On August 20, 2021, the Standing Committee of the National People's Congress of the People's Republic of China ("PRC") passed the Personal Information Protection Law ("PIPL"), which will come into effect on November 1, 2021.
The PIPL will work together with the Cybersecurity Law ("CSL") and the Data Security Law ("DSL") to establish a broader regulatory architecture governing cybersecurity and data privacy protection in China. Once effective, this new law will have a significant impact on the data compliance practices of both domestic and multinational companies to the extent they process or use the personal information of individuals located within China.
As the first comprehensive legislation on personal information protection in China, the PIPL specifies the scope of personal information; clarifies the legal bases for processing personal information; lays down the obligations and responsibilities imposed on processors; and imposes stringent requirements on data localization, safeguarding the interest of China in the case of cross-border transfer of personal information. Below is a summary of key aspects of the law.
In addition to covering the processing of personal information by processors carried out within the PRC, the PIPL also has extraterritorial application to the processing of personal information of people located within the PRC, where such processing is undertaken outside the PRC under any of the following circumstances:
Therefore, under the PIPL, foreign companies (even those with no presence in China) engaging in the processing of personal information of individuals located within China are bound by the law, and are required to establish a dedicated entity or appoint an agent or designated representative in China to be responsible for handling related matters. The name and contact details of such local agent or representative will need to be provided to the relevant authority.2
Under the PIPL, personal information is defined to encompass any information (such as video, voice, or image data) relating to an identified or identifiable natural person, regardless of whether it is in electronic or any other form, but excluding anonymized information.3
For the first time, the PIPL puts forward the concept of a "personal information processor", referring to organizations and individuals who independently decide the purpose and method of processing personal information.4 "Personal information processing" is defined to include, but is not limited to, the collection, storage, use, processing, transmission, provision, disclosure, and deletion of personal information.5
In addition to personal information as defined in the CSL, the PIPL defines "sensitive personal information" as the personal information of which the leakage or illegal use could easily lead to the violation of the personal dignity of a natural person or harm to personal or property safety.6 This is the first national law in the PRC that defines sensitive personal information and, more importantly, sets out relevant obligations on processors handling such information.7
Since the release of the CSL, "notification and consent" has long been the only legal basis for processing personal information. The PIPL, for the first time at the national law level, broadens the grounds for processing personal information by adding the following bases:
Moreover, the PIPL sets out detailed requirements for notification and consent. In particular, a personal information processor must obtain specific consent from the individual involved where: (a) sensitive personal information is processed; (b) the personal information is provided by the processor to another processor; (c) the personal information processed is disclosed publicly; or (d) the personal information is transferred outside of China.9
How these provisions will be interpreted and enforced remains to be seen. For example, in the context of an internal investigation, if such investigation is assisted by the human resources department, does it fall within the human resources management exemption? Further, does an intra-group transfer (e.g., from one group company to another) constitute a transfer to "another processor" that may require specific consent from the individual involved? Another grey area is the transfer of data from a portfolio company controlled by a private equity fund to the fund itself. In addition, it is not clear what circumstances may fall within the legal bases of "emergency" and "individual's interest or safety". Multinational companies and financial sponsors will need to closely track the relevant regulations and implementation rules of the PIPL for further guidance.
The PIPL sets forth a regulatory framework that imposes substantial obligations and responsibilities on all personal information processors, including:
A personal information processor that provides an important Internet platform service, has a large user base and/or operates complex types of businesses is further required to build a robust data compliance program (including preparing a personal information protection compliance policy) and to establish or appoint an independent body to supervise its implementation. Such processors must also actively monitor the conduct of the service or product providers on their platform who may violate any laws or administrative regulations in conducting processing activities.10 However, it is unclear how many users constitute a "large user base" or how the complexity of business types is to be determined.
The PIPL also stipulates specific obligations for special processing activities, including joint processing and entrusted processing.
Such requirements warrant special attention, as in practice companies may from time to time work with or engage third parties to conduct processing activities.
In line with the CSL and the DSL, the PIPL also requires that critical information infrastructure operators, as well as processors who process personal information reaching a certain threshold (which the PIPL does not specify), must store personal information within the territory of China. Where cross-border transfer of personal information is indeed necessary, such transfer must pass a security assessment administered by the Cyberspace Administration of China ("CAC") and other enforcement authorities.14
Other personal information processors may conduct cross-border transfer of personal information upon satisfying one of the following requirements: (a) passing the security assessment by the CAC; (b) obtaining certification of data security by a professional body recognized by the CAC; (c) entering into an agreement with the overseas recipient with provisions governing the rights and obligations of the parties based on a template contract to be released by the CAC; or (d) other requirements as provided by relevant laws and regulations.15
The PIPL imposes enhanced penalties for violations of the law, which may lead to an administrative fine of up to RMB 50 million or 5% of the processor's turnover in the preceding year, confiscation of illegal gains, suspension of operations for rectification, or revocation of operating permits or business licenses.16 The person in charge or other directly liable individuals may also be held liable and subject to a fine of up to RMB 1 million. Such individuals may further be restricted from serving as a director, supervisor, senior manager or personal information protection officer for a stipulated period of time.17
The PIPL also imposes tortious liability on processors that infringe upon individuals' rights and interests in their personal information. To facilitate damage claims, the PIPL places the burden of proof on the defendant personal information processor in a civil action.18 If such infringement affects a large number of individuals, the processor may face civil claims or criminal charges brought by consumer groups, entities authorized by the CAC and/or the prosecutor.19
1 The PIPL, Art. 3.
2 The PIPL, Art. 53.
3 The PIPL, Art. 4.
4 The PIPL, Art. 73.
5 The PIPL, Art. 4.
6 The PIPL, Art. 28.
7 The PIPL, Art. 29, 30, 32, 55.
8 The PIPL, Art. 13.
9 The PIPL, Art. 23, 25, 29, 39.
10 The PIPL, Art. 58.
11 The PIPL, Art. 20.
12 The PIPL, Art. 21, 59.
13 The PIPL, Art. 21.
14 The PIPL, Art. 40. Please note that the security assessment may be waived as provided by laws, administrative regulations or the cybersecurity authority.
15 The PIPL, Art. 38.
16 The PIPL, Art. 66.
18 The PIPL, Art. 69.
19 The PIPL, Art. 70.
Michael Li (White & Case, Associate, Hong Kong) and Xue Feng (White & Case, Legal Consultant, Beijing) contributed to the development of this publication.