[co-author: Jingwen Hou]
On 20 August 2021, China’s National People’s Congress passed the Personal Information Protection Law (PIPL). The PIPL has a rapid timeframe for implementation, taking effect on 1 November 2021. The brief transition period will clearly be a challenge for organizations subject to the PIPL – the law represents a seismic shift in data protection regulation in China, and there will be much to do on very short timescales in order to achieve compliance.
Drawing extensively from the European Union's General Data Protection Regulation (GDPR), the PIPL is China’s first comprehensive personal data protection law. The PIPL, together with the Cyber Security Law (CSL) and the Data Security Law (DSL), defines China’s approach to regulating its cyberspace and digital economy. The PIPL was first published in draft form on 21 October 2020 (please see our previous briefing here), with a second draft following on 29 April 2021 (please see our previous briefing here). The final version of the PIPL is largely unchanged in overall structure and policy from the second draft.
In this briefing, we recap the key features of the PIPL. The key message is that the law will set a high bar for Chinese data protection, taking revocable consent as its principal basis for processing, introducing extraterritorial effect and restrictions on international data transfers and imposing revenue-based fines as the principal penalty for non-compliance.
Putting the PIPL in context, the law will put China in line with the accountability-driven approach to data protection compliance pioneered under the GDPR. Organizations will be expected to take a “top down” approach and implement firm-wide policies and procedures that fix standards for data management practices. There will be a stepping up of compliance overhead in areas such as consent management, privacy impact assessments and international data transfers. It is clear that the authorities will supplement the PIPL with more detailed administrative measures necessary to fill in key details. The Cyberspace Administration of China (CAC) is expected, for example, to issue standard contractual clauses for international data transfers. But given the shortness of time for implementation of the PIPL, it is difficult to see how compliant solutions will be in place for 1 November.
Set forth below is a summary of the key highlights under the PIPL, with notes on the important provisions introduced in the final draft.
Most of China’s existing laws regulating the use of data in China have a domestic focus. The PIPL tracks GDPR's extraterritorial application in cases where offshore data processing activities are (i) for the purpose of providing services or products to individuals in China, or (ii) for the purpose of analyzing or evaluating the activities of individuals in China. The PIPL also allows for further extensions of extraterritoriality where laws or administrative regulations so stipulate.
The immediate practical implication for multinational businesses processing personal data from offshore, i.e. an offshore Personal Information Processor (PI Processor), is that they must establish a dedicated body (e.g., an onshore entity) or appoint a representative in mainland China responsible for administering requirements under the law, and report the same to the authorities.
Regulation of cross-border transfers of personal data
The PIPL aims to resolve longstanding uncertainty as to the regulation of cross-border transfers of personal data from China.
The CSL, which took effect in June 2017, mandated localization of personal data and “important data” (data that raises national security or strategic sensitivities for the Chinese government, such as unpublished government data, geographic data or data concerning sensitive/strategic industries), but only for organizations designated as “operators of critical information infrastructure” (“OCII”), which, in very broad terms, means large-scale state-owned and private sector systems and networks of critical importance to China.
Draft implementing measures under the CSL raised concerns that “network operators” (essentially any organization operating ICT infrastructure in China) would also be subject to data transfer restrictions (albeit, perhaps not data localization). The uneasy status quo for a number of years has been one of concern that China would introduce broad based data localization.
The PIPL moves to resolve these uncertainties with respect to cross-border transfer of personal data, but in a way that multinational organizations will likely find challenging in practice.
Article 40 confirms that OCII are required to localize personal data in mainland China, save where a specific approval has been obtained in cases where international transfer is necessary. Article 40 also provides that PI Processors handling personal data exceeding as yet unpublished thresholds are also required to localize their personal data. It will be critical to understand the thresholds applicable under Article 40.
Articles 38 and 39 deal with international transfer restrictions more broadly. Article 39 requires data subjects’ “separate consent” to the transfer, which appears to mean an “unbundled”, revocable consent, and Article 38 separately requires the satisfaction of one of the following compliance measures:
- completion of a cyber security assessment by the CAC (applicable to PI Processors which are either an OCII or are processing a volume of data that meets or exceeds materiality thresholds yet to be set by the CAC);
- obtaining a certification by a third party professional institution;
- entering into an agreement between the Chinese data transferor and the offshore data recipient incorporating certain standard contractual clauses (“SCC”) to be formulated by the CAC; or
- meeting any other requirements specified by the laws, regulations or the CAC.
Additionally, PI Processors who are transferring personal data offshore are required to take necessary measures to ensure the processing activities of the offshore recipient will meet the protection standards set forth under the PIPL.
The combined effect of Articles 38 and 39 is a “consent plus” model for international transfers which is bound to raise significant practical challenges for multi-national businesses. If Chinese data subjects may revoke their consent to the transfer, then the business will likely need to have domestic Chinese data processing arrangements in place, even if the Article 38 measures have been satisfied.
We note that, at present, the CAC has not yet published the SCCs or the criteria for its cyber security assessments, nor established a third party certification framework.
Similar to Article 36 of the DSL, Article 41 of the PIPL introduces a requirement for official prior approval for the provision of personal information stored in China to foreign judicial or law enforcement agencies. The competent Chinese authority is required to respond to data requests by foreign judicial and law enforcement agencies in accordance with international treaties or agreements to which China is a party or based on the principle of equality and reciprocity. Such data shall not be provided without the approval of the competent Chinese authority. However, key terms in these provisions remain undefined, including who qualifies as a foreign “judicial or law enforcement” agency and which Chinese authority is competent to grant the approval. This provision creates challenges for Chinese companies that are subject to foreign governments’ sanctions, investigations, lawsuits or supervision.
Legal basis for processing of personal information
The PIPL takes consent as the principal basis for processing personal data, with limited specific exemptions including:
- the conclusion or performance of contracts with data subjects;
- as necessary to conduct human resources management in accordance with legally adopted employment regulations and rules and the collective employment contracts (this is an exemption added in the final draft of the PIPL);
- for the purpose of compliance with applicable laws;
- where necessary to respond to public health incidents and protect individual lives and health;
- conducting news reporting, public opinion supervision and other acts in the public interest “within a reasonable scope”;
- use of publicly available information “within a reasonable scope”; and
- other circumstances stipulated by laws and regulations.
There is also provision for notification (rather than consent) in the case of transfers of personal data in the context of mergers, acquisitions, and corporate restructurings.
Unlike GDPR and some other international reference points, there is no “legitimate interests” basis for processing and no explicit recognition of deemed or implied consent. Consent under the PIPL is revocable, although revocation does not affect processing that took place prior to the revocation. PI Processors are not permitted to refuse to provide products or services if the data subject withholds or withdraws his or her consent to non-essential processing.
Unlike the Shenzhen Data Regulation (please see our previous briefing here), which does not require “separate” or “unbundled” consent, the PIPL requires separate/unbundled consent in the following situations:
- the transfer of personal data by data controllers to third parties (Article 23);
- the publication of personal data (Article 25);
- the publication or provision of personal data collected by equipment installed in the public places for security purposes, such as personal images (Article 26);
- the processing of sensitive personal data (Article 29); and
- cross-border transfers of personal data (Article 39).
The PIPL does not offer further guidance on what constitutes a “separate/unbundled” consent. Pending further guidance or authoritative interpretation, the most obvious interpretation is that consent requires a separate written acknowledgement or empty checkbox that may be ticked to indicate consent for each item. It is clear that this requirement for separate/unbundled consent on such a broad basis will pose significant challenges for organizations, particularly for those active in the digital economy where data sharing is an essential component of the commercial internet.
Regulation of sensitive personal data
The PIPL broadly follows the Information Security Technology – Personal Information Security Specification (“Specification”) in defining "sensitive personal data" conceptually by reference to the possibility of the data subject suffering harm to dignity and personal or property security. This approach is to be contrasted with GDPR, which sets out a closed list of “special categories” of personal data receiving enhanced protection under the law. The PIPL does list biometric characteristics, religious beliefs, specially-designated status, medical health, financial accounts, individual location tracking, and the personal information of minors under the age of 14 as specific examples of sensitive personal data, but this is not an exhaustive list.
Largely unchanged from the second draft, the final PIPL subjects the processing of sensitive personal data to the following requirements:
- the processing is only allowed where there is a specific purpose and sufficient necessity to do so and strict protection measures are taken;
- a data subject must be informed of the necessity of the processing of his/her sensitive personal data and its implications;
- before processing sensitive personal data, the data controller must perform a personal information protection impact assessment; and
- as noted above, data controllers processing sensitive personal data must obtain a separate/unbundled consent from data subjects.
The PIPL requires PI Processors to take extensive organization-wide accountability measures similar to those mandated by GDPR.
PI Processors processing volumes of personal data exceeding officially-specified thresholds will be required to designate a data protection officer responsible for taking charge of personal data processing activities. The relevant thresholds are yet to be announced.
PI Processors are required to adopt a raft of measures directed at internal accountability, including:
- formulating internal management structures and operating rules;
- undertaking data classification exercises;
- adopting security measures (e.g., de-identification or encryption) to safeguard the personal data they process;
- regularly conducting security education and training for employees;
- formulating and implementing security incident response plans; and
- other measures specified by law.
Separately, PI Processors are required to carry out personal information protection impact assessments before conducting high-risk data processing activities, such as the processing of sensitive personal data and cross-border transfer of personal data.
The PIPL also sets out a number of data subject rights for which organizations will be required to implement procedures, in particular rights to access and receive copies of their personal data, to correct inaccurate or incomplete data, and to delete personal data which is no longer necessary for the purposes of collection, or where the data subject has withdrawn consent or processing is otherwise no longer lawful. There is also a right of data portability whereby data subjects may request the transfer of their personal data to a PI Processor they designate, subject to CAC regulations. Article 50 provides that PI Processors must establish convenient mechanisms to accept and handle data subject rights applications, and gives data subjects the right to appeal to the People’s Court where they believe their requests have been improperly rejected.
The PIPL also specifically addresses the engagement of data processors, requiring PI Processors to engage processors under agreements specifying the purpose, method of handling and time limit for the processing, the categories of personal data being processed and applicable security measures.
In summary, the PIPL envisages a significant step forward for organizations’ data protection accountability frameworks and policies.
Mandatory data breach notification obligation
The final PIPL requires organizations to immediately take remedial measures and notify relevant competent authorities and impacted individuals of potential or actual data leakage, distortion, or loss incidents. Notably, the scope of the notification obligation extends from cases of actual data leakage, distortion, or loss incidents to potential ones. Notifications are required to include:
- the information categories, causes, and possible harms caused by the leak, distortion, or loss that occurred or potentially may occur;
- the remedial measures taken by the PI Processor and measures that individuals can adopt to mitigate harms; and
- means of contacting the PI Processor.
The final PIPL confirms that PI Processors will not be required to notify breaches to individuals if remedial measures may be taken without harm being caused to individuals, unless personal information protection authorities direct otherwise.
It is notable, however, that unlike the current graded breach notification requirements under the CSL, there is no materiality threshold or specified time period for notifications under the PIPL.
Reinforced gatekeeper’s obligations for platform operators. The PIPL imposes special additional obligations on PI Processors having “complex business models” that involve the operation of “critical” internet platform services serving a “massive” number of users (no threshold number has been specified as yet). Such PI Processors are required to (i) establish and promote compliance structures and systems for personal information protection in accordance with the statutory provisions; (ii) establish an independent body to supervise compliance; (iii) decline to provide services to service providers on their platforms that violate laws in relation to personal data; and (iv) regularly publish social responsibility reports.
The rights of deceased persons. The PIPL provides that close relatives of a deceased person may exercise the rights to consult, copy, correct and delete, among others, the personal information of the deceased person for their own legitimate and rightful interests, unless the deceased person arranged otherwise during his or her lifetime.
Regulation of automated decision-making. The PIPL introduces controls on the use of personal information to conduct automated decision-making, in particular imposing requirements that such decision-making be non-discriminatory. PI Processors are required to provide data subjects with the means to understand automated decisions where they have a significant impact on their rights and interests and, in such cases, the PIPL requires that decisions not be made solely on an automated basis.
Significantly increased monetary fines and penalties. The final PIPL retains the high level of fines set out in its second draft, including fines of up to RMB 50,000,000 or 5% of the company's total turnover in the preceding year. In addition to facing fines of RMB 100,000 to 1,000,000, responsible individuals committing offences under the PIPL may be disqualified from acting as director, supervisor, executive manager, or data protection officer of relevant entities.
Our suggestions and recommendations
It goes without saying that the PIPL will present a significant compliance challenge for organizations, noting in particular that the grace period for implementation is only slightly more than 2 months. This is a very limited time period for PI Processors in China to adapt to the new rules, particularly in the absence of implementing measures and prescribed forms of documentation that are necessary to give specificity to a number of generally worded provisions of the law.
Prioritization of compliance efforts is critical, taking the accountability components of the requirements as the cornerstone for development of an effective compliance program directed at the various requirements. Here, there are learnings from GDPR to be applied, including: (i) a “data mapping” exercise, surveying the organization’s personal data holdings to understand what personal information it collects and how personal information is used, stored, processed, transferred and disclosed; (ii) reviewing current policies and practices, including but not limited to, privacy policies, consent collection mechanisms, cross-border transfer processes, data breach reporting policies, personal rights response policies, extraterritorial application; and (iii) identifying and remediating gaps.
For some organizations, there may be existing compliance measures in place that meet PIPL requirements, with or without adjustment.
For others, industry regulators may have specific direction on how PIPL measures should be met.
Whatever the organization’s specific context, there is clearly work to be done. As China moves to introduce data accountability as an organizational practice it is clear that the journey has only just begun.
Flora Feng, a paralegal in our Beijing office, contributed to this post.