China’s Personal Information Protection Law Brings Heightened Data Privacy Regulation to the People’s Republic
On August 20, 2021, at the closing meeting of China’s National People’s Conference Standing Committee in Beijing, lawmakers approved the Personal Information Protection Law (PIPL). The PIPL legislates for the protection of personal information and will take effect on November 1, 2021. For businesses transacting with China, the PIPL promises a shift in the way cross-border business is done. To help businesses prepare for the enactment of the new legislation, important provisions of the new law are presented below. We recommend that businesses re-visit their practices and become familiar with the parts of the PIPL most likely to affect the flow of information.
Who PIPL Applies To: The PIPL applies to entities collecting, storing, using, processing, transmitting, disclosing, deleting, or otherwise handling the personal information of individuals residing within the borders of the People’s Republic of China (PRC). The PIPL also applies to the processing of personal information of individuals residing outside the borders of the PRC where:
- the purpose is to provide products or services to natural persons inside PRC borders;
- analyzing or assessing activities of natural persons inside PRC borders;
- other circumstances provided in laws or administrative regulations.
Definition of Personal Information: The PIPL defines personal information to include all kinds of information, recorded by electronic or other means, related to identified or identifiable natural persons, but does not include pseudonymized personal information.
PIPL Principles: The PIPL contains principles and provisions, analogous to those contained in the European Union General Data Protection Regulation (GDPR), pertaining to lawfulness, fairness and transparency, purpose limitation, data minimization, and accountability in the form of PIPL principles of legality, propriety, necessity, and sincerity. The PIPL specifically requires entities collecting, storing, using, processing, transmitting, disclosing, deleting, or otherwise handling the personal information to have a clear and reasonable purpose, and use a method with “the smallest influence on individual rights and interests,” limiting collection to the smallest scope for realizing the purpose for handling the personal information.
Consent Requirements: The PIPL conditions permission to handle personal information on consent, except for situations where information has already been lawfully disclosed, or handling is necessary to conclude a contract, fulfill statutory requirements, respond to public health incidents, to allow news reporting, or where other circumstances in law and administrative regulations allow information to be handled.
As a precondition to consent, the PIPL requires personal information handlers to notify individuals of the name of the information processor, the contact information for the personal information handler, the purpose for the handling of personal information, the methods used, categories of information involved, the applicable data retention period, and the ways in which individuals can exercise their rights under the law.
Breach Notification: The PIPL requires that potentially affected individuals and certain regulators be notified when the unauthorized disclosure, distortion, or loss of personal information occurs or may have occurred. The notification is to include affected information categories, incident causes, and possible harm caused by the incident. It must also include remedial measures taken by the personal information handler and measures individuals can adopt to mitigate harm. It must also include contact information for the personal information handler. Although there is not outside time frame specified for notification, the PIPL appears to contemplate immediate notification.
Penalties and Enforcement: The PIPL provides for the creation of a personal information protection structure to enforce the PIPL by punishing acts that harm personal information, strengthening personal information protection, and promoting the creation of an environment for personal information protection. Chinese authorities are allowed to impose penalties for violation of the PIPL, order correction, confiscate unlawful income, and order the provisional suspension or termination of service of any application programs unlawfully handling personal information. Additionally, authorities can publicize violations of the law. Where correction by those handling personal information is refused, the regulatory authority is permitted to impose a fine up to ¥1 million along with additional fines between ¥10,000 and ¥100,000 to persons directly responsible for the violation.
If the violations are particularly serious, regulatory authorities are directed to order correction, confiscate unlawful income, and impose a fine of not more than ¥50 million, or 5% of annual revenue, and can also order the suspension of related business activities and report violations to the relevant competent department for cancellation of corresponding administrative or business licenses.
Transfers Outside of China: The PIPL has separate provisions for businesses handling critical information infrastructure. For other general network operators, there are two paths to being allowed to transfer personal information out of China: 1) undertaking a personal information protection certification carried out by recognized institutions in accordance with the Cyberspace Administration of China’s (CAC) regulation, or 2) signing a cross-border transfer agreement with the personal information recipient and ensuring that the processing meets the protection standard provided under the PIPL. For any cross-border transfer of personal information, in addition to the above compliance requirement, the information handler must also obtain separate consent for the transfer from the data subjects.
For more information on the PIPL, contact the authors of this post. You can also subscribe to this blog to receive email alerts when new posts go up.