China Passes the Personal Information Protection Law (PIPL)
Written by Rick Buck, Chief Privacy Officer, WireWheel
On August 18, China introduced the third and final version of the Personal Information Protection Law (PIPL). The law takes effect on Nov. 1, 2021. In many respects, it takes a similar approach to the EU General Data Protection Regulation (GDPR) by contemplating lawfulness and purpose of processing, data minimization, privacy rights, big data applications, protecting minors and the use of other sensitive information, user consent, data transfer approvals, and strict penalties.
The law applies to the processing of personal information of Chinese individuals happening outside of China if the purpose is:
- To provide products or services to individuals in China
- To “analyze” or “assess” the behavior of individuals in China, or
- Other purposes to be specified by laws and regulations
Companies doing business with China should begin thinking about the pending impact of this law. Some of the considerations include:
- Basis of Processing: Currently, under China’s Cybersecurity Law, “consent” is the only available legal basis for collecting and using personal information. PIPL reads more like GDPR, with multiple legal bases for processing:
  - Consent, or
  - Necessary for the conclusion and performance of a contract
  - Necessary to perform statutory duties or statutory obligations
  - Necessary to respond to public health emergencies, or to protect the life, health and property safety of natural persons in an emergency
  - Carrying out news reports, public opinion supervision and other acts in the public interest, handling personal information within a reasonable range
  - Processing personal information disclosed by individuals, or other legally disclosed personal information, within a reasonable scope in accordance with the provisions of this law
  - Other circumstances stipulated by laws and administrative regulations
- Data Minimization: The law calls for processing to be based on:
  - A “minimum necessary” standard and requirements for automated decision-making
  - Principles of lawfulness, fairness, necessity, and good faith
  - A clear and reasonable purpose directly related to the purpose of processing
  - Retaining personal information for the shortest time necessary to achieve the processing purpose
- Data Subject Rights: Rights include:
  - Right to information and explanation on the data processing
  - Right to object to processing
  - Right to withdraw consent without penalty
  - In the event of a natural person’s death, his close relatives may, for their own lawful and legitimate interests, exercise the rights of access, copy, correction, deletion, etc., to the relevant personal information of the deceased
- Sensitive Information: Consent is required when processing sensitive personal information. Sensitive information includes biometrics/facial recognition, medical/health, financial, automated decision-making, behavioral advertising, and children (people 14 and under).
- Localization: Critical information infrastructure operators and businesses who process personal information of a certain volume (currently unspecified) are required to store the personal information collected and generated within the borders of China.
- Cross-border Transfers: To transfer personal information outside the People’s Republic of China, businesses must meet one of the following conditions:
  - Pass the security assessment organized by the national cybersecurity and informatization department
  - Obtain personal information protection certification from professional institutions in accordance with the regulations of the national cyberspace administration
  - Enter into a contract with the overseas recipient in accordance with the standard contract formulated by the national cyberspace administration department, stipulating the rights and obligations of both parties
  - Other conditions stipulated by laws, administrative regulations or national cyberspace administration departments
- Data Breach Notification: In the event of a data breach, businesses must take “immediate” remediation actions and notify the relevant agency and affected individuals.
- Penalties: Businesses that unlawfully process personal information or fail to take necessary security measures to protect personal information may be subject to fines up to 1 million RMB.
This is where the comparisons to the GDPR end. On the surface, many of the tenets of the law appear to protect Chinese citizens and provide them privacy rights. However, PIPL does not prevent the People’s Republic of China’s central government from accessing data, and there do not appear to be any restrictions that limit government surveillance. IAPP Chief Knowledge Officer Omer Tene offered a brief Twitter thread on the proposed law’s main takeaways, concluding: “If you’re doing business in China,” he said, “get legal advice. They’re not playing around.”