Key Point: China’s Personal Information Protection Law is a complex regulatory regime that will require U.S. entities subject to its requirements to undertake substantial compliance efforts.
As of November 1, 2021, China will become the last country to pass a national data privacy law similar to Europe’s General Data Protection Regulation (GDPR). The new law – titled the Personal Information Protection Law of the People’s Republic of China or “PIPL” – will require foreign companies, including US companies, to operate in China (and in some cases, only operating outside of China. China) to undertake further compliance efforts. .
To facilitate this process, below is a general discussion of the PIPL and some of its most notable provisions. For reference, PIPL has been translated into English through DigiChina, which has a wealth of resources available on its website for those who wish to learn more about this new law.
Which entities does the PIPL apply to?
The law generally applies to “personal information managers” (“PIHs”) which are comparable to GDPR controllers. More specifically, Article 73 defines PIHs as “organizations and individuals who, in the context of personal information processing activities, autonomously decide on the purposes of processing”. The PIPL does not apply to natural persons processing personal information for personal or family purposes (Article 72).
Similar to GDPR, PIPL claims to have extraterritorial jurisdiction.
Article 3 states that the law applies to “activities of processing personal information of natural persons within the borders of the People’s Republic of China”. It also states that it applies to “processing activities outside the borders of the People’s Republic of China of personal information of natural persons within the borders of the People’s Republic of China” when (1) “the purpose is to provide products or services to natural persons within borders “, (2) when” analyzing or evaluating the activities of natural persons within borders “, or ( 3) “other circumstances prescribed by laws or administrative regulations”.
Those familiar with the GDPR will certainly recognize the similarities between the two laws. It remains to be seen to what extent this provision will be interpreted and applied by Chinese regulators.
What information does the PIPL apply to?
PIPL applies to the processing of “personal information”, which is defined in article 4 as “all kinds of information, recorded by electronic or other means, relating to identified or identifiable natural persons, to the exclusion of information after anonymization processing “. Article 4 further explains that “[p]the processing of personal information includes the collection, storage, use, processing, transmission, provision, disclosure, deletion, etc.
Does the PIPL require a legal basis for the processing of personal data?
Yes. PIHs are required to have an appropriate basis for processing personal data.
Some of the bases identified in Article 13 are: (1) consent; (2) if necessary to enter into or perform a contract in which the individual is an interested party, or if necessary to conduct the management of human resources in accordance with legally formulated labor rules and structures and legally concluded contracts; (3) when necessary to fulfill statutory duties and responsibilities or statutory obligations; and (4) when processing personal information disclosed by individuals themselves or already legally disclosed, within a reasonable scope in accordance with the provisions of the PIPL.
PIPL does not have a provision similar to the “legitimate basis” provision of the GDPR.
How is consent defined?
Consent must be given by individuals “under the precondition of full knowledge” and in “a voluntary and explicit declaration” (Article 14). Consent must be obtained again if there is a change in the purpose of processing, the processing method or the categories of personal information. Consent must be revocable (article 15).
What about sensitive personal data?
PIHs must obtain the “separate consent” of an individual to process sensitive information (or the consent of a parent or guardian for those under the age of 14) (Articles 29 and 31). HSPs must also have a “specific purpose and need to be fulfilled”, put in place “strict safeguards” and provide additional information to individuals (Articles 28 and 30).
Sensitive information is defined in Article 28 as “personal information which, once disclosed or used unlawfully, can easily offend the dignity of natural persons and seriously endanger the security of persons or property, including information on biometric characteristics, religious beliefs, specially designated status, medical health, financial accounts, individual location tracking, etc., as well as personal information of minors under the age of 14. “
What rights does PIPL grant to data subjects?
Before processing personal information, PIHs should inform individuals of the PIH’s name and contact method, the purpose of processing personal information and processing methods, the categories of personal information processed, the period retention and methods for individuals to exercise their confidentiality. rights (Article 17). These disclosures must be truthful, accurate, and in clear, easy-to-understand language.
Data retention periods “are the shortest period necessary to achieve the purpose of processing personal information” unless otherwise provided by law or regulations (Article 19).
In addition, Chapter IV (Articles 44-50) grants natural persons the following rights: right to know, right to object to processing, right to access and copy personal information, right to data portability, right rectification of inaccurate information, right to complete incomplete information. information, the right to erasure and the right to have PIHs explain the rules for processing personal information. Notably, individuals can file a complaint with a court when the PIHs deny individuals’ requests to exercise their rights.
Does PIPL require data processing agreements?
Yes. Article 21 provides that if the PIHs transfer personal information to “authorized persons” “they must enter into an agreement with the authorized person on the purpose of the entrusted processing, the deadline, the method of processing, the categories of personal information. , protective measures, as well as the rights and duties of both parties, etc., and supervise the personal information processing activities of the person appointed. “
Article 21 also requires that the persons empowered to abide by the terms of the contract, return personal information upon conclusion of the relationship, and not transfer personal information to others without the consent of the PIH.
PIPL regulates the transfer of information between PIHs differently. In this case, the PIH must inform individuals, provide certain required information and obtain separate consent (Article 23).
Finally, Article 25 generally states that PIHs “may not disclose the personal information they process unless they obtain separate consent”.
What about international data transfers?
Similar to the GDPR, Chapter III (Articles 38 to 43) regulates international transfers of personal information. To engage in such transfers, PIHs must meet one of the following conditions:
- Pass a security assessment organized by the State Cyber Security and Computerization Directorate in accordance with Article 40;
- Submit to a certification of protection of personal information conducted by a specialized organization according to the provisions of the department of cybersecurity and computerization of the State;
- Conclude a contract with the foreign receiving party in accordance with a standard contract formulated by the department of cyberspace and computerization of the State, agreeing on the rights and responsibilities of both parties; Where
- Other conditions provided by laws or administrative regulations or by the cybersecurity and computerization service of the State.
International treaties or agreements concluded by China and other countries may also provide for such a transfer mechanism.
In addition, if PIHs provide personal information outside of China, they are required to inform the person of the name or personal name of the foreign receiving party, the method of contact, the purpose of processing, processing methods and categories of personal information, as well as the means or procedures for individuals to exercise their rights with the foreign host party.
Finally, additional data localization requirements apply to critical information infrastructure operators and PIHs handling personal information reaching amounts provided by the state’s cybersecurity and computerization department.
What other tasks do PIHs have?
Chapter V identifies a number of additional duties for PIHs. These include implementing appropriate information security measures to protect personal information from unlawful disclosure, appointing data protection officers in certain circumstances, appointing a representative in China (if operates outside the country), regularly auditing their information practices and carrying out data protection impact assessments for certain processing activities. Article 57 also defines the obligations in the event of a data breach.
What are the penalties for non-compliance?
Among other remedies, regulators can impose fines of up to 50 million RMB (or about 7.7 million US dollars) or 5% of annual revenues for “serious” offenses.
This discussion aims to provide a general overview of some (but certainly not all) of the provisions of PIPL. As with the GDPR, PIPL is a complicated law that will require in-depth analysis by any US entity subject to its application.
The content of this article is intended to provide a general guide on the subject. Specialist advice should be sought regarding your particular situation.