On October 21, 2020, China released the first draft of the Personal Information Protection Law (hereinafter the “PIPL” or “Draft”) for public comments. The PIPL is regarded as the “Chinese GDPR” and is widely believed to have significant influence on the business operations of many industries, especially digital business. To help multinational corporations better understand the PIPL and be well prepared for the coming new era of data protection in China, we will prepare 14 thematic articles on various topics to guide compliance under the PIPL from a practical perspective.
In the PIPL, Articles 1 to 4 specify the scope of application, including natural persons as the protected subjects, the definition of personal information, and the territorial scope of the law.
I. Protected subjects: Natural persons
As one of the most important statutes in force on personal information protection, the Cybersecurity Law of China (“CSL”) does not adopt the concept of natural person to define the protected subjects. Instead, the CSL uses terms including “individuals”, “users”, and “persons whose data is collected” and declares “protecting the legitimate interests of citizens” as part of its legislative purpose (Article 1). Therefore, it is not clear under the CSL whether the personal information of foreign nationals in China is also protected.
Article 2 of the PIPL explicitly provides that “personal information of natural persons is protected by the law”. This provision aligns with the Civil Code of China, which takes effect in January 2021. By defining the protected subjects in this way, the PIPL will extend protection beyond Chinese citizens to cover foreign nationals in China.
II. Definition of personal information
A. “Identified”, “associated”, and the New Approach
Generally speaking, there are two approaches to defining personal information under Chinese laws: the “identified” approach and the “associated” approach. The Cybersecurity Law and the Civil Code both adopt the “identified” approach and consider personal information to be information that “can identify a natural person directly or in combination with other information”. However, the judicial interpretation of the Criminal Law on “crimes of infringing on citizens' personal information” and the national standard Personal Information Security Specification (GB/T 35273-2020) both also include information that is “associated with activities of specific natural persons” within the scope of personal information.
The PIPL goes beyond the above two approaches and borrows language from the EU GDPR to define personal information as “all information related to identified or identifiable natural persons”, which seems to be a broader definition than all the current ones. Unlike the GDPR, however, the PIPL does not further explain what an identifiable natural person is.
B. Exception: Anonymized information
Article 4 of the PIPL explicitly stipulates that personal information does not include anonymized information. Anonymization is defined by Article 69 as “the process of personal information undergoing handling to make it impossible to identify specific natural persons and impossible to restore”. Similar to the GDPR, the PIPL also distinguishes de-identified (pseudonymized) information from anonymized information, and de-identified information still falls under the category of personal information.
III. Territorial scope
The most notable provision of the PIPL is probably Article 3 on the territorial scope, which extends the application of the PIPL beyond the processing of personal information in China to processing outside China, subject to specific conditions.
A. Processing in China
Similar to the “establishment” threshold under the GDPR, the PIPL applies to “processing activities of personal information of natural persons conducted by organizations and individuals within the territory of China.” (Article 3) In other words, regardless of whether the personal information being processed belongs to Chinese or foreign natural persons, as long as the “processing” is within China, it is subject to PIPL regulation. We understand that this can refer to the processing conducted by a controller or a processor in China.
B. Extraterritorial effect
The PIPL also applies to the processing of personal information outside China where (1) it is for the purpose of providing products and services to natural persons in China; or (2) it is for analyzing/assessing the behavior of natural persons in China; or (3) such other circumstances as provided by laws and administrative regulations (unspecified in the PIPL) apply (Article 3).
Further questions then arise: what counts as being for the purpose of providing products or services to persons in China, and what constitutes analyzing or assessing the behavior of persons in China? A clear answer to these questions can be vital to the actual territorial scope of the PIPL. However, the PIPL does not provide the answers. In the next round of the review and deliberation procedure of the law, it is possible that the PIPL may borrow opinions from other Chinese rules, such as a national standard on data export, which considers scenarios including the use of Chinese language, acceptance of Chinese yuan for payment, and maintaining delivery to China as “providing products or service to China”. As one can see, it also echoes the regulatory perspective of the GDPR to some degree.
IV. Final remarks
As China's first omnibus law regulating the collection and processing of personal information, the PIPL is a big step forward in terms of the scope of application. Multinational corporations that collect personal information as part of their businesses in China but do not have a presence in the country will need to monitor the extraterritorial applicability provisions of the PIPL and prepare accordingly.
- See the Judicial Interpretation on Infringement of Personal Information in Criminal Cases (effective since June 1, 2017) released by China’s Supreme People’s Court (SPC) and the Supreme People’s Procuratorate (SPP).
- See the Information Security Technology - Guidelines for Data Cross-border Transfer Security Assessment (Draft for Comments) released by the National Information Security Standardization Technical Committee (TC260) on August 25, 2017.