On August 20, 2021, China’s first comprehensive Personal Information Protection Law (“PIPL”) was passed into law. The Cybersecurity Law, the Data Security Law, and the PIPL of China are the three pillars of China’s data protection framework, which govern cybersecurity, data security, and personal information protection respectively. The Cybersecurity Law largely governs cybersecurity requirements for Critical Information Infrastructure operators and network operators, and the Data Security Law regulates the security of data processing activities, specifically “important data” and “national core data”. PIPL, on the other hand, focuses on “personal information,” serving as China’s first comprehensive personal data privacy law, similar to the EU’s General Data Protection Regulation (“GDPR”). Understanding and complying with all three laws are vital for organizations to process data of individuals in China.
The PIPL will become effective on November 1, 2021, giving organizations a tight timeline to comply. Here are the key takeaways to get ready for the new data protection law in China.
- Personal Information Processor: Similar to the GDPR’s definition of “data controller,” PIPL uses the term, “Personal Information Processor” as the “organization or individual that independently determines the purposes and means for processing of personal information” (Article 73).
- Entrusted Party: PIPL uses “Entrusted Party” to refer to the entity that processes personal information on behalf of the Personal Information Processor, comparable to GDPR’s definition of “data processor” (Article 21).
- Personal Information: Similar to the GDPR, PIPL defines personal information as any “information related to identified or identifiable natural persons recorded by electronic or other means” (Article 4). Also like the GDPR, anonymized information is not considered personal information under the PIPL.
- Processing of personal information is similarly broad in scope as under EU and US privacy laws, encompassing “the collection, storage, use, processing, transmission, provision, publication, and erasure of personal information.”
Extra-Territorial Scope. PIPL applies to personal information processing activities outside of China when the purpose of the processing is (a) to provide products or services to natural persons in China, (b) to analyze and assess the activities of natural persons in China, or (c) for other purposes provided by laws and regulations (Article 3). This approach closely mirrors the GDPR’s provisions on extraterritorial application, all the way down to being contained in Article 3 of both GDPR and PIPL. This suggests China believes the GDPR’s approach enables jurisdictional reach sufficient for Chinese regulatory intentions under the PIPL.
Designated Representative. PIPL requires a foreign Personal Information Processor to designate an agency or a representative in China for personal information protection (Article 53). Again, this closely mirrors the GDPR approach. Like under the GDPR, PIPL only requires representatives to be appointed by Personal Information Processors who are (a) outside of China, and (b) only subject to the PIPL by virtue of its extraterritoriality provisions (discussed above). It can potentially be presume that the “PIPL representative’s” function will be similar to a “GDPR representative’s” function, i.e. serving as a registered agent within China for regulatory inquiries, consumer inquiries, or lawsuits under the PIPL. Although European privacy supervisors have not yet vigorously enforced the representative requirement in the EU, observers will be closely watching to see if Chinese agencies enforce it more actively.
Lawful Basis for Processing. Article 13 in PIPL provides the following seven lawful bases for processing personal information:
- Obtain personal consent, which, similar to GDPR’s definition of “consent,” must be informed, freely given, explicit, and may be later withdrawn. Unlike GDPR, however, PIPL consent does not need to be “specific,” suggesting that for PIPL – unlike for the GDPR – China may envision a baseline practice of companies asking consumers to consent to entire privacy policies or other comprehensive written statements about their data practices. Note though, the PIPL does identify scenarios where “separate” consent is required, suggesting that for these situations, a more specific consent similar to the GDPR approach may be required. These “separate consent” situations include: (a) sharing or disclosing personal information, (b) processing sensitive personal information, and (c) transferring personal information outside of China;
- Necessary for the conclusion and performance of a contract in which an individual is a party, or necessary for the implementation of human resource management in accordance with the labor rules and regulations established in accordance with the law and the collective contract signed in accordance with the law;
- Necessary to perform statutory duties or statutory obligations;
- Necessary to respond to public health emergencies, or to protect the life, health and property, or safety of natural persons in an emergency;
- To carry out news reports, public opinion supervision and other acts for the public interest, and handle personal information within a reasonable extent;
- To process personal information already disclosed by individuals or otherwise lawfully disclosed within a reasonable scope in accordance with PIPL; and
- Other circumstances stipulated by laws and administrative regulations.
Notably and unlike the GDPR, PIPL does not include “legitimate interests” as a legal basis for processing personal information.
Personal Information Rights. PIPL provides individuals with the following rights: right to be informed, right to access, right to correction, right to deletion, right to objection or restriction of processing, right to data portability, right to not be subject to automated decision making, right to withdraw consent, and right to file complaints (Chapter IV).
PIPL’s rights regarding automated decisions are worth noting, since they differ from EU and US approaches. If an organization uses automated decisions to provide delivery or commercial sales to individuals, PIPL requires them to “simultaneously” provide an option not to target the individual’s characteristics, suggesting that real-time or differential pricing algorithms may be subject to opt-out rights (Article 24). Additionally, PIPL also gives individuals a right not seen in EU or US privacy laws under which they can require organizations to explain their “personal information handling rules.”
PIPL also gives individuals a private right of action against a Personal Information Processor if the Personal Information Processor refuses to fulfil their requests related to their personal information rights (Article 50). Additionally, PIPL includes a quasi-class action right, whereby consumer organizations stipulated by law or organizations designated by relevant authorities can file a lawsuit if a Personal Information Processor infringes on the rights of many individuals (the definition of “many” has yet to be defined). A similar right exists in Europe under GDPR but, to date, has not yet been used frequently, in part because of the limited number of registered consumer organizations that are both entitled and sufficiently funded to bring large-scale GDPR claims. In China, these private rights of action will inevitably bring compliance and litigation pressures on companies and tracking future lawsuits will be particularly important, given the many undefined terms in PIPL.
Data Processing Agreement. PIPL requires Personal Information Processors to have data processing agreements in place for engaging entrusted parties. An Entrusted Party must follow the agreement while processing personal information and shall not further entrust any other parties without the Personal Information Processor’s approval (Article 21). Unlike GDPR, the PIPL does not address whether this approval can be general (e.g. “Entrusted Party is hereby granted approval to engage subcontractors”), or must be obtained from all Personal Information Processors each time the Entrusted Party seeks to engage a new subcontractor.
Internal Privacy Governance. PIPL imposes a number of internal governance requirements on organizations that handle Chinese personal information. Among the more salient are: (a) establishing an internal personal information management program based on administrative measures (policies, operating rules, management structures) and technical controls (Article 51); (b) appointing a “Personal Information Protection Officer” if the organization reaches a threshold size to be determined by the Cyberspace Administration of China (“CAC”) at a later date (Article 52); and (c) conducting documented “Personal Information Protection Impact Assessments” for enumerated higher-risk processing situations (Article 55).
Cross-Border Data Transfer. PIPL allows personal information cross-border transfer if a Personal Information Processor (a) notifies individuals about the transfer and obtains “separate” consent (Article 39), (b) adopts necessary measures to ensure the foreign data importer provides adequate data protection as required by PIPL (Article 38), and (c) conducts a personal information protection impact assessment (Article 55).
When adopting adequate data protection measures, an organization should consider the purpose and method of processing personal information, type of personal information involved, impact on individual’s right and interest, possible security risk, and more (Article 51). PIPL specifies the following as adequate data protection measures:
- Formulating internal management system and operational procedures;
- Managing personal information by classification;
- Taking technical security measures such as encryption and de-identification;
- Reasonably determining the authority to process personal information and conduct regular security education and training for employees;
- Establishing and implementing emergency plans for personal information security incidents; and
- Other measures stipulated by laws and administrative regulations.
Other Personal Information Processors may choose to obtain a personal information protection certification or to enter into an agreement with the foreign data importer based on the standard contractual clauses (“SCC”), which will be published by the CAC at a later date (Article 38). It is uncertain when the PIPL SCC will be released and how similar it will be to the GDPR SCC.
Data Localization. If the Personal Information Processor is a Critical Information Infrastructure operator or processes a “large amount” of personal information (to be defined by the CAC at a later date), such Personal Information Processor must store the personal information within China; if the transfer of such personal information outside of China is absolutely necessary, such organization must pass a security assessment administered by the CAC (Article 40).
Litigation, Enforcement, or Compliance-Related Transfers. The PIPL prohibits personal information stored within “mainland” China territory from being transferred to foreign judicial or law enforcement agencies without the approval of competent Chinese authorities (such as, e.g., the CAC) (Article 41). The intent of this provision appears to be to route foreign governmental requests for personal information through mutual legal assistance treaties, or through agency cooperation procedures. It is unclear whether this provision will affect, e.g., intra-affiliate sharing of documents that potentially (but not necessarily) will be used in foreign litigation or agency enforcement procedures, or similar inter partes sharing for pretrial discovery.
Breach Notification. When a personal information breach occurs, PIPL requires Personal Information Processors to (a) immediately take remedial measures, and (b) inform the department designated with the duty of personal information protection and individuals concerned.
- Risk of Harm Exemption: notification to individuals is not required if the Personal Information Processor has taken effective measures to avoid harm caused by the information breach. This breach notification exception is likely to be similar to the “risk of harm” analysis incorporated in a number of U.S. state breach notification statutes, which obviates the need for notification when the risk of harm caused by a security breach can be mitigated effectively.
- However, unlike GDPR and many U.S. state breach notification statutes, there is no set deadline on the timing of the notification under PIPL (Article 57).
Further, the Entrusted Party needs to take necessary measures to ensure the security of the personal information processed and assist Personal Information Processors to fulfill their obligations under PIPL, including notifying the Personal Information Processor of any personal information breach (Article 59).
Increased Penalties. Violation of PIPL may result in corrective actions, warnings, illegal income confiscation, service suspension or termination, or a fine of up to RMB 50 million or 5% of an organization’s annual revenue for the prior fiscal year (Article 66). It is unclear whether PIPL refers to worldwide or domestic revenue. Moreover, the directly liable persons may be fined of up to RMB 1 million and be prohibited from serving as directors, supervisors, senior managers, and personal information protection officers of the related organization for a certain period of time (Article 66).
In summary, while much about PIPL remains unsettled based on the last of clarified definitions and understanding how strictly PIPL will be enforced, PIPL will undoubtedly increase compliance costs (and potentially litigation costs) for companies processing personal information of Chinese Individuals.