The Background: In recent years, the People's Republic of China ("PRC") has implemented several significant laws governing the collection, storage, use, and transfer of data with a focus on protecting China's national security interests.
The Development: On August 20, 2021, China passed the Personal Information Protection Law ("PIPL"), which complements the recently enacted Data Security Law. The PIPL is the first comprehensive national law in China governing how organizations and individuals handle the personal information of individuals in China and imposes significant penalties for violations of the PIPL.
Looking Ahead: The PIPL will take effect on November 1, 2021. Due to its significant breadth, the PIPL will impact almost every business operating in or doing business with China, and companies should consider commencing an immediate review and assessment of their data processing activities to ensure compliance with the PIPL's requirements.
The PIPL imposes extensive obligations on organizations and individuals engaged in "handling" of personal information, which is defined to include "collection, storage, use, processing, transmission, provision, disclosure, deletion, etc." This Commentary highlights some of the most noteworthy provisions of the PIPL.
Key Rules and Definitions Regarding Handling Personal Information
Definition of Personal Information and Sensitive Personal Information. Personal information is defined broadly under the PIPL as all information related to identified or identifiable natural persons recorded by electronic or other forms. Furthermore, the PIPL makes a distinction between anonymized information, which does not constitute personal information, and de-identified information, which still constitutes personal information. Anonymization refers to the processing of personal information in a way that makes it impossible to identify natural persons and cannot be reversed. De-identification refers to the processing of personal information in a way that makes it impossible to identify certain natural persons without the use of additional information, which seems comparable to the concept of pseudonymization under the European Union's ("EU") General Data Protection Regulation ("GDPR").
Sensitive personal information ("SPI") is broadly defined as "any information that, once leaked or abused, could seriously endanger personal and property safety," and specific examples include biometrics, religious beliefs, medical health, financial accounts, individual location tracking, and information of minors under the age of 14.
Entities Covered by the PIPL. The weight of the obligations under the PIPL fall on organizations and individuals that independently determine the purposes and means for handling of personal information ("PI Handlers")—a concept similar to a data controller under the GDPR. PI Handlers can entrust the handling of personal information to a third party—which are akin to data processers under the GDPR—subject to an agreement that sets out the purpose, method, and other details regarding the personal information handling.
Consent and Other Legal Bases. One basis for handling of personal information under the PIPL is consent, which must be informed, voluntary, explicit, and capable of being revoked.
Distinct from the GDPR, the PIPL does not acknowledge the "legitimate interest" of the PI Handler or a third party as a legal basis for handling personal information. Instead, other bases for handling personal information include:
- Necessary for the conclusion or performance of a contract to which the individual concerned is a party, or to implement human resources management in accordance with labor policies and collective contracts legally formulated;
- Necessary to fulfill a statutory duty;
- Necessary to respond to public health emergencies or for the protection of the life, health, and property of a natural person;
- It is in the public interest, such as news reporting and public supervision;
- The personal information has been disclosed by individuals themselves or was otherwise legally disclosed, and the processing of such personal information is within a reasonable scope; and
- Under other circumstances specified by the PRC laws and administrative regulations.
Handling Sensitive Personal Information. The PIPL imposes stricter controls on the handling of SPI. PI Handlers may not process SPI without a specific purpose and unless there is a sufficient need to do so. PI Handlers shall, in addition to the general notice requirements, also notify individuals about why handling of their SPI is necessary and how it impacts their personal interests.
Extraterritorial Application. The PIPL applies not only to those handling personal information within China, but also applies to those handling personal information outside of China when the information is related to individuals inside China and is used for providing products or services to individuals in China, or analyzing the activities of such individuals. This legislative approach shows similarities with the GDPR's approach to extraterritorial application. When the PI Handler is outside China, it must establish a dedicated entity or appoint a representative within China to be responsible for matters relating to the handling of the personal information. This is another parallel to the GDPR, which requires the appointment of a representative by the controller or processor established outside of the EU.
Key Restrictions on Cross-Border Transfer of Personal Information
Restrictions on Cross-Border Transfers. Among the most important of the PIPL's restrictions for multinationals operating in China are those governing cross-border transfer of personal information. PI Handlers may only transfer personal information out of China with the informed consent of the individual, where necessary "for business purposes" and after completing a risk assessment. In addition to these requirements, at least one of the following conditions must also be satisfied:
- Passing a security assessment organized by the Cyberspace Administration of China ("CAC") as required for critical information infrastructure operators and PI Handlers that process a quantity of personal information equal to or exceeding the amount prescribed by the CAC;
- Obtaining a personal information protection certification by an organization authorized by the CAC;
- Concluding a contract with the foreign recipient based on a standard contract formulated by the CAC (the form of which has yet to be issued); or
- Other conditions provided in laws or administrative regulations or by the CAC.
PI Handlers must also ensure that all personal information transferred out of China shall be provided a level of protection that is at least equal to that required under the PIPL and domestic standards. It remains to be seen if the Chinese authorities will publish a white list or accede to the Asia-Pacific Economic Cooperation Cross-Border Privacy Rules or other similar cross-border transfer schemes.
Responding to Document Requests From Foreign Judicial and Enforcement Agencies. The PIPL further provides that PI Handlers must seek approval from competent Chinese authorities in connection with providing personal information stored in China to any foreign judicial or law enforcement authority. It is noteworthy that China's Data Security Law ("DSL"), which became effective as of September 1, 2021, contains a similar provision that restricts transfer of all data stored in China to foreign judicial or law authorities. Like the DSL, the PIPL currently does not set out additional details on the scope of this restriction, or the mechanics of approval.
Significant Penalties for Violations of the PIPL
The PIPL provides for significant financial penalties for violations, including fines of up to RMB 50 million (approximately US$ 7.7 million) or up to 5% of the PI Handlers' revenue of the previous year. The PIPL does not specify whether this is China-specific or worldwide turnover. Authorities may also suspend the violating entity's operations or business license. The enforcement risk may not be only theoretical. In July 2021, the CAC and other enforcement authorities initiated data security investigations against a major Chinese technology company for potential improper use of personal information. Although the investigation is still pending, authorities already have ordered the company to remove its apps from Chinese app stores. In August 2021, the CAC published a report listing 85 Chinese companies that were involved in improper use of personal information, and ordered those companies to make rectification within 15 days.
Additionally, individuals are granted both a number of rights under the PIPL (e.g., right to consult or copy, right to correct, right to delete, etc.) and a private cause of action under the PIPL to sue PI Handlers who infringe their rights. Where a PI Handler damages the interests of a large group of people (as yet undefined), Chinese authorities may initiate the equivalent of a civil prosecution against the PI Handler on behalf of the public.
Two Key Takeaways
- The PIPL applies to all data handling activities involving personal information within China, and also applies to activities outside China that affect individuals within China. In particular, the PIPL imposes extensive notice and consent requirements on companies that wish to handle personal information, and also imposes significant hurdles for companies that wish to engage in the cross-border transfer of personal information.
- Implementing regulations and further guidance concerning the PIPL are expected in due course, but in view of the November 1 effective date of the PIPL, companies should immediately start reviewing and assessing their data processing activities against the PIPL's requirements.