China’s Personal Information Protection Law (PIPL)

All About China’s Data Protection Law – China’s Personal Information Protection Law (PIPL)

Since November 1, 2021, China has implemented a comprehensive privacy law to protect its data subjects and their personal information.

China’s Data Privacy Law went into effect on September 1, 2021, and applies to several data processing activities, including the processing of personal information. The PIPL is enforced and administered by the Cyberspace Administration of China and relevant state and local government departments. The law has similarities to the European Union’s General Data Protection Regulation (GDPR), with substantial penalties of up to the greater of 5% of the previous year’s revenue (possibly global) or $7.7 million. The PIPL is also a lengthy document, with more than 70 articles spanning eight chapters. The TL;DR takeaways and a summary of the law’s key provisions are below.

Obligations for Organizations

Organizations should assess their compliance obligations under the PIPL if they process personal information within China, process it for the purpose of providing products or services to individuals within China, or process it to analyze or evaluate the behavior of individuals within China.

These obligations could include:

  • Ensuring the existence of public-facing documentation such as privacy policies, data subject rights request procedures, privacy notices and data processing agreements.
  • Implementing standard contractual clauses (SCCs) in contracts involving personal information that is transferred outside China.
  • Implementing consent mechanisms, which should include multiple layers of consent for certain processing activities or transfers (e.g., transferring personal information outside of China or to another personal information processor).
  • Adding PIPL data breach notification requirements to incident response plans for organizations.
  • Assessing the need to localize data in China and the impact that might have on global operations.
  • Assessing whether data mapping and other existing compliance exercises can be repurposed to make PIPL compliance less onerous (some customization will be needed to suit the organization’s purpose).

Overall, PIPL compliance efforts will likely remain a work in progress, given the uncertainty posed by interpretations and enforcement of the lengthy new law and the pending implementing rules and regulations.

Who must comply with the PIPL?

The PIPL is intended to reach beyond China’s borders and, arguably, covers companies or individuals anywhere that process the personal information of individuals in China (regardless of the individual’s nationality or residency). Additionally, the PIPL requires personal information processors located outside of China to establish dedicated entities or appoint individual representatives in charge of personal information within China. Such entities or representatives do not need to have any employment relationship or be affiliated with the foreign processor. Furthermore, personal information processors that process more than a certain threshold of personal information (although the threshold remained undefined as of 2022) are required to designate an individual in charge of processing and protecting personal information and to publish that person’s contact information.

Does the PIPL differentiate between ‘controllers’ and ‘processors’ of personal information?

In a designation that is sure to cause some confusion, under the PIPL “personal information processors” are akin to “controllers” under the GDPR, and “entrusted parties” are akin to GDPR “processors.” Personal information processors assume the liability and compliance requirements in the PIPL. Joint personal information processors must enter into an agreement that designates the specific rights and obligations of each personal information processor; the PIPL provides that joint personal information processors are jointly liable.

Additionally, if the processing of personal information is performed by an entrusted party (i.e., the equivalent of a processor under the GDPR) on behalf of a personal information processor, the parties must enter into an agreement that specifically designates the purpose, duration, method and categories of processing, the protection measures, and the rights and duties of each party. In practice, based on the requirements in the PIPL, the data processing agreement should include the following:

  • A prohibition against the entrusted party processing personal information outside the agreement.
  • Terms requiring the entrusted party to return or delete personal information upon completion, revocation or expiration of the agreement.
  • Provisions requiring the entrusted party to obtain the personal information processor’s consent before allowing a sub-processor to process personal information.

What type of data is covered under the PIPL?

The PIPL defines personal information as “… various kinds of information related to identified or identifiable natural persons recorded by electronic or other means, excluding the anonymized information.”

The PIPL thus deems anonymized information nonpersonal and outside the scope of the law. However, the definition of anonymization is strict and may be hard to meet: “Anonymization refers to a process in which the personal information is processed so that it is impossible to identify a certain natural person and unable to be reversed.”

The PIPL defines “sensitive personal information” only ambiguously: “Sensitive personal information refers to the personal information that can easily lead to the infringement of the personal dignity of natural persons or the harm of personal or property safety once leaked or illegally used, including such information as biometrics, religious belief, specific identities, medical health, financial accounts, and whereabouts, and the personal information of minors under the age of 14.”

Sensitive personal information is subject to additional requirements for processing such as:

  • Identifying a specific purpose and sufficient necessity for the processing.
  • Providing notice to the individual of the impact that the processing will have on the individual’s rights and interests.
  • Conducting a privacy impact assessment and creating a record of processing.
  • Obtaining separate individual consent for the processing (and possibly written consent where required by yet-to-be-published regulations).

The PIPL also instructs the Cyberspace Administration of China to formulate special personal information protection rules and standards for the processing of sensitive personal information.

What are the legal bases available for data processing under the PIPL?

Under the PIPL, personal information processors may only process personal information where one of the following legal bases applies:

  • Consent of the individual has been obtained, which must be informed, voluntary and explicit (at thresholds not yet defined), subject to the following:
      ◦ If the purpose, method or categories of processing change, new consent must be obtained.
      ◦ Individuals must have the ability to withdraw consent by “convenient means” (not yet defined).
      ◦ The provision of products or services cannot be conditioned on consent, unless the information being collected is necessary for providing the products or services (which appears to reflect the concept of “freely given” consent under the GDPR).
      ◦ Parental/guardian consent is necessary if the processing involves the personal information of a minor below the age of 14.
  • It is necessary for the conclusion or performance of a contract to which the individual is a party, or to implement human resources management in accordance with labor rules and regulations formulated, and collective contracts concluded, according to law.
  • It is necessary for the fulfillment of statutory duties or obligations.
  • It is necessary for coping with public health emergencies or for the protection of an individual’s life, health or property.
  • Acts such as news reporting and supervision by public opinion are carried out in the public interest, and the processing of personal information is within a reasonable scope.
  • The personal information has already been disclosed by the individual, or other legally disclosed personal information is processed within a reasonable scope in accordance with the provisions of the law.
  • Other circumstances exist as provided by Chinese laws and regulations.

Notably, the PIPL indicates that individual consent is the default legal basis for processing unless one of the other legal bases applies. Also noteworthy is the absence of a “legitimate interest” processing basis as is available under the GDPR, which has been used by many EU data controllers as a more flexible means of establishing a legal basis for processing. However, it is still possible that Chinese authorities could expand the available legal processing bases via regulation.

What types of notice are required under the PIPL?

Privacy notice

Before processing personal information, a personal information processor must truthfully, accurately and completely inform individuals, in an “eye-catching manner with clear and understandable language,” of at least the following:

  • The name and contact method of the personal information processor.
  • The purpose and method of processing personal information, and the type and retention period of the processed personal information.

What individual rights does the PIPL provide?

The PIPL creates specific rights for individuals with respect to the processing of their personal information, including the right to:

  • Know, decide on, and limit or object to the processing of their personal information by others.
  • Access and copy (including transfer) their information from personal information processors.
  • Request correction or completion of their personal information.
  • Request deletion in certain circumstances, or withdraw consent.

Personal information processors must establish a convenient, but undefined, mechanism for individuals to exercise these rights. Notably, relatives of a deceased natural person may – for their own lawful and legitimate interests – access, copy, correct and delete the personal information of the deceased.

What are the potential penalties for failing to comply with the PIPL?

PIPL penalties are graduated depending on the severity of noncompliance, ranging from a warning and order to cure violations, to an order suspending services or revocation of operating permits or business licenses, to the confiscation of illegal gains, to significant administrative fines. Company employees also may be held personally liable and face fines or be banned from serving as directors, supervisors, officers or persons-in-charge of personal information protection matters for the relevant entities.

Companies and/or their employees may even face criminal liability in serious cases. For instance, any person who, in violation of the PIPL, illegally obtains, sells or supplies to third parties more than 500 pieces of information that can affect citizens’ personal and financial safety (such as lodging information, communication records, health and physical information, transaction information, etc.) may be sentenced to up to three years of detention.
