A Guide to China’s Personal Information Protection Law (PIPL)
• read
Introduction
The Personal Information Protection Law is the first comprehensive data privacy law in China based on China’s constitution. Its primary aim is to “protect the rights and interests of individuals,” “regulate personal information processing activities,” and “facilitate reasonable use of personal information” (Article 1).
The Draft PIPL, coupled with the other two fundamental laws on cybersecurity and data protection, China’s Cybersecurity Law (CSL) and the Data Security Law of the People’s Republic of China (DSL), provides a new data protection legal regime in China. The CSL is the law regulating cyberspace, covering personal information and other important data. The DSL is the law regulating data security and establishing a legal framework for data security. The new PIPL now provides a comprehensive system for the protection of personal information in China.
Official text
Click here to access the full official text of the PIPL. Click here to access the unofficial translation in English.
Effective Date
The PIPL was passed on August 20, 2021 and will go into effect on November 1, 2021.
Applicability
Under Article 3, this law applies to the processing of personal information of natural persons within the territory of the People’s Republic of China.
This law also applies to the processing of personal information of natural persons outside the People’s Republic of China under any of the following circumstances:
- For the purpose of providing products or services to domestic natural persons,
- Analyze and evaluate the behavior of natural persons in the territory,
- Other circumstances stipulated by laws and administrative regulations.
Article 13 also defines “Personal information processors”, which may process personal information only if one of the following circumstances is met:
- Obtain personal consent,
- Necessary for the conclusion and performance of a contract in which an individual is a party, or necessary for the implementation of human resource management in accordance with the labor rules and regulations established in accordance with the law and the collective contract signed in accordance with the law,
- It is necessary to perform statutory duties or statutory obligations,
- It is necessary to respond to public health emergencies, or to protect the life, health, and property safety of natural persons in an emergency,
- Carry out news reports, public opinion supervision, and other acts for the public interest, and handle personal information within a reasonable range,
- Processing personal information disclosed by individuals or other legally disclosed personal information within a reasonable scope in accordance with the provisions of this law,
- Other circumstances stipulated by laws and administrative regulations.
In accordance with other relevant provisions of this law, personal consent shall be obtained for the processing of personal information, but under the circumstances specified in items 2 to 7 of the preceding paragraph, no personal consent is required.
Covered Personal Information
The PIPL defines “Personal Information” in Article 4. Personal information is a variety of information related to an identified or identifiable natural person recorded electronically or by other means, excluding anonymized information.
The processing of personal information includes the collection, storage, use, processing, transmission, provision, disclosure, deletion, etc. of personal information.
Sensitive Data
Under this Data Privacy Law, Article 28 defines “Sensitive personal information” as personal information that, once leaked or used illegally, can easily lead to the infringement of the personal dignity of natural persons or the harm of personal and property safety, including biometrics, religious beliefs, specific identities, medical health, financial accounts, Information such as whereabouts, as well as personal information of minors under the age of fourteen.
Personal information processors can process sensitive personal information only when they have a specific purpose and sufficient necessity and take strict protective measures.
Article 29: The processing of sensitive personal information shall obtain the individual’s individual consent; where laws and administrative regulations provide that the processing of sensitive personal information shall obtain written consent, the provisions shall be followed.
Article 30: When processing sensitive personal information, personal information processors shall, in addition to the matters specified in the first paragraph of Article 17 of this law, also inform individuals of the necessity of processing sensitive personal information and the impact on personal rights and interests; in accordance with this law The law stipulates that the individual may not be notified except:
- Article 31: When a personal information processor handles the personal information of a minor under the age of fourteen, it shall obtain the consent of the minor’s parent or other guardians. Personal information processors who process the personal information of minors under the age of fourteen shall formulate special personal information processing rules.
- Article 32: Where laws and administrative regulations stipulate that the processing of sensitive personal information should obtain relevant administrative licenses or impose other restrictions, those provisions shall be followed.
- Section 3 Special Provisions on the Handling of Personal Information by State Organs
- Article 33: This law shall apply to the activities of state agencies in processing personal information; where there are special provisions in this section, the provisions of this section shall apply.
Anonymous, De-identified, Pseudonymous, or Aggregated Data
Article 4 states that “Personal information” is a variety of information related to an identified or identifiable natural person recorded electronically or by other means, excluding anonymized information.
Children
Article 31 states that when a personal information processor handles the personal information of a minor under the age of fourteen, it shall obtain the consent of the minor’s parents or other guardians.
Personal information processors who process the personal information of minors under the age of fourteen shall formulate special personal information processing rules.
Privacy Notice
According to Article 17 of the PIPL, before processing personal information, personal information processors shall truthfully, accurately, and completely inform individuals of the following matters in a conspicuous manner and in clear and easy-to-understand language:
- The name or name and contact information of the personal information processor,
- Purpose of processing personal information, processing method, type of personal information processed, and retention period,
- Methods and procedures for individuals to exercise their rights under this law,
- Other matters that should be notified by laws and administrative regulations.
If there is a change in the matters specified in the preceding paragraph, the individual shall be notified of the changed part.
Where the personal information processor informs the matters specified in the first paragraph by formulating personal information processing rules, the processing rules shall be made public and shall be convenient for inspection and storage.
Consumer Rights
Several articles of the PIPL cover the new consumer rights.
Article 44 states that individuals have the right to know and make decisions about the processing of their personal information, and have the right to restrict or refuse the processing of their personal information by others; unless otherwise provided by laws and administrative regulations.
According to Article 45, individuals have the right to consult and copy their personal information to the personal information processor; except under the circumstances specified in Article 18, paragraph 1, and Article 35 of this law.
Where an individual requests to view or copy his personal information, the personal information processor shall provide it in a timely manner.
Individuals requesting the transfer of personal information to their designated personal information processor, and the personal information processor shall provide the means for the transfer if the conditions specified by the national cybersecurity and informatization department are met.
As per Article 46, if an individual discovers that his or her personal information is inaccurate or incomplete, he has the right to request the personal information processor to correct or supplement it.
Where an individual requests correction or supplement of his personal information, the personal information processor shall verify his personal information and make corrections and supplements in a timely manner.
Article 48 says that individuals have the right to request personal information processors to explain their personal information processing rules.
Finally, Article 49 states that in the event of a natural person’s death, his close relatives may, for their own lawful and legitimate interests, exercise the rights of access, copy, correction, deletion, etc., to the relevant personal information of the deceased as provided in this chapter; unless otherwise arranged by the deceased during his lifetime.
Contracting
Under this data privacy law, Article 21 provides some guidance. When a personal information processor entrusts the processing of personal information, it shall agree with the trustee on the purpose, time limit, processing method, types of personal information, protection measures, and the rights and obligations of both parties, etc., and the trustee’s Supervise personal information processing activities.
The trustee shall process personal information in accordance with the agreement, and shall not process personal information beyond the agreed processing purpose, processing method, etc…, if the entrustment contract is not effective, invalid, revoked, or terminated, the trustee shall return the personal information to the personal information processor or delete it, shall not be retained.
According to Article 38, if a personal information processor really needs to provide personal information outside the People’s Republic of China due to business needs, it shall meet one of the following conditions:
- Pass the security assessment organized by the State Cyberspace Administration in accordance with the provisions of Article 40 of this Law,
- Conduct personal information protection certification by a professional organization in accordance with the regulations of the national cyberspace administration,
- Enter into a contract with the overseas recipient in accordance with the standard contract formulated by the national cyberspace administration department, stipulating the rights and obligations of both parties,
- Other conditions stipulated by laws, administrative regulations, or the national cyberspace administration department.
Where the international treaties and agreements that the People’s Republic of China has concluded or participated in have provisions on the conditions for providing personal information outside of the People’s Republic of China, they may be implemented in accordance with those provisions.
Personal information processors shall take necessary measures to ensure that the processing of personal information by overseas recipients meets the personal information protection standards stipulated in this law.
Data Protection Assessments
According to Article 36, personal information processed by state agencies shall be stored within the territory of the People’s Republic of China; if it is indeed necessary to provide it overseas, a security assessment shall be conducted. The security assessment may require support and assistance from relevant departments.
In addition, Article 38 says that if a personal information processor really needs to provide personal information outside the People’s Republic of China due to business needs, it shall meet one of the following conditions:
- Pass the security assessment organized by the national cybersecurity and informatization department in accordance with the provisions of Article 40 of this Law,
- Conduct personal information protection certification by professional institutions in accordance with the regulations of the national cyberspace administration,
- Enter into a contract with the overseas recipient in accordance with the standard contract formulated by the national cyberspace administration department, stipulating the rights and obligations of both parties,
- Other conditions stipulated by laws, administrative regulations, or national cyberspace administration departments.
As per Article 54, personal information processors shall regularly conduct compliance audits of their processing of personal information in compliance with laws and administrative regulations.
Article 55 also states that in any of the following circumstances, the personal information processor shall conduct a personal information protection impact assessment in advance and record the processing situation:
- Processing sensitive personal information,
- Using personal information to make automated decision-making,
- Entrust the processing of personal information, provide personal information to other personal information processors, and disclose personal information,
- Providing personal information abroad,
- Other personal information processing activities that have a significant impact on personal rights and interests.
Finally, Article 56 of the PIPL mentions that an assessment of the impact of personal information protection shall include the following:
- Whether the processing purpose and processing method of personal information are legal, proper, and necessary,
- Impact on personal rights and security risks,
- Whether the protective measures adopted are legal, effective, and compatible with the degree of risk.
The personal information protection impact assessment report and processing record shall be kept for at least three years.
Enforcement
According to Article 60, the State Cyberspace Administration of China is responsible for overall planning and coordination of personal information protection and related supervision and management. The relevant departments of the State Council shall be responsible for personal information protection and supervision and management within the scope of their respective duties in accordance with the provisions of this Law and relevant laws and administrative regulations.
Private Right of Action
The PIPL does not have a provision for private rights of action.
Penalties and Damages
Under the PIPL, if there are illegal acts and the circumstances are serious, the department performing personal information protection duties at or above the provincial level shall order corrections, confiscate the illegal gains, and impose a fine of less than 50 million yuan or less than 5% of the previous year’s turnover.
It can also order the suspension of relevant business or suspend business for rectification, notify the relevant competent authority to revoke the relevant business permit or revoke the business license; impose a fine of 100,000 yuan up to 1 million yuan on the directly responsible person-in-charge and other directly responsible persons, and may decide to prohibit He serves as a director, supervisor, senior manager and person in charge of personal information protection of related companies within a certain period of time.
Cure Period
The PIPL does not provide a cure period.
Exemptions
The PIPL does not have exemptions.
Data Breach
The PRC Cybersecurity Law introduced a general requirement for the reporting and notification of actual or suspected personal information breaches. Where personal information is leaked, lost, or distorted (or if there is a potential for such incidents), organizations must promptly take relevant measures to mitigate any damage and notify the relevant data subjects and report to the relevant government agencies in a timely manner in accordance with relevant provisions.
The PRC Cybersecurity Law does not provide guidance on what constitutes a data security breach, nor does it prescribe a timeline for reporting personal information breaches of security incidents. However, the PIS Specification and other guiding circulars (such as the National Network Security Incident Contingency Response Plan), and the latest draft guidelines published by the CAC on the Administrative Measures for the Release of Information on Cyber Security Threats provide some guidelines on the reporting and notification of personal information breaches of security incidents. Nevertheless, these supplementary guidelines do not go further to provide a complete set of reporting procedures.