Overview of China's Personal Information Protection Law (PIPL)

China passed its first data protection law - Personal Information Protection Law (PIPL) on 20 August 2021, which will take effect from 1 November 2021, allowing companies just over two months to prepare. The PIPL will affect any company with data or conducting business in China.

The new law will reshape the handling of personal data in China, and might require organizations to revisit their existing practices and procedures. While PIPL is said to be “China’s GDPR”, the law differs in legal grounds, rights, obligations and cross-border data transfers to fit China’s own purposes.

What does "personal information" entail?

PIPL defines “personal information” as all kinds of information relating to identified or identifiable natural persons recorded by electronic or other form, excluding anonymized information. “Processing of personal information” includes activities such as the collection, storage, usage, transmission, provision, public disclosure and deletion of personal information.
‍

What are the rights of a data subject according to PIPL?

• The right to know about and to decide upon activities relating to their personal information.
• The right to restrict or object to the processing of their personal information.
• The right to consult and copy their personal information from the processors.
• The right to portability of their personal information.
• The right to request that the data processors correct or complete their personal information.
• The right to request deletion of their personal information (under certain circumstances).
• The right to withdraw consent.
• The right to request the processors to explain the processing rules.
  ‍

What are the data processor's obligations according to PIPL?

• To formulate internal management systems and operation procedures.
• To implement classified management of personal information.
• To adopt corresponding technical security measures such as encryption and de-identification.
• To determine the operational authorizations for personal information, as well as to provide regular security education and training for operational staff.
• To formulate and implement response plans for security incidents relating to personal information.
• To conduct regular compliance audits.
• To adopt other security measures as stipulated by laws and regulations.
• To take “immediate” remedial measures and notify the Personal Information Protection Authorities and any affected individuals in the event of a data incident.
  ‍

What is PIPL's extraterritorial effect?

1. The processing of personal information within China, of PRC individuals.

2. The processing of personal information outside of China, of PRC individuals, if such processing is:

• For the purpose of providing products or services to PRC individuals.
• To analyze/evaluate the behavior of PRC individuals.
• Covered under circumstances prescribed by laws and administrative regulations.

If a company outside of China conducts processing activities as described in (2) above, the PIPL requires that it establish an entity or designate a representative in China in charge of personal information protection matters, and the name and contact details of such entity or representative must be filed with the relevant Chinese authorities.

What are PIPL's legal bases for processing?

• When consent is voluntarily given by data subjects.
• When the data is necessary for executing or performing contracts.
• When the data is necessary for performing legal duties and obligations.
• When the data is necessary for responding to public health emergencies, or for the protection and safety of an individual's life and property.
• When data is necessary for conducting news reports, public opinion supervision, and other acts for the public interest, within reasonable scope.
• In accordance with the PIPL, when the data has been made public by data subjects or through other lawful means, within reasonable scope.
• Other circumstances as stipulated by laws and administrative regulations.
  ‍

What about cross-border transfers of personal information?

This can only be made for "legitimate purposes" such as business needs, and the transferor is obligated to take the necessary measures to ensure that the processing activities of the overseas recipient satisfies the protection standards set forth in the PIPL. In addition, both a proper legal basis and consent by the data subjects will be required in order for such transfer to be lawful.

(1) Legal bases

The legal bases for cross-border transfers of personal information under the PIPL include:

• By passing a security review organized by the cyberspace administration if the transferor is an operator of critical information infrastructure (CII) or the volume of the affected personal information reaches the threshold specified by the CAC.
• By obtaining a personal information protection certification from a professional agency in accordance with the rules of the CAC.
• By entering into an agreement with the overseas recipient based on a standard contract form formulated by the CAC.
• By other conditions provided by laws, administrative regulations or the CAC.

(2) Consent

Data subjects must be notified of the following matters and give their separate consent to the cross-border transfer of their personal information:

• The name, contact details of the overseas recipient.
• The purposes and methods of the processing.
• The types of affected personal information.
• The methods and procedures for exercising the rights provided in the PIPL with the overseas recipient.

However, companies are strictly prohibited from providing personal information stored within China to foreign judicial or law enforcement institutions without the approval of Chinese authorities, regardless of legal basis and consent. This will be a difficult issue to navigate for international companies with reporting obligations to regulators in their own jurisdictions.
‍

What are the penalties for violations of PIPL?

Violations of the PIPL may lead to an administrative fine of up to RMB 50 million, or 5% of the processor’s turnover in the last year (it is unclear if this is local or global). Other penalties include order for rectification, warning, confiscation of illegal gains, suspension or cessation of service, cessation of operation for rectification, and revocation of operating permits or business licenses. The person-in-charge or other directly liable individuals may also be individually liable and fined or prohibited from acting as directors, supervisors, senior managers or personal information protection officers.

If the processing activity violates the rights or interests of a large number of individuals, a public interest action may be initiated by the authority responsible for criminal prosecution, consumer protection organizations or other organizations designated by the cyberspace administration.

‍

DISCLAIMER: The contents of this website are intended to convey general information only and not to provide legal advice or opinions. The information presented on this website may not reflect the most current legal developments. An attorney should be contacted for advice on specific legal issues. The implementation of a data protection law compliant Consent Management Platform (CMP) is ultimately at the discretion of the respective data protection officer (DPO) or legal department.

‍

‍