subject’s dignity or harm of his or her safety or property if such data is leaked or used lawfully. Examples of sensitive information provided by the law include biometrics, religious belief, specific identities, medical health, financial accounts, and whereabouts, and the personal information of minors under the age of 14. The processing of sensitive personal carries with it heightened requirements (discussed below).
Processing personal information
Legal bases
Processing means the collection, storage, use, processing, transmission, provision, publication, and erasure of personal information (Article 4). A personal information processor under PIPL refers to a data controller, i.e., any organization or individual that independently determines the purpose and method of processing in personal information processing activities (Article 73).
Like GDPR, in order to process personal information, a company must have a legal basis under Article 13. The legal bases are:
- The data subject’s consent;
- Where processing it is necessary to fulfill a contract with the data subject, or is employment-related;
- Where it is necessary to fulfill a statutory obligation;
- Where it is necessary for public health emergencies or for the protection of the life, health, and property safety of a natural person;
- Where the processing is within a reasonable scope to carry out such activities as news reporting and supervision by public opinions for the public interest;
- Where the personal information disclosed by individuals themselves or other legally disclosed personal information is processed within a reasonable range in accordance with the PIPL; or
- Circumstances provided under other laws or regulations.
Similar to the GDPR’s transparency requirements, under Article 7, the PIPL requires “principles of openness and transparency.” The law also incorporates data minimization principles, stating under Article 19 that companies shall retain personal information only for “the minimum period necessary” to achieve the purpose of the processing.
Meaning of consent
Under Article 14, consent must be voluntary and explicit, and given with full knowledge. If other laws or regulations require the data subject’s “separate consent” or written consent, those requirements govern. If the purpose or method of processing, or the type of personal information processed, changes, new consent must be obtained.
Under Article 15, a data subject may withdraw his or her consent at any time, and the company processing the data must provide a convenient means to withdraw consent. A company may not refuse to provide products or services to a data subject because he or she has withdrawn consent. (Article 16.)
Even where consent or another legal basis for processing personal information has been obtained, an organization must obtain a “separate consent” form the data subject where:
- The organization wishes to disclose the personal information to a third party;
- The organization is processing of “sensitive” personal information (see below); and/or
- The organization intends to transfer the personal information outside of China.
Processing sensitive personal information
Also similar to the GDPR, the PIPL provides heightened protections for “sensitive personal information.” They include:
- Individual consent should be obtained for processing sensitive personal information. Where laws and regulations require written consent, written consent is required (Article 29).
- Additional notification to data subjects of the processing’s necessity and how it may impact his or her rights and interests (Article 30).
- Consent from a parent or guardian for the processing of personal information of a minor below the age of 14, and the creation of special procedures for handling such personal information (Article 31).
- Where required by law, other restrictions may apply (Article 32).
Cross-border transfers and data locality requirements
In 2017, the PRC’s Cybersecurity Law required critical information infrastructure operators (CIIOs) to store personal information in China and undergo security assessments approved by the Cyberspace Administration of China (CAC) for cross-border data transfers. PIPL extends the scope of these locality requirements.
Under Article 40, both CIIOs and organizations that process a certain threshold of personal information exceeding an amount determined by the CAC must locally store in China the personal information they collect and generate in China, and pass a CAC security assessment. For organizations processing personal information below the volume threshold, Article 38 requires a company may transfer personal information outside of the PRC for business needs if:
- The organization obtains a certification for personal information protection from a professional institution,
- Executes and transfers the data subject to standard contractual clauses formulated by the CAC. (Note, the standard contractual clauses has not yet been published by the CAC.), and/or
- It has satisfied any other requirements established by the CAC.
Disclosures and privacy notices
Under Article 17, before a company may process personal information, it must “truthfully, accurately, and completely” inform the data subject, “in an eye-catching manner and with clear and understandable language,” the following:
- The processor’s name and contact information;
- The purpose and method of processing;
- The type of personal information processed;
- The retention period of the personal information processed; and
- The method and procedure for the individual to exercise his or her data subject rights (discussed further below).
The PIPL also requires companies to disclose additional activities as required under other applicable PRC laws. An exception for pre-notice exists in cases of emergency of life, health, property, or safety (Article 17).
Extraterritorial reach
Under Article 3, the PIPL applies to the processing of the personal information of data subjects located within the PRC. However, it also has broad reach to processing activities engaged outside of the PRC of personal information of data subjects located in the PRC where:
- The purpose is to provide products or services to data subjects in the PRC;
- The purpose is to analyze and evaluate the activities of data subjects in the PRC; or
- Other circumstances provided by laws and administrative regulations.
Critically, a business need not be located in the PRC in order for the law to govern its activities. The law applies to companies outside the PRC if the organization processes personal information of data subjects located in the PRC and where the organization either offers goods or services to data subjects in China, or analyzes and evaluates their behavior, or both. In this sense, the law’s extraterritorial reach is similar to that expressed in GDPR.
Data subject rights
Under Articles 44 and 50, data subjects have the right to know about and limit the processing of their personal information, and companies must provide convenient means to exercise these rights. Explicit data subject rights are the rights of:
- Access and data portability (Article 45);
- Correction and verification (Article 46);
- Disclosure of processing (Article 48); and
- Deletion (Article 47).
Article 49 provides the same rights to a data subject’s relatives upon the death of the data subject.
Cybersecurity programs
Data security (or cybersecurity program) requirements under PIPL are considerable. Under Article 9, companies are responsible for the security of the personal information they process. Article 51 provides greater detail of what companies must do. The article requires companies to, based on the type of data processed, the processing’s method and purpose, the impact on the data subject’s interest, and possible security risks, undertake the following protective measures to ensure legal compliance under PIPL and prevent unauthorized access, acquisition, disclosure, alteration, or loss:
- Formulate internal management system and operational procedures;
- Manage personal information by classification;
- Implement technical security measures such as encryption and de-identification;
- Reasonably determine the authority to process personal information and conduct security education and training for employees on a regular basis;
- Formulate, organize, and implement incident response plans; and
- Take other measures as prescribed by laws and administrative regulations.
In addition, Article 54 requires companies to undertake periodic (or regular) risk assessments (or audits) of their cybersecurity programs. (This is not very different from requirements under GDPR or the New York Department of Financial Services cybersecurity regulation.) Further, in advance of processing personal data, Article 55 requires companies to conduct a data protection impact assessment of the following:
- The processing sensitive personal information;
- Making use of personal information to make automatic decisions;
- Entrusting others to process personal information, providing other personal information processors with personal information, and disclosing personal information;
- Providing personal information to overseas parties; and
- Other personal information processing activities that have a significant impact on individuals’ rights and interests.
The impact assessment must include (i) whether the purpose and method of processing personal information are legitimate, justifiable, and necessary; (ii) the processing’s impact on individuals’ rights and interests and the security risks; and (iii) whether the security protection measures taken are legitimate, effective, and appropriate to the degree of risks (Article 56). The assessment report and processing record must be kept for at least three years.
Where an incident has taken place, the company must “immediately” undertake remedial measures and inform Chinese regulators (i.e., the department performing duties of personal information protection and the individuals concerned) (Article 57). Notice of the event must include:
- The types and causes of personal information involved and the possible harm caused;
- Remedial measures taken by the company and measures taken by individuals to mitigate harm;
- Company contact information.
Similar to GDPR and some US data breach notification laws, reasonable harm thresholds may limit the requirement to notify consumers. Under PIPL, if the company sustaining the breach has taken measures to effectively avoid harm caused by the incident, it need not notify the data subjects. The decision to notify consumers under this threshold, however, ultimately is subject to any determination rendered by PRC officials.
Third-party management, mergers, and bankruptcy
Article 21 requires that upon hiring a sub-processor, the company must agree on the purpose, duration, and method of the processing, the type of personal information to be processed, and the data protection measures employed. The sub-processor may not process personal information beyond the agreed purpose and method, and must return the data upon completion or termination of the agreement. Further, the sub-processor may not engage another processor without the consent of the original processor.
Article 23 requires a company providing personal information to another processor to (a) disclose the contact information of the processor, (b) disclose the type of personal information to be processed, and the purpose and method of processing, and (c) obtain the data subject’s separate consent. The sub-processor, in turn, must restrict its processing to the stated disclosures. If there are any changes, the sub-processor must inform the data subject and obtain requisite consent. Under Article 20, liability among joint processors is joint and several.
Where personal information is to be transferred because of a merger, division, dissolution or bankruptcy, under Article 22, the company must provide the recipient’s contact information to the data subject. The recipient organization may continue to process the personal information. However if there is a change in the original purpose and method of processing, the new organization must obtain consent from the data subject.
Regulators and fines
Under PIPL, several regulators or state authorities, including the CAC, departments of the State Council, and local government departments, possess supervisory, planning, coordinating, and administrative responsibilities. Penalties for serious violations of the PIPL include fines of 50 million RMB (about $7.7 million USD) or 5% of an entity’s worldwide revenue from the prior fiscal year (Article 66).
Apparent shift in the burden for proof for controllers
Under Article 69, creates a presumption of liability on the Data Controller. Specifically, the article states that “Where the right and interests of personal information are infringed upon due to personal information processing and causes damages, and the personal information processor cannot prove that it is not at fault, it shall bear the tort liability for damages” (emphasis added). Thus, companies should maintain detailed records to demonstrate non-fault and that proper precautions have been undertaken to maintain PIPL compliance.
Further analysis of the new law will be provided under separate alerts. Given PIPL’s rapidly approaching 1 November 2021 effective date, businesses should take steps now to consider how their business operations will be impacted.