As the world continues to work from home in the wake of COVID-19 and companies lean on online technologies to conduct their businesses and service their customers, China (home to the most online users in the world) is one of the latest countries to pass a new omnibus privacy law. Effective November 1, 2021, despite numerous yet-to-be-defined elements, the Personal Information Protection Law (PIPL)[1] is China’s first comprehensive law designed to regulate online data and protect personal information.
China’s new Data Security Law (DSL) also went into effect earlier this year, on September 1, 2021. The DSL applies to a wide range of data processing activities including but not limited to processing personal information. With extraterritorial scope and severe fines and penalties, these laws are set to impose an increasingly complex and comprehensive legal framework for doing business in China that involves processing personal information.
The PIPL is enforced and administered by the Cyberspace Administration of China and relevant state and local government departments. The law draws from the European Union’s General Data Protection Regulation (GDPR) with heavy penalties up to the greater of 5% of the previous year’s revenue (possibly global) or $7.7 million. The PIPL consists of over 70 articles spanning eight chapters. Read the full (unofficial) translation of the text. Our takeaways and a summary of key provisions of the law are below.
Given the broad scope, extraterritorial application and potential for substantial fines, organizations that process personal information within China should assess their PIPL compliance obligations, which could include:
- Adjusting public-facing documentation like privacy policies and data subject rights request procedures
- Implementing the forthcoming standard contractual clauses in contracts involving personal information that is transferred outside China
- Implementing consent mechanisms, including multiple layers of consent for certain processing activities or transfers (e.g., transferring personal information outside of the PRC or to another personal information processor)
- Adding PIPL data breach notification requirements to incident response plans
Data mapping and other exercises related to compliance with the GDPR, CCPA and other regulations can likely be repurposed to make PIPL compliance less onerous, although some customization will be needed. Overall, PIPL compliance efforts will likely remain a work in progress given the uncertainty posed by interpretations and enforcement of the lengthy new law. As with the CCPA and GDPR, clients should continue to monitor amendments to the PIPL itself, its implementing regulations and relevant enforcement actions, and adjust their practices accordingly.
Who must comply with the PIPL?
Like the GDPR, the PIPL is intended to impose extraterritorial jurisdiction, and arguably covers any company or individual that processes the personal information of individuals in China (regardless of the individual’s nationality or residency).[2] Additionally, the PIPL requires personal information processors located outside of China to establish entities or appoint representatives in charge of personal information within China.[3] Furthermore, and similar to the data protection officer concept under the GDPR, processors of personal information that meet certain, undefined thresholds are required to designate and publish the contact information of an individual in charge of processing and protecting personal information.[4]
Does the PIPL differentiate between ‘controllers’ and ‘processors’ of personal information?
In a designation that is sure to cause some confusion, under the PIPL, “personal information processors” are akin to “controllers” and “entrusted parties” are similar to “processors” under the GDPR. Personal information processors assume both liability and compliance requirements under the PIPL. Meanwhile, joint personal information processors must enter into an agreement which designates the specific rights and obligations for each personal information processor and indicates that joint personal information processors are jointly liable.[5]
Additionally, if the processing of personal information is performed by an entrusted party (e.g., a processor under GDPR) on behalf of a personal information processor, the parties must enter into an agreement that specifically designates the purpose, method, categories, protection, rights and duties of processing of personal information.[6] The data processing agreement must include the following:
- A prohibition against the entrusted party processing personal information outside the agreement
- Terms requiring the entrusted party to return or delete personal information upon completion, revocation or expiration of the agreement
- Provisions requiring the entrusted party to obtain consent of the personal information processor prior to allowing a sub-processor to process personal information
What type of data is covered under the PIPL?
Like the CCPA and GDPR, the PIPL defines personal information as:
…various kinds of information related to identified or identifiable natural persons recorded by electronic or other means, excluding the information processed anonymously.[7]
Like the CCPA (as modified by the CPRA) and GDPR, the PIPL ambiguously defines “sensitive personal information”:
Sensitive personal information refers to the personal information that can easily lead to the infringement of the personal dignity of natural persons or the harm of personal or property safety once leaked or illegally used, including such information as biometrics, religious belief, specific identities, medical health, financial accounts, and whereabouts, and the personal information of minors under the age of 14.[8]
Sensitive personal information is subject to additional requirements for processing such as 1) identifying a specific purpose and sufficient necessity for the processing, 2) providing notice to the individual of the impacts the processing will have on the individual’s rights and interests, 3) requiring the use of “strict protective measures” (undefined as of yet), 4) conducting a privacy impact assessment and creating a record of processing, and 5) obtaining individual consent for the processing (and possibly written consent where required by yet-to-be-published regulations). The PIPL also instructs the Cyberspace Administration of China to formulate special personal information protection rules and standards for sensitive personal information processing.[9]
What are the legal bases available for data processing under the PIPL?
Under the PIPL, personal information processors may only process personal information where:
- Consent of the individual has been obtained, which must be informed, voluntary, and explicit (thresholds not yet defined), subject to the following:[10]
  - If the purpose, method or categories for processing information change, new consent must be obtained
  - Individuals must have the ability to withdraw consent by “convenient means” (not yet defined)
  - The provision of products or services cannot be conditioned on the basis of consent, unless the information being collected is necessary for providing the products or services (which appears to reflect the concept of “freely given” consent under the GDPR)
  - Parental/guardian consent is necessary if the processing involves personal information of a minor below the age of 14[11]
- Necessary for the conclusion or performance of a contract to which the individual is a party, or to implement human resources management in accordance with labor rules and regulations formulated according to law and collective contracts concluded according to law
- Necessary for the fulfillment of statutory duties or obligations
- Necessary for coping with public health emergencies or for the protection of an individual’s life, health or property
- Such acts as news reporting and supervision by public opinions are carried out for the public interest, and the processing of personal information is within a reasonable scope
- The personal information has already been disclosed by the individual themselves or other legally disclosed personal information is processed within a reasonable scope in accordance with the provisions of this law
- Other circumstances as provided by Chinese laws and regulations
Notably, the PIPL indicates that individual consent is the default legal basis for processing unless one of the other legal bases applies. Also noteworthy is the absence of a “legitimate interest” processing basis as is available under the GDPR, which has been used by many EU data controllers as a more flexible means of establishing a legal basis for processing. However, it is still possible that Chinese authorities could expand the available legal processing bases via regulation.
What types of notice are required under the PIPL?
Privacy notice – prior to processing of personal information, a personal information processor must truthfully, accurately and completely inform individuals in an “eye-catching manner with clear and understandable language” of the following:[12]
- The name and contact method of the personal information processor
- The purpose and method of processing personal information, and the type and retention period of processed personal information
- Methods and procedure for individuals to exercise the rights provided under the PIPL
- Other items that laws or administrative regulations provide shall be notified
Additionally, individuals must be notified of any changes to these key data processing elements.
Notice for consent purposes[13] – where the legal basis for processing of personal information is consent, personal information processors must provide robust notice, in clear and easy to understand language, before processing personal information.
Notice of personal information transfers for business transactions[14] – where a personal information processor transfers personal information during a business transaction, it must inform individuals of the name and contact information of the recipient.
Notice for transfers of personal information to another personal information processor[15] – if a personal information processor transfers personal information to another personal information processor, it must perform the following:
- Notify the individual of the name and contact information of the new personal information processor
- Notify the individual of the purpose and method of processing as well as the type of personal information being processed by the new personal information processor
- Obtain separate consent for this new processing
The new personal information processor must also adhere to the original scope of the method, purpose and type of personal information communicated to the individual or obtain new consent.
What individual rights does the PIPL provide?
The PIPL creates specific rights for individuals with respect to the processing of their personal information, including the right to:[16]
- Know, decide on, and limit or object to processing personal information by others
- Access and copy (including transfer) their information from personal information processors
- Request correction or completion of their personal information
- Request deletion in certain circumstances or withdraw consent
Personal information processors must establish a convenient, but undefined, mechanism for individuals to exercise these rights.[17] Notably, relatives of a deceased natural person may, for their own lawful and legitimate interests, access, copy, correct and delete the personal information of the deceased.[18]
Does the PIPL require data privacy impact assessments?
Personal information processors/controllers must conduct (and keep for three years) personal information protection impact assessments (PIPIAs) for certain personal information processing, including: 1) processing sensitive personal information, 2) using personal information to make automated decisions, 3) entrusting others to process or otherwise share or disclose personal information, 4) transferring personal information overseas, and 5) other processing activities that significantly impact an individual’s rights and interests.[19]
PIPIAs must include a determination of:[20]
- Whether the purpose and method of processing personal information are legitimate, justifiable and necessary
- The impact on individuals’ rights and interests and the security risks
- Whether the security protection measures taken are legitimate, effective and appropriate to the degree of risks
Does the PIPL (or other Chinese data protection laws) impose data localization and/or restrict cross-border data transfers?
In addition to providing notice of the transfer to relevant individuals and obtaining consent,[21] personal information processors must meet one of the following conditions before transferring personal information outside of China:[22]
- Pass a security assessment organized by the Cyberspace Administration of China
- Obtain a certification issued by an organization authorized by the Cyberspace Administration of China
- Sign a cross-border data transfer agreement with the overseas data receiver(s) according to the standard contract formulated by the Cyberspace Administration of China, specifying the rights and obligations of both parties
- Another mechanism that may be provided for by other laws and regulations
Without elaboration, the PIPL requires personal information processors to take necessary measures to ensure that the processing of personal information by overseas recipients meets the personal information protection standards stipulated under the PIPL.[23]
Personal information processors must also obtain individual consent for the cross-border transfers after informing individuals of: 1) the contact information of the overseas recipient of their personal information, 2) the purposes, method and type of personal information being transferred overseas, and 3) the procedures for exercising their rights under the PIPL regarding that data.[24]
1. Please note that this blogpost was based on an unofficial English translation of the PIPL.
2. Article 3.
3. Article 53.
4. Article 52.
5. Article 20.
6. Article 21.
7. Article 4.
8. Article 28.
9. Article 28, Article 29, Article 30, Article 31, Article 32.
10. Article 14.
11. Article 31.
12. Article 17.
13. Article 14.
14. Article 22.
15. Article 23.
16. Chapter IV Rights of Individuals in Activities of Processing Personal Information.
17. Article 50.
18. Article 49.
19. Article 55.
20. Article 56.
21. Article 39.
22. Article 38.
23. Article 38.
24. Article 39.