On April 29, 2021, China released the second draft of the Personal Information Protection Law (hereinafter the “PIPL” or “Draft”) for public comments, which replaced the first draft issued in October 2020. The PIPL is regarded as the “Chinese GDPR” and is widely expected to have a significant influence on the development of many industries, especially digital businesses. To help multinational corporations better understand the PIPL and be well prepared for the coming new era of data protection in China, we will prepare 15 thematic articles on various topics to guide compliance with the PIPL from a practical perspective.
Distinguishing the requirements imposed on the controller and on the processor of personal information/data is a major part of many data privacy laws around the world, including the PIPL. Similar to the GDPR, the PIPL imposes most personal information protection obligations on the controller, that is, the “personal information handler” in the PIPL’s language. The handler shall follow a series of processing principles and adopt organizational, technical, and other measures to protect personal information. As required by the PIPL, the handler should also abide by specific rules when it engages with a joint handler, a processor, or other handlers.
I. “Handler” means controller
Compared with the GDPR and the data privacy laws of some other jurisdictions, the term “personal information handler” in the PIPL seems unique. In fact, despite the different wording, the role of the personal information handler can be understood as that of the personal information controller under the GDPR. Article 72 of the PIPL defines a “handler” as organizations and individuals that independently determine the processing purpose, method, and other matters of personal information processing.
Although this may seem inconsistent with the common discourse of data privacy, the PIPL is in fact consistent with the Civil Code, which came into effect in early 2021 and likewise does not adopt the term “controller” but only the concept of “handler”. To avoid confusion, readers of this article should bear in mind that under the PIPL a handler means a controller.
II. Obligations of handler
First, and above all the substantive obligations, Articles 5 and 6 stipulate several general principles of personal information processing, including the principles of legitimacy, fairness, necessity, openness and transparency, and accuracy. Specifically, the PIPL requires that personal information shall be processed in a legal and legitimate manner and in line with the principle of good faith, and shall not be processed in a fraudulent or misleading way. The purpose of processing shall be clear, reasonable, and limited to the minimum scope necessary.
Second, the handler must have a lawful basis for processing personal information, such as consent, necessity for entering into or performing a contract, performance of statutory duties, or response to emergencies (Article 13).
Third, the retention period of personal information should be kept to a minimum. Article 20 of the PIPL stipulates that the retention period should be the shortest time necessary for achieving the purpose of processing. However, if laws and regulations contain separate provisions on retention periods, such provisions shall prevail.
Fourth, the handler is obligated to protect the rights of personal information subjects, including the right to be informed, the right to access and copy, the right to decide, the right to correction, the right to erasure, the right to portability, the right to withdraw consent, the right to refuse automated decision-making, and the right to restrict or refuse processing by other parties (Articles 16 and 44-48). A mechanism to respond to individuals’ rights requests should also be established (Article 50).
In addition to the aforementioned obligations on the handler across various Chapters of the PIPL, Chapter V also specifically provides other obligations that the handler should comply with, including organizational, technical, and other measures. These obligations are summarized below.
- Internal management policy and protocol
- Data classification
- Encryption and pseudonymization
- Access control
- Employee training
- Incident response
- Appoint a person in charge of personal information protection (“DPO”)
- Disclose the name and contact of the DPO
Appointment of Representative
- A handler outside China shall appoint a specialized agency or a representative within China
- Notification to authority
- Risk assessment for specific personal information processing activities
Data Breach Response
- Immediate mitigation measures
- Notification to authority and individuals
“Doorkeeper” obligations of Internet giants
- Independent committee
- Stop providing service to operators infringing personal information
- Social responsibility reports
III. Engaging with other parties
1. Joint Handlers
Though joint handlers are not explicitly defined by the PIPL, Article 21 provides that if two or more personal information handlers jointly decide on the purpose and method of personal information processing, they shall agree on their respective rights and obligations; such an agreement, however, shall not affect the right of an individual to exercise his or her rights under the PIPL against any of the handlers. If joint handlers infringe upon the rights and interests of individuals, they shall bear joint and several liability.
2. Handler-processor relationship
As mentioned above, the handler assumes most obligations of personal information protection under the PIPL. This is typically the case in the handler-processor relationship. The handler needs to take measures to clarify the purpose, method, types of personal information, protection measures, and the rights and obligations of both parties, and to supervise the processing activities of the processor (Article 22).
The processor shall process personal information in accordance with the agreement and shall not go beyond the agreed processing purpose, method, etc. The processor shall also “return” the personal information to the handler or delete it after the contract is fulfilled or the entrusted relationship is terminated (Article 22). Without the consent of the handler, the processor shall not delegate the processing of personal information to a third party (Article 22).
3. Handler-handler relationship
As a common practice, personal information may be shared between independent handlers. Under the PIPL, if a handler provides personal information to a third party, it shall inform individuals of the third party’s identity, contact information, purpose, method, and types of personal information to be processed, and obtain the individual’s specific consent (Article 24). The third party, as another handler, will need to stay within such scope of processing purpose, method, types of personal information, etc. If the third party changes the original processing purpose or method, it shall inform the individuals and re-obtain their consent (Article 24).
IV. Other observations
In terms of the handler and processor, although the PIPL is similar to the GDPR in many respects, there are still unclear issues to be clarified. For example, in determining who is the handler, how should “determining” the purpose and method of processing personal information be evaluated, and what degree of autonomy does it require? This can be vital for assessing whether a parent company and its subsidiary are independent handlers or joint handlers. We hope that the PIPL will provide clearer guidance in the subsequent legislative process or through the promulgation of supporting regulations.
- For the purpose of this article only, we use the term “personal information handler” to reflect the PIPL’s original terminology. In the remaining articles of this series, we will use “controller” and “processor” in line with the GDPR.