On August 20, 2021, the Standing Committee of the National People's Congress of the People's Republic of China ("PRC") passed the Personal Information Protection Law ("PIPL"), which will come into effect on November 1, 2021.
The PIPL will work together with the Cybersecurity Law ("CSL") and the Data Security Law ("DSL") to establish a broader regulatory architecture governing cybersecurity and data privacy protection in China. Once effective, this new law will have a significant impact on the data compliance practices of both domestic and multinational companies to the extent they process or use the personal information of individuals located within China.
As the first comprehensive legislation on personal information protection in China, the PIPL specifies the scope of personal information; clarifies the legal bases for processing personal information; lays down the obligations and responsibilities imposed on processors; and imposes stringent requirements on data localization and on cross-border transfers of personal information, safeguarding China's interests in outbound data flows. Below is a summary of key aspects of the law.
Extra-Territorial Application of the PIPL
In addition to covering the processing of personal information carried out within the PRC, the PIPL also applies extraterritorially to the processing, outside the PRC, of personal information of natural persons located within the PRC, where such processing is undertaken under any of the following circumstances:
- for providing a product or service to natural persons located within China;
- for analyzing or assessing the behavior of natural persons located within China; or
- any other circumstance as provided by law or regulations.1
Therefore, under the PIPL, foreign companies (even those with no presence in China) that process personal information of individuals located within China are bound by the law and are required to establish a dedicated entity or appoint a designated representative in China to be responsible for handling related matters. The name and contact details of such local entity or representative must be provided to the relevant authority.2
Scope of Personal Information, Sensitive Personal Information, and Processor
Under the PIPL, personal information is defined as any information (such as video, voice or image data) relating to an identified or identifiable natural person, regardless of whether it is in electronic or any other form, but excluding anonymized information.3
For the first time, the PIPL introduces the concept of a "personal information processor", meaning an organization or individual that independently determines the purpose and method of processing personal information.4 "Personal information processing" is defined to include, but is not limited to, the collection, storage, use, processing, transmission, provision, disclosure and deletion of personal information.5
In addition to personal information as defined in the CSL, the PIPL defines "sensitive personal information" as personal information the leakage or illegal use of which could easily lead to the infringement of a natural person's personal dignity or to harm to personal or property safety.6 This is the first national law in the PRC that defines sensitive personal information and, more importantly, sets out specific obligations for processors handling such information.7
Legal Bases for Processing Personal Information
Since the release of the CSL, "notification and consent" has been the only legal basis for processing personal information. The PIPL, for the first time at the national law level, broadens the grounds for processing personal information by adding the following bases:
- where it is necessary to conclude or perform a contract or carry out human resources management;
- where it is necessary to perform statutory responsibilities or statutory obligations;
- where it is necessary to respond to a public health emergency or to protect an individual's interest or safety in an emergency;
- where it is necessary to carry out activities in the public interest;
- where the relevant personal information, which has either been disclosed by the relevant individual or otherwise been legally disclosed, is processed within a reasonable scope according to law; and
- other circumstances as provided by laws or administrative regulations.8
Moreover, the PIPL sets out detailed requirements for notification and consent. In particular, a personal information processor must obtain the individual's specific consent where: (a) sensitive personal information is processed; (b) personal information is provided by the processor to another processor; (c) personal information is disclosed publicly; or (d) personal information is transferred outside of China.9
How these provisions will be interpreted and enforced remains to be seen. For example, in the context of an internal investigation, if the investigation is assisted by the human resources department, does it fall within the human resources management basis? Further, does an intra-group transfer (e.g., from one group company to another) constitute a transfer to "another processor" that requires the individual's specific consent? Another grey area is the transfer of data from a portfolio company controlled by a private equity fund to the fund itself. In addition, it is not clear what circumstances fall within the legal bases of "emergency" and "individual's interest or safety". Multinational companies and financial sponsors will need to closely track the implementing regulations and rules issued under the PIPL for further guidance.
Obligations of Personal Information Processors
The PIPL sets forth a regulatory framework that imposes substantial obligations and responsibilities on all personal information processors, including:
- formulating internal management systems and operation procedures;
- implementing classified management of personal information;
- adopting corresponding technical security measures such as encryption and de-identification;
- reasonably determining the operational authorizations for personal information and providing regular security education and training for operational staff;
- formulating and implementing response plans for security incidents relating to personal information;
- conducting regular compliance audits; and
- adopting other security measures as stipulated by laws and regulations.
A personal information processor that provides an important Internet platform service, has a large user base and/or operates complex types of businesses is further required to build a robust data compliance program (including a personal information protection compliance policy) and to establish an independent body, composed mainly of external members, to supervise its implementation. Such processors must also monitor the product or service providers on their platform and stop providing services to those that seriously violate laws or administrative regulations in their processing activities.10 However, it is unclear how many users constitute a "large user base" or how the complexity of business types is to be determined.
Joint Processing and Entrusted Processing
The PIPL also stipulates specific obligations for special processing activities, including joint processing and entrusted processing.
- Joint Processing. The PIPL provides that where two or more processors jointly determine the purpose and method with respect to processing personal information, their respective rights and obligations shall be agreed upon. The law imposes joint and several liability on joint processors if the joint processing activities infringe upon personal information rights and interests and result in damages.11
- Entrusted Processing. Where a processor entrusts a third party to process personal information, under the PIPL: (a) the processor must supervise the processing activities of that third party; and (b) the entrusted third party must take the necessary measures to protect personal information in accordance with the PIPL and assist the processor in complying with the law.12 Without the consent of the processor, the entrusted party is prohibited from re-entrusting others to process the personal information.13 The law does not appear to specify whether joint and several liability arises in the event of a violation by either party.
Such requirements warrant special attention, as in practice, companies may from time to time work with or engage third parties to conduct processing activities.
Requirements on Data Localization and Cross-Border Transfer of Personal Information
In line with the CSL and the DSL, the PIPL also requires Critical Information Infrastructure operators, as well as processors whose processing of personal information reaches a volume threshold (which the PIPL itself does not specify, leaving it to the CAC), to store within the territory of China the personal information they collect and generate within China. Where a cross-border transfer of such personal information is indeed necessary, the transfer must pass a security assessment organized by the Cyberspace Administration of China ("CAC").14
Other personal information processors may conduct cross-border transfer of personal information upon satisfying one of the following requirements: (a) passing the security assessment by the CAC; (b) obtaining certification of data security by a professional body recognized by the CAC; (c) entering into an agreement with the overseas recipient with provisions governing the rights and obligations of the parties based on a template contract to be released by the CAC; or (d) other requirements as provided by relevant laws and regulations.15
Penalties and Liabilities
The PIPL imposes enhanced penalties for violations of the law, which may lead to an administrative fine of up to RMB 50 million or 5% of the processor's turnover in the preceding year, confiscation of illegal gains, suspension of business for rectification, or revocation of operating permits or business licenses.16 The person in charge or other directly liable individuals may also be held liable and fined up to RMB 1 million. Such individuals may further be prohibited from serving as a director, supervisor, senior manager or personal information protection officer for a stipulated period.17
The PIPL also imposes tortious liability on processors that infringe upon personal information rights and interests. To facilitate damage claims, the PIPL places the burden of proof on the defendant processor in a civil action: the processor is liable unless it can prove it was not at fault.18 Where such infringement affects a large number of individuals, the People's Procuratorate, consumer organizations prescribed by law and organizations designated by the CAC may bring public interest lawsuits against the processor.19
1 The PIPL, Art. 3.
2 The PIPL, Art. 53.
3 The PIPL, Art. 4.
4 The PIPL, Art. 73.
5 The PIPL, Art. 4.
6 The PIPL, Art. 28.
7 The PIPL, Art. 29, 30, 32, 55.
8 The PIPL, Art. 13.
9 The PIPL, Art. 23, 25, 29, 39.
10 The PIPL, Art. 58.
11 The PIPL, Art. 20.
12 The PIPL, Art. 21, 59.
13 The PIPL, Art. 21.
14 The PIPL, Art. 40. Please note that the security assessment may be waived as provided by laws, administrative regulations or cybersecurity authority.
15 The PIPL, Art. 38.
16 The PIPL, Art. 66.
18 The PIPL, Art. 69.
19 The PIPL, Art. 70.
Michael Li (White & Case, Associate, Hong Kong) and Xue Feng (White & Case, Legal Consultant, Beijing) contributed to the development of this publication.