Personal Information Protection Law of the People's Republic of China

Short Title: Personal Information Protection Law of China
Legislature: National People's Congress
Long Title: Personal Information Protection Law of the People's Republic of China
Territorial Extent: People's Republic of China excluding China's Special Administrative Regions
Enacted By: 13th National People's Congress
Date Enacted: August 20, 2021
Date Commenced: November 1, 2021
Related Legislation: Cybersecurity Law of the People's Republic of China; Data Security Law of the People's Republic of China
Summary: This law is formulated in order to protect the rights and interests of personal information, regulate personal information processing activities, and promote the rational use of personal information.
Keywords: Civil code
Status: in force

The Personal Information Protection Law of the People's Republic of China (Chinese: 中华人民共和国个人信息保护法; pinyin: Zhōnghuá rénmín gònghéguó gèrén xìnxī bǎohù fǎ), referred to as the Personal Information Protection Law or "PIPL", is a law aimed at protecting personal information rights and interests, standardizing personal information handling activities, and promoting the rational use of personal information. It also addresses the transfer of personal data outside of China.

The PIPL was adopted on August 20, 2021, and is effective November 1, 2021.[1] It is related to, and builds on top of both China's Cybersecurity Law ("CSL") and China's Data Security Law ("DSL").[2]

A reference English version was published on December 29, 2021.

History

On August 20, 2021, the Standing Committee of the 13th National People's Congress passed the Personal Information Protection Law ("PIPL"). The law, which took effect on November 1, 2021, applies to the activities of handling the personal information of natural persons within the borders of China.

In comparison to countries in the West, China has developed its privacy laws over time at a slower pace. In recent years, though, China has more actively developed regulations, as the nation is considered a “global cyberforce.” China’s policies differ from Western nations, in that their perception of privacy is different due to historical and cultural reasons.[3]

During the drafting process, the European Union's General Data Protection Regulation ("GDPR") was used as a model and in some areas, PIPL closely tracks the GDPR.

Provisions

Scope

The PIPL generally covers all organizations operating in China that process personal information.

Long Arm Jurisdiction

Some provisions also extend Long Arm Jurisdiction to the data collection and processing of organizations outside of China. These apply when:

  1. The purpose is to provide products or services to natural persons inside the borders;
  2. The purpose is to analyze or assess the activities of natural persons inside the borders;
  3. Other circumstances provided in laws or administrative regulations apply.

This presumably applies to offshore or multi-national companies with Chinese customers in China,[4] for example Amazon, which might be shipping goods to a Chinese buyer, or Apple, which may have Chinese users in the American App Store.

All such entities are required to establish a dedicated entity or appoint a representative within China.

Exemptions

There are few exemptions, but one that was added during late drafting provides a non-consent legal basis for handling employee data, though employee consent is still needed for overseas transfer, such as to a global corporate parent.[5] [6]

Key Themes

Individual privacy, control and consent are consistent themes throughout the law, which lays down key principles including:

Definitions

The law defines the following:

Legal Basis

All personal information collection and processing must have one of the following legal bases:

  1. Individuals’ consent obtained;
  2. Where necessary to conclude or fulfill a contract in which the individual is an interested party, or where necessary to conduct human resources management according to lawfully formulated labor rules and structures and lawfully concluded collective contracts;
  3. Where necessary to fulfill statutory duties and responsibilities or statutory obligations;
  4. Where necessary to respond to sudden public health incidents or protect natural persons’ lives and health, or the security of their property, under emergency conditions;
  5. Handling personal information within a reasonable scope to implement news reporting, public opinion supervision, and other such activities for the public interest;
  6. When handling personal information disclosed by persons themselves or otherwise already lawfully disclosed, within a reasonable scope in accordance with the provisions of this Law.
  7. Other circumstances provided in laws and administrative regulations.

Unlike in the GDPR, there is no legitimate interests basis.[7] Therefore, most consumers will likely be covered by giving their direct consent (such as for cookies, newsletters, etc.) or by contract fulfillment (such as shipping goods to them or providing services).

Consent

Consent is a major concern of the PIPL and a key legal basis on which handlers can process personal information.

If there is no other legal basis for processing data, handlers must get consent for data collection and processing, and this consent can be revoked by any individual at any time. Handlers are not allowed to refuse to provide products or services if an individual withholds or withdraws their consent for non-essential processing.

Separate consent is also specifically required in a number of situations:

Consent for these situations cannot be "bundled" and thus must be obtained separately from the individual.[8]

Where a change occurs in the purpose of personal information handling, the handling method, or the categories of handled personal information, the individual's consent shall be obtained again.

Individual Rights

Individuals have several specific rights under the PIPL - they can:

Automated Decision Making

There are specific rules for automated decision making in the PIPL, including the right of individuals to opt-out, such as disabling product recommendations.

The law specifically requires "transparency of the decision-making and the fairness and justice of the handling result shall be guaranteed, and they may not engage in unreasonable differential treatment of individuals in trading conditions such as trade price, etc."

Companies pushing information delivery or commercial sales to individuals through automated decision-making methods shall simultaneously provide the option not to target an individual's characteristics, or provide the individual with a convenient method to refuse.

When the use of automated decision-making produces decisions with a major influence on the rights and interests of the individual, they have the right to require personal information handlers to explain the matter, and they have the right to refuse that personal information handlers make decisions solely through automated decision-making methods.

The law states that automated decision-making "refers to the activity of using computer programs to automatically analyze or assess personal behaviors, habits, interests, or hobbies, or financial, health, credit, or other status, and make decisions."[9]

Facial Recognition

The PIPL specifically covers the use of facial recognition in public spaces, including that it can only be used for public security reasons unless each individual separately consents:

"The installation of image collection or personal identity recognition equipment in public venues shall occur as required to safeguard public security and observe relevant State regulations, and clear indicating signs shall be installed. Collected personal images and personal distinguishing identity characteristic information can only be used for the purpose of safeguarding public security; it may not be used for other purposes, except where individuals’ separate consent is obtained."

Handler Obligations

Personal information handlers have several specific obligations:

  1. Formulating internal management structures and operating rules;
  2. Implementing categorized management of personal information;
  3. Adopting corresponding technical security measures such as encryption, de-identification, etc.;
  4. Reasonably determining operational limits for personal information handling, and regularly conducting security education and training for employees;
  5. Formulating and organizing the implementation of personal information security incident response plans;
  6. Other measures provided in laws or administrative regulations.

All handlers must "regularly engage in audits of their personal information handling and compliance with laws and administrative regulations."

Personal Information Protection Officers

In addition, at a certain (not yet defined) data handling scale, handlers must appoint "personal information protection officers, to be responsible for supervising personal information handling activities as well as adopted protection measures, etc."

Impact Assessment

Under the following circumstances, handlers must perform a personal information protection impact assessment and report the results:

  1. Handling sensitive personal information;
  2. Using personal information to conduct automated decision-making;
  3. Entrusting personal information handling, providing personal information to other personal information handlers, or disclosing personal information;
  4. Providing personal information abroad;
  5. Other personal information handling activities with a major influence on individuals.

Such assessments must include:

  1. Whether or not the personal information handling purpose, handling method, etc., are lawful, legitimate, and necessary;
  2. The influence on individuals' rights and interests, and the security risks;
  3. Whether protective measures undertaken are legal, effective, and suitable to the degree of risk.

Data Localization

The PIPL has specific requirements on data localization, that is, the storage and processing of personal information within China.

Data Security

Information handlers have several responsibilities, including adopting measures to ensure personal information handling conforms to the provisions of laws and administrative regulations, and to prevent unauthorized access as well as personal information leaks, distortion, or loss. The required measures are those listed under Handler Obligations above: internal management structures and operating rules, categorized management of personal information, technical security measures such as encryption and de-identification, operational limits and regular security training for employees, and personal information security incident response plans.

Contractual Elements

Agreements are required when a handler entrusts personal data handling to another handler. Some law firms have suggested this will result in specific standard contractual clauses ("SCC"), similar to those in the GDPR.

Breach Notification

All data leaks must be reported internally, and if "harm may have been created" handlers may be required to notify the individuals affected. Notification details must include:

  1. The information categories, causes, and possible harm caused by the leak, distortion, or loss that occurred or might have occurred;
  2. The remedial measures taken by the personal information handler and measures individuals can adopt to mitigate harm;
  3. Contact method of the personal information handler.

Large Handlers

Large-scale handlers, such as those "providing important Internet platform services, that have a large number of users, and whose business models are complex", also have the following obligations:

  1. Establish and complete personal information protection compliance systems and structures according to State regulations, and establish an independent body composed mainly of outside members to supervise personal information protection circumstances;
  2. Abide by the principles of openness, fairness, and justice; formulate platform rules; and clarify the standards for intra-platform product or service providers' handling of personal information and their personal information protection duties;
  3. Stop providing services to product or service providers on the platform that seriously violate laws or administrative regulations in handling personal information;
  4. Regularly release personal information protection social responsibility reports, and accept society's supervision.

Overseas Transfers

Moving personal information outside of China is only allowed if one of these conditions is satisfied:

  1. Passing a security assessment organized by the State cybersecurity and information department according to Article 40 of this Law;
  2. Undergoing personal information protection certification conducted by a specialized body according to provisions by the State cybersecurity and information department;
  3. Concluding a contract with the foreign receiving side in accordance with a standard contract formulated by the State cyberspace and information department, agreeing upon the rights and responsibilities of both sides;
  4. Other conditions provided in laws or administrative regulations or by the State cybersecurity and information department.

All such transfers require each individual's separate consent and notification about "the foreign receiving side’s name or personal name, contact method, handling purpose, handling methods, and personal information categories, as well as ways or procedures for individuals to exercise the rights provided in this Law with the foreign receiving side, and other such matters."

Sharing data with foreign governments

Information handlers are prohibited from sharing any personal information with foreign judicial or law enforcement agencies without approval.

This has raised concerns among law firms about how multi-national corporations would or could respond to judicial inquiries in other countries, such as a warrant for data held about a Chinese citizen in those countries.

Government Departments

The PIPL includes a legal basis for how government bodies ("State Organs") can collect and process data. Generally, the government must follow the same rules as non-government entities, including notifications. There are some exceptions, such as where notification "shall impede State organs' fulfillment of their statutory duties and responsibilities".

Notes and References

  1. 中华人民共和国个人信息保护法_中国人大网. www.npc.gov.cn. Retrieved 2023-10-16.
  2. Zhang, Angela Huyue. High Wire: How China Regulates Big Tech and Governs Its Economy. 2024. ISBN 9780197682258. doi:10.1093/oso/9780197682258.001.0001.
  3. Recent evolution of the personal privacy legal protection in People's Republic of China. iris.uniroma1.it. Retrieved 2023-10-06.
  4. China Passes the Personal Information Protection Law, to Take Effect on November 1. Gibson Dunn. 2021-09-10. Retrieved 2021-09-29.
  5. Employee Personal Information Protection in China – Are You Up to Speed?. Crowell & Moring LLP. 2021-08-25. Retrieved 2021-09-29.
  6. Employers in China Should Prepare for Compliance Expectations Under Draft PIPL. China Briefing News. 2021-02-02. Retrieved 2021-09-30.
  7. China's Personal Information Protection Law (PIPL): Key Questions Answered. Morrison & Foerster (www.mofo.com). Retrieved 2021-09-29.
  8. The journey has just begun: China passes its Personal Information Protection Law. www.hoganlovells.com. Retrieved 2021-09-29.
  9. Translation: Personal Information Protection Law of the People's Republic of China. DigiChina (digichina.stanford.edu). Retrieved 2021-09-29.