On April 29, 2021, China released the second draft of the Personal Information Protection Law (hereinafter the “PIPL” or “Draft”) for public comments, which replaced the first draft issued in October 2020. The PIPL is regarded as the “Chinese GDPR” and is widely believed to have significant influence on the development of many industries, especially digital business. To help multinational corporations better understand the PIPL and be well prepared for the coming new era of data protection in China, we will prepare 15 thematic articles on various topics to guide compliance under the PIPL from a practical perspective.
In this PIPL update, we address the legal liabilities authorities may impose on organisations that are non-compliant with the PIPL. Among them, the most eye-catching may be the highest fine of up to 5% of a company’s annual turnover, which is even higher than the 4% limitation under the GDPR.
Generally, the legal liabilities under the PIPL include several levels and typically there are administrative, civil, and criminal liabilities. These liabilities may target a company as well as certain individuals of an organisation. For administrative liabilities, judicial remedies are available and administrative litigations against the authority can be brought to the court. In addition, the PIPL also stipulates that violations of this law may be recorded in credit files of an organisation and made public, which may also bring negative impact to corporate development and reputation.
I. Two levels of administrative liabilities
Article 65 stipulates two levels of administrative liabilities under the PIPL, that is, liabilities of general violations and of serious circumstances. First, where personal information is processed in violation of this Law, or the personal information is processed without adopting necessary security protection measures in accordance with the provisions, the authorities performing personal information protection duties shall:
- Order corrections;
- Issue warnings;
- Confiscate illegal incomes;
- Impose a fine of not more than 1 million CNY on those who refuse to make corrections; and
- Impose a fine of not less than 10,000 CNY but not more than 100,000 CNY on the directly responsible person in charge and other directly responsible persons.
Second, where the violations are in serious circumstances, the authorities shall:
- Order corrections;
- Confiscate illegal incomes; and
- Impose a fine of not more than 50 million CNY or 5% of the annual turnover of the prior year.
For these serious violations, the authorities may also impose the suspension of relevant business activities, cessation of business for rectification, and report to the relevant competent agency for cancellation of corresponding professional licenses or business permits. The directly responsible persons in charge and other directly responsible persons shall be subject to a fine of not less than 100,000 CNY but not more than 1 million CNY.
In addition, Article 70 also connects the PIPL with the Law on Administrative Penalties for Public Security and stipulates that PIPL violations constituting breach of public security rules shall also bear corresponding administrative liabilities. For example, infringing one’s privacy through snooping, secret photography, eavesdropping or other means could be subject to administrative detention of up to 10 days and a fine of up to 500 CNY.
II. Civil liabilities
The PIPL provides a specific clause on an individual’s right to seek compensation for a personal information controller’s infringement (Article 68). It sets out the standard of “presumptive fault”, which means that a personal information controller shall be liable for the damage caused by processing personal information unless it can prove it is not at fault. This clause would relieve the plaintiff’s burden of proof in a civil action against the controller and facilitate damage claims.
Article 68 also provides that such liability is based on the losses suffered by the individual or the benefits obtained by the personal information controller. Where it is difficult to determine the losses suffered by the individual or the benefits obtained by the controller, the amount of compensation shall be decided based on the actual situation.
The PIPL also includes Article 69, which recognizes public interest litigation based on personal information infringement; in practice, such litigation has been an important way of pursuing unlawful processing activities and collecting meaningful compensation.
Our 15th topic of the updates will discuss damage claims in civil actions under the PIPL in more detail.
III. Criminal liabilities
Article 70 links the PIPL to the Criminal Law and stipulates that where a violation of this law constitutes a crime, criminal liability shall be pursued. For example, if an organization or individual provides personal information to a third party in an illegal manner, this may also constitute a crime of “infringing on citizens' personal information”. Article 253 of the Criminal Law (amended in 2020) imposes criminal sanctions on anyone who, in violation of relevant State rules, sells or discloses the personal information of third parties. The sanctions imposed by the Criminal Law vary depending on the seriousness of the circumstances of the violation and may be up to 7 years imprisonment plus a fine.
In addition, Article 286 of the Criminal Law stipulates the "crime of refusal to perform cybersecurity obligations": network service providers that fail to perform information network security management obligations and refuse to make corrections in specific circumstances (such as causing a breach of users’ information) will be sentenced to imprisonment of not more than 3 years and/or a fine.
IV. Other legal consequence: negative impact on corporate credit records
Like several other laws related to corporate compliance, the PIPL provides that violations of this law will be recorded in the credit file and made public (Article 66). As China’s credit system continues to improve, violation records in credit files can have a negative impact on corporate development and reputation.
V. Judicial remedies
Under China’s administrative litigation regime, organizations and individuals have the right to bring a lawsuit in the court against administrative penalties made by the authority, such as decisions on revocation of business permits and licenses, suspension of business operations, confiscation of illegal income and illegal properties, fines, warnings, and so on. Depending on the complexity of the issues and the levels of the authorities involved, administrative litigations may be under the jurisdiction of the various levels of the courts, from a court at the primary level to the Supreme People's Court of China.
Note: After April 29, 2021, our alerts will be based on the second draft of the Personal Information Protection Law. Alerts released before April 29 referred to the first draft.