Key point: China’s Personal Information Protection Law is a complicated regulatory regime that will require U.S. entities subject to its requirements to undertake substantial compliance efforts.
Effective November 1, 2021, China will become the latest country to enact a national data privacy law akin to Europe’s General Data Protection Regulation (GDPR). The new law – entitled the Personal Information Protection Law of the People’s Republic of China or “PIPL” – will require foreign companies, including U.S. companies, operating in China (and in some cases, operating purely outside of China) to undertake new compliance efforts.
To facilitate that process, below is a general discussion of PIPL and some of its more notable provisions. For reference, PIPL has been translated into English by DigiChina, which has a wealth of resources available on its website for those interested in further reading on this new law.
What Entities Does PIPL Apply to?
The law generally applies to “personal information handlers” (“PIHs”) which are comparable to GDPR controllers. Specifically, Article 73 defines PIHs as “organizations and individuals that, in personal information handling activities, autonomously decide handling purposes.” PIPL does not apply to natural persons handling personal information for personal or family affairs (Article 72).
Similar to GDPR, PIPL purports to have extra-territorial jurisdiction.
Article 3 states that the law applies to “the activities of handling the personal information of natural persons within the borders of the People’s Republic of China.” It also states that it applies to “handling activities outside the borders of the People’s Republic of China of personal information of natural persons within the borders of the People’s Republic of China” where (1) “the purpose is to provide products or services to natural persons inside the borders”, (2) when “analyzing or assessing activities of natural persons inside the borders”, or (3) “other circumstances provided in laws or administrative regulations.”
Those familiar with GDPR will certainly recognize the similarities between the two laws. It remains to be seen how broadly this provision will be interpreted and applied by Chinese regulators.
What Information Does PIPL Apply to?
PIPL applies to the processing of “personal information”, which is defined in Article 4 as “all kinds of information, recorded by electronic or other means, related to identified or identifiable natural persons, not including information after anonymization handling.” Article 4 further explains that “[p]ersonal information handling includes personal information collection, storage, use, processing, transmission, provision, disclosure, deletion, etc.”
Does PIPL Require a Lawful Basis for the Processing of Personal Data?
Yes. PIHs are required to have a proper basis for processing personal data.
Some of the bases identified in Article 13 are: (1) consent; (2) where necessary to conclude or fulfill a contract in which the individual is an interested party, or where necessary to conduct human resources management according to lawfully formulated labor rules and structures and lawfully concluded contracts; (3) where necessary to fulfill statutory duties and responsibilities or statutory obligations; and (4) when handling personal information disclosed by persons themselves or otherwise already lawfully disclosed, within a reasonable scope in accordance with the provisions of PIPL.
PIPL does not have a provision similar to GDPR’s “legitimate basis” provision.
How is Consent Defined?
Consent should be provided by individuals “under the precondition of full knowledge” and in “a voluntary and explicit statement” (Article 14). Consent must be reobtained if there is a change in the purpose of the handling, the handling method or the categories of personal information. Consent must be revocable (Article 15).
What About Sensitive Personal Data?
PIHs must obtain an individual’s “separate consent” to handle sensitive information (or the consent of a parent or guardian for individuals under the age of 14) (Articles 29 and 31). PIHs also must have a “specific purpose and need to fulfill,” put in place “strict protection measures,” and provide additional disclosures to individuals (Articles 28 and 30).
Sensitive information is defined in Article 28 as “personal information that, once leaked or illegally used, may easily cause harm to the dignity of natural persons [or] grave harm to personal or property security, including information on biometric characteristics, religious beliefs, specially-designated status, medical health, financial accounts, individual location tracking, etc., as well as the personal information of minors under the age of 14.”
What Rights Does PIPL Grant Data Subjects?
Prior to handling personal information, PIHs must notify individuals of the PIH’s name and contact method, the purpose of the personal information handling and handling methods, the categories of personal information handled, the retention period, and the methods for individuals to exercise their data privacy rights (Article 17). These disclosures must be truthful, accurate, and in clear and easily understood language.
Data retention periods “shall be the shortest period necessary to realize the purpose of the personal information handling” unless law or regulations provide otherwise (Article 19).
In addition, Chapter IV (Articles 44-50) provides individuals the following rights: the right to know, the right to object to processing, the right to access and copy personal information, the right to data portability, the right to correct inaccurate information, the right to supplement incomplete information, the right to deletion, and the right to have PIHs explain their personal information handling rules. Notably, individuals may file a lawsuit with a court where PIHs reject individuals’ requests to exercise their rights.
Does PIPL Require Data Processing Agreements?
Yes. Article 21 provides that if PIHs transfer personal information to “entrusted persons” “they should conclude an agreement with the entrusted person on the purpose for entrusted handling, the time limit, the handling method, categories of personal information, protection measures, as well as the rights and duties of both sides, etc., and conduct supervision of the personal information handling activities of the entrusted person.”
Article 21 also requires entrusted persons to adhere to the terms of the contract, return the personal information at the conclusion of the relationship, and not transfer personal information to others without the PIH’s consent.
PIPL governs the transfer of information between PIHs differently. In that circumstance, the PIH must notify the individuals, provide certain required information and obtain separate consent (Article 23).
Finally, Article 25 generally states that PIHs “may not disclose the personal information they handle; except where they obtain separate consent.”
What About International Data Transfers?
Similar to GDPR, Chapter III (Articles 38 to 43) regulates international transfers of personal information. To engage in such transfers, PIHs must meet one of the following conditions:
- Pass a security assessment organized by the state cybersecurity and informatization department according to Article 40;
- Undergo personal information protection certification conducted by a specialized body according to provisions by the state cybersecurity and informatization department;
- Conclude a contract with the foreign receiving side in accordance with a standard contract formulated by the state cybersecurity and informatization department, agreeing upon the rights and responsibilities of both sides; or
- Other conditions provided in laws or administrative regulations or by the state cybersecurity and informatization department.
Treaties or international agreements entered into by China and other countries also can provide such a transfer mechanism.
In addition, if PIHs provide personal information outside of China, they are required to notify the individual about the foreign receiving side’s name or personal name, contact method, handling purpose, handling methods, and personal information categories, as well as ways or procedures for individuals to exercise their rights with the foreign receiving side.
Finally, additional data localization requirements apply to critical information infrastructure operators and PIHs handling personal information reaching quantities provided by the state cybersecurity and informatization department.
What Other Duties Do PIHs Have?
Chapter V identifies a number of additional duties for PIHs. These include implementing proper information security measures to protect personal information from unlawful disclosure, appointing data protection officers in certain circumstances, appointing a representative in China (if operating outside of the country), regularly auditing their information practices, and conducting data protection impact assessments for certain processing activities. Article 57 also delineates obligations in the event of a data breach.
What are the Penalties for Non-compliance?
Among other remedies, regulators can issue fines up to 50 million RMB (or approximately 7.7 million USD) or 5% of annual revenue for “grave” violations.
This discussion is intended to provide a general overview of some (but certainly not all) of PIPL’s provisions. As with GDPR, PIPL is a complicated law that will require extensive analysis by any U.S. entity subject to its application.