The Standing Committee of the National People’s Congress passed the Personal Information Protection Law of the PRC (“PIPL”) on 20 August 2021. The PIPL will take effect on 1 November 2021, and together with the Cybersecurity Law, Civil Code and Data Security Law, establish a comprehensive regulatory framework for data protection in China.
This article summarises key provisions of the PIPL and their potential impact.
Scope of application
The PIPL regulates not only the handling of personal information (“PI”) of natural persons within China, but also PI handling activities outside China that i) are for the purpose of providing goods or services to China-based individuals, ii) relate to the behavioural analysis/assessment of Chinese residents, or iii) involve circumstances prescribed by laws or administrative regulations.
Overseas PI handlers that collect and analyse data for the aforementioned purposes will need to establish a special organisation or appoint a representative in China to deal with PI protection related matters, and to report the contact information of such organisation or representative to relevant Chinese regulators. Handlers that fail to comply could be “blacklisted” and may be restricted or forbidden from receiving personal information from China.
In addition, unlike the Cybersecurity Law, which only addresses PI protection in cyberspace, the PIPL neither excludes protection of non-electronic PI, nor distinguishes between online and offline PI handling activities. In this sense, all means of PI handling, whether by electronic or traditional methods (such as hard copies and manual handling), and whether online or offline, are subject to the PIPL.
Statutory rights for handling personal information
Unlike the Cybersecurity Law and Civil Code which focus on the data subject’s consent for PI handling, the PIPL authorizes the handling of PI in the absence of an individual’s consent, if:
- it is necessary for the execution or performance of a contract to which the data subject is a party or where necessary for implementation of human resource administration pursuant to the labour rules and regulations and executed collective contract;
- it is necessary for performance of statutory duties or obligations;
- it is necessary for responding to a public health emergency or for the protection of the life, health and property of a natural person under emergency circumstances;
- PI is handled within a reasonable scope for news reporting, monitoring of public opinion and other such activities for public interest;
- it involves PI publicly disclosed by an individual or other legally disclosed PI within a reasonable scope; or
- it is prescribed under other laws and regulations.
Protection of different levels
The PIPL provides different levels of protection for different types of PI. To begin with, PI is defined to cover all kinds of data related to identified or identifiable individuals, which are recorded by electronic or other means, but excludes anonymised data. “Sensitive PI” refers to PI which, if leaked or used illegally, can lead to discrimination against an individual or serious damage being done to an individual’s safety or property, including one’s race, ethnicity, religious beliefs, personal biometrics, medical history, financial accounts, personal location tracking, etc. and PI of minors under the age of 14.
For general PI and routine processing activities, the PIPL emphasizes full notification to, and voluntary and explicit consent from, the data subjects; alternatively, handlers may rely on one of the statutory rights referred to in Section 2 above.
For sensitive PI, the handlers are subject to the following special requirements in addition to the general obligations:
- PI handlers may only process sensitive PI for specific purposes, when strictly necessary and with strict protective measures. Separate consent from the data subject is required for handling sensitive PI, and the data subject shall be notified of the necessity of sensitive PI handling as well as the relevant impact on his/her personal rights and interests. Furthermore, PI handlers need to conduct a PI protection impact assessment prior to handling sensitive PI.
- Handlers that process PI of minors under the age of 14 must obtain consent from their parents, and formulate specific PI protection rules with respect to the PI of such minors.
Stringent requirements on data localisation and cross-border transfer
In addition to passing security assessments, obtaining PI protection certification or concluding a contract in the standard form formulated by the regulator with the receiving end, a data exporter must adopt necessary measures to ensure that foreign receiving parties’ personal information handling activities meet the standards set out in the PIPL. This new requirement creates substantial uncertainty as to how the enforcement authorities will evaluate whether the PIPL’s standards have been met.
Data exporters need to notify the data subject of the foreign receiving party’s name, contact information, purpose and methods of processing, type of PI and the means and procedures for the data subject to exercise his/her rights under the PIPL against the foreign receiving party, and to obtain the data subject’s specific consent.
Operators of critical information infrastructure and data handlers whose handling activities reach the prescribed levels must store the personal information collected and generated in China within the territory. Cross-border transfer is only permissible for those transferors who have passed the security assessment conducted by the designated network security authority.
Cross-border transfer of PI is also permissible when treaties or international agreements are in place. Provision of PI stored within the territory of China to overseas judicial or enforcement agencies will be subject to PRC regulators’ approval.
New requirements and special regulations in response to hot social issues
In recent years, there has been growing public concern about businesses using big data to enable differential treatment of consumers, including price discrimination, which is well known as “big data swindling”. This practice is explicitly banned in the PIPL. Those conducting “automated business marketing” will have to ensure transparency, fairness and justice of the results, and not engage in unreasonable differential treatment of individuals in trading conditions (including price discrimination). When generating push notifications and promotional content through an automated process, PI handlers will have to provide non-personalised content or offer consumers the option to reject such content.
The PIPL defines “automated decision-making” as “the activity of using computer programs to automatically analyse or assess personal behaviours, habits, interests, or hobbies, or financial, health, credit, or other status, and make decisions.”
To address a growing public awareness of the need to regulate the use of facial recognition technology in public areas, the PIPL restricts the installation of image capture equipment and personal recognition equipment in public areas unless they are only used for safeguarding public security and with a prominent sign to alert data subjects. Unless specific consent is granted, the individuals’ images and identification information collected via such equipment cannot be used for purposes other than safeguarding public security.
Extra requirements on large data handlers
The PIPL differentiates between major internet platforms and smaller entities in terms of their obligations with respect to PI protection. It imposes extra requirements on PI handlers that provide important internet platform services, with a huge number of users and complex business types.
The large internet platforms are now required to i) establish and complete PI protection compliance structures and systems according to national laws, and set up an independent organization composed mainly of external members to supervise PI protection; ii) abide by the principles of openness, fairness, and justice, formulate platform rules, and clarify the standards for intra-platform product or service providers’ handling of personal information and their personal information protection duties; iii) suspend services to intra-platform product or service providers which have breached PI laws and regulations; and iv) regularly publish social responsibility reports with respect to PI protection.
However, the PIPL does not provide clear definitions of “important internet platform”, “huge number of users” and “complex business types”.
Penalties and compensation
In addition to rectification, confiscation of illegal income, warnings, administrative fines, suspension of business for rectification, and revocation of relevant permits or business licenses, the PIPL provides for fines of up to RMB 50 million (approximately US$7.4 million) or 5% of the offender’s revenue in the previous year.
The PIPL establishes the rule of presumption of fault, so that unless a PI handler infringing a data subject’s rights and interests can prove that it is not at fault, it will have to compensate or make up for the data subject’s losses. Such compensation will be determined according to the losses suffered by the individual or the benefits obtained by the processor. If the losses or benefits are difficult to determine, the people’s court may determine the compensation amount according to the actual situation.
The regulatory environment with respect to PI protection and data security is no doubt tightening in China. There are many common requirements for companies in different industries and fields, including requirements for establishing a compliance system, and sorting out data processing and collection. It is advisable for businesses (especially telecommunications and internet companies which have been particularly subject to supervision and law enforcement in recent years) to make full use of the remaining time before the PIPL is implemented to review and update their personal information collection and processing rules in existing Apps, websites and offline businesses.
The PIPL is a framework law which is not intended to provide details on the majority of the policy matters it covers, but rather sets out broad principles, objectives and responsibilities. It is anticipated that regulators such as the Cyberspace Administration of China will draft and issue corresponding implementation regulations. We will keep track of further development of the implementation and enforcement of the PIPL and provide corresponding client alerts in due course.