The long-awaited PRC Personal Information Protection Law (the PIPL), China’s equivalent of the EU's General Data Protection Regulation (GDPR), was finally passed by the Standing Committee of the People’s Republic of China on 20 August 2021, and will enter into force on 1 November 2021.
The new law is composed of eight chapters and 74 articles and refines the principles and rules to be followed in the protection of personal information, following on from the Cyber Security Law (the CSL) and Data Security Law (the DSL) which were in place prior to the PIPL.
The PIPL uses the term “personal information processor”, which is similar to a “data controller” under GDPR, while a “donee/trustee” under the PIPL is similar to a “data processor”.
The PIPL reflects the same “long arm” principle as the DSL, in Article 42 and Article 3.
Article 42 provides that any foreign organisation or individual that has caused harm to the national security, public interest or legitimate interest of Chinese citizens in processing the personal information of Chinese data subjects could also be subject to restrictive or prohibitive measures by the PRC authority.
Article 3, not unlike the GDPR, extends the application of the PIPL to all personal information processing activities outside China to the extent that:
- they are conducted for the purpose of providing goods or services to natural persons in China;
- they are conducted for the purpose of analysing or assessing behaviours of natural persons in China; or
- they fall within what is otherwise stipulated by laws and regulations.
In respect of such data processing by processors outside China (that is, foreign personal information processors), Article 53 further requires that a local department be set up or a local representative be appointed for handling matters related to the protection of personal information, and details of this local department or representative should be registered with the PRC authority.
Definition of 'personal information'
The PIPL applies a broader definition of “personal information” than the CSL: any information, regardless of whether it is in electronic or any other form, which relates to any identified or identifiable natural person, excluding anonymised information. How to define “identifiable” and “relates” is open to interpretation, thus potentially broadening the scope of “personal information” for the purpose of the new law.
Legal grounds for processing
Before the PIPL, processing personal information under PRC law was primarily consent-based. The PIPL expressly provides for additional legal grounds for processing, which are:
- Necessary for entering into and/or performing a contract, or for human resource management per the labour rules or policies or collective contracts;
- Necessary for fulfilling legal responsibilities or obligations;
- Necessary in response to a public health emergency, or for the purpose of protecting the health or property security of natural persons in case of emergency;
- Processing personal information for the reasonable purpose of news reports or supervision of public opinion and other similar purposes in the public interest;
- Reasonable processing of personal information which has been made public by the data subjects or in other legitimate ways; or
- As otherwise provided for under applicable rules and regulations.
Enhanced protection for 'sensitive personal information' and personal information on minors
The new law introduces a special definition of “sensitive personal information” which includes information on biometrics, religious beliefs, medical and health, financial accounts and location tracking, and personal information on minors under 14, and provides for enhanced protection for such “sensitive personal information”.
Similar to GDPR, sensitive personal information can only be processed for very “limited and specific purposes” while still being subject to “sufficient necessity” for processing. Processing is also subject to a stand-alone consent, which must be in writing where mandatory law so requires.
Processing personal information of minors under 14 is subject to the consent of their parents or other guardians. Formulating stand-alone rules for processing adds administrative burdens for processors, from an operational perspective.
In connection with the enhanced protection for “sensitive personal information”, the PIPL also sets out the special requirements for using personal identification devices or equipment, or those for collecting personal images (such as facial recognition devices) in public places. Information so collected is allowed only for the purpose of public security, unless a stand-alone consent is obtained.
Cross-border transfer of personal information
Data localisation and cross-border transfers have become controversial since the issuance of CSL in 2016.
There were certain draft rules issued by the China Administration of Cyberspace, some of which suggested that all cross-border transfers of personal information required administrative approval, while others indicated that only transfers reaching a certain threshold would trigger such mandatory clearance. The PIPL provides more clarity, and seems to take a relatively relaxed position on this issue.
A cross-border transfer will be considered compliant if:
- it has passed the mandatory security assessment by PRC authority per Article 40 (discussed in more detail below);
- it has obtained a protection certification by a professional firm/agency;
- it has entered into a contract with the foreign recipient using the standard contractual clauses formulated by the PRC authority; or
- it falls within what is otherwise permitted by PRC law.
Generally, the PIPL requires the personal information processor in this context to take all necessary measures to ensure that the foreign recipients shall also meet standards no lower than those under the PIPL. Cross-border transfer is also subject to a stand-alone consent from the data subjects.
Article 40 provides more clarity as to the application of the “mandatory security assessment”: only critical information infrastructure operators, or other personal information processors processing personal information reaching the amount prescribed by the PRC authority (which, it is rumoured, could be that of one million data subjects), are subject to such mandatory assessment before transferring the data out of China.
Having said this, we would suggest that businesses also pay attention to industry-specific requirements on cross-border transfers. For example, the recently issued Administrative Measures on Automotive Data Security (which will enter into force on 1 October 2021) provide that automobile data processors collecting important data (including the personal information of no less than 100,000 data subjects) may transfer the data out of China only if necessary and only after it has passed the mandatory security assessment.
No transfer of personal information stored within China to foreign law enforcement authorities would be allowed unless the prior approval of PRC authorities is obtained. While clarity is still needed as to future enforcement, this provision may potentially provide multinational companies with a dilemma, depending upon their circumstances.
Requirements on automated decision-making
In response to society’s concern about the increasing privacy challenges brought by the adoption of artificial intelligence, the PIPL introduces specific requirements under Article 24, which stipulates that any personal information processor using personal information for automated decision-making shall ensure the transparency of such mechanisms and the fairness and impartiality of the results, and shall not impose any unreasonable differential treatment in terms of prices and other transactional conditions.
Where automated decision-making mechanisms are adopted to push information or conduct direct marketing, the data subjects should be provided with options not specific to their personal features, or with an easy opt-out mechanism.
Specific rights of data subjects
Similar to GDPR, the PIPL also sets out the specific rights which data subjects are entitled to under it, as briefly summarised below:
- Right to information, right to object, and right to restrict or refuse processing, which are similar to those under GDPR;
- Right to access, and right of data portability. Unlike GDPR, the PIPL does not provide for a clear timeline for the personal information processor to respond to the data subjects’ request to access their personal information. It is likely that a timeline will be introduced by national standards or industrial guidelines to be issued in the future. Notably, the PIPL, for the first time, introduces the concept of “data portability”, that is, where a data subject requests that his/her personal information be transferred from one processor to another, the former shall do so if such request meets the conditions on “portability” to be formulated by the PRC authority;
- Right to rectification and right to erasure, which are not dissimilar to those under GDPR; and
- Right to explanation of the processing rules. Article 48 of the PIPL provides that data subjects may request an explanation by the processor in respect of the rules on processing, which, compared to GDPR, would add administrative burdens upon the processor.
In order to facilitate the exercise of rights by data subjects, the processor is also required to set up a convenient mechanism for the exercise of rights. Where a request for exercising the rights is rejected, a reason must be given, and data subjects have also been granted by the PIPL an express right to dispute such rejection before the court.
Obligations of a personal information processor
As with GDPR, the PIPL also sets up obligations for the processor, which mainly include:
- formulating internal management systems and operational procedures;
- implementing categorised management for personal information;
- taking such security measures as encryption or de-identification in protecting personal information;
- conducting regular compliance audits;
- carrying out impact assessments for high-risk processing activities, such as processing sensitive personal information, using personal information for automated decision-making, or transferring personal information out of China;
- designating a specific responsible person (data protection officer) for supervising personal information protection (where the amount of personal information processed reaches a certain threshold as set up by the PRC authority), which is again not dissimilar to the provisions of GDPR;
- notifying the authorities and/or data subjects in case of data leakage, modification without authorisation and/or loss.
The PIPL also imposes special obligations on processors operating important internet platforms that have “a large number of users” and “carry out complicated types of business”, including:
- establishing a sound protection system for personal information which shall include an independent supervisory organisation mainly composed of external resources;
- formulating rules for the platform, defining the standards and obligations for personal information protection in respect of the suppliers within the platform;
- ceasing providing services to those goods or service providers in violation of laws, regulations or rules on personal information protection; and
- regularly issuing social responsibility reports for personal information protection, open to supervision by the public.
Enforcement and penalties
One could argue that the power of GDPR is mainly attributable to the severe penalties imposed for violations, which had been historically absent from the PRC personal information protection regime until the PIPL. Compared to previous laws, such as the CSL and DSL, the PIPL introduces more severe administrative penalties, including:
- warning, being ordered to rectify and/or confiscation of unlawful proceeds;
- a fine up to RMB 1 million, and a fine between RMB 10,000 and 100,000 for responsible individuals;
- in serious circumstances, a fine up to RMB 50 million or 5% (which is even higher than the GDPR cap at 4%) of the previous year’s turnover, in addition to suspension or close-down of the business and a fine between RMB 100,000 and 1 million for responsible individuals.
In addition to the administrative penalties, civil and criminal liabilities could also be triggered by violation of PIPL.
Special note should also be taken of the possibility of class actions, which, as expressly provided for under the PIPL, can be initiated by the People’s Procuratorates, designated consumers’ organisations or other organisations endorsed by the PRC authority.
Next steps for businesses
The final issuance of PIPL is good news to the extent that it provides for clarity and certainty, especially for those who have been treating data protection compliance seriously. Given that there are only two months to go before the PIPL takes effect, it is important for businesses to quickly review, and if necessary, amend their existing policies and practice to comply with the PIPL in time.
As outlined above, the PIPL has been greatly influenced by GDPR. Therefore, it could potentially be an advantage for a business that has already adopted GDPR-based rules and practices, as existing processes can be adapted. Nevertheless, the differences between the PIPL and GDPR should still be well noted and properly analysed.