On August 20, 2021, the Standing Committee of the 13th National People's Congress of China issued the final version of Personal Information Protection Law (the “PIPL”), which will come into effect on November 1, 2021. This follows three previously released drafts of this critical law, and comes ten months after the release of the first draft on October 21, 2020 (see our prior article here).
When it comes into effect, the PIPL will be China’s most significant personal information privacy legislation to date, becoming a cornerstone, along with the new Data Protection Law and the older Cybersecurity Law, for personal information (“PI”) regulation in China’s previously fractured data and privacy regulatory scheme. In nature, the PIPL takes inspiration from other comprehensive privacy laws, in particular the GDPR, and as such many concepts and requirements in the PIPL will be familiar to global practitioners. But the PIPL also has numerous unique requirements, responsive to China’s specific domestic and international priorities.
This article intends to provide a quick overview of the core requirements and risks under the PIPL for companies operating in or targeting the Chinese market.
General Principles for PI Processing – Notification and Consent
- Under the PIPL, the key principle for PI collection and processing is notification and consent, with a few exceptions including contractual necessity for contract with an individual or to perform statutory obligations.
- For consent to be effective, the notification must include, among other information, the purpose, scope and method of data processing. In addition, the scope of collection and retention of PI should be the minimum necessary to achieve the processing purpose, which must be specific and reasonable.
- Enhanced notification and consent is required for certain activities, including transfers and cross-border transfers, and the processing of Sensitive PI, which is defined similarly to the GDPR.
- Operators may not deny services on the basis of a refusal to consent to PI processing whether the PI is not essential to the provision of the services.
- Users may withdraw consent, and PI processors must provide channels to make such requests, as well as report other issues.
Extraterritorial Effect
As foreshadowed in the prior drafts, the PIPL asserts jurisdiction over organizations and individuals who undertake activities outside the borders of China if the PI of natural persons within China is involved, and where the purpose of such activities is to provide products or services to natural persons inside China or to analyze or assess their activities. This has potentially significant ramifications for many companies, including those operating entirely outside of China, but it’s not yet known how aggressively the PRC authorities will enforce these provisions, or what mechanisms they will primarily use.
One clue is offered in a parallel requirement that overseas PI processors set up special agencies or appoint designated representatives in China to be responsible for PI protection related matters, and submit the name of such agency or the name and contact information of the representative to the authorities. Again, this is an untested mechanism, but it’s possible that the authorities would seek to impose penalties on these representatives for violations by their principals. Local affiliates of any such overseas PI processors might also draw attention.
Cross-border Transfers
For any cross-border transfer of PI, the PI processors must secure separate and specific consent from the PI subject, disclosing the identity of the overseas recipient, the purpose and method of the processing.
For critical information infrastructure operators (“CIIOs”) and PI processors who handle a large amount of data (specific threshold still pending clarification), there are more restrictions. These entities must keep PI within China, and any cross-border data transfer will be subject to a security assessment by the Cyberspace Administration of China (“CAC”).
Other PI processors may undertake cross-border transfers, but only where necessary and if they also complete one of the following: (1) pass a security assessment, (2) obtain PI protection certification from a specialized body, or (3) conclude a data transfer agreement following the form provided by the relevant national cyberspace authority.
Certain categories of data are also completely prohibited from cross-border transfers.
The other significant requirement relating to foreign data sharing is that the PIPL prohibits personal information processors from providing any personal information stored within the territory of the PRC with any foreign judicial or law enforcement body without the prior approval of the competent PRC authorities. As with the extraterritoriality provisions mentioned above, it’s not yet known exactly how this provision will be interpreted or enforced, particularly in respect of whether personal information that is stored both within and outside of the PRC (i.e. duplicated) will fall into this scope. In any event, this provision may present challenges to organizations that face law enforcement information requests in multiple jurisdictions, though the PIPL also suggests that China will comply with any data sharing treaties it has joined.
Third Party Processing
Third party processing is not a safe harbor. Before engaging a third-party to undertake PI processing, the data controller must conduct an assessment to determine any impact on PI protection. There are also specific requirements for the required data processing agreement to be entered between such parties, including specifying the purpose, period, and method of the contracted processing, the type of PI to be processed, any protection measures to be taken, and the rights and obligations of both parties, etc.. The data controller must supervise the processing activities carried out by the contracted party and keep a record of such activities.
PI processors must also disclose to the PI subject to identity of the third party, the purpose and method of the processing, and the type of PI involved, and obtain specific consent for that third party processing.
Important Internet Platform Service Providers
Important internet platform services providers - The PIPL stipulates that the PI processors who provide important internet platform services, have a large number of users, and/or have certain complex business types will have additional obligations, such as establishing a PI protection compliance system, and regularly publishing PI protection reports. The specific criteria for inclusion in this group have not yet been defined.
Automated Decision Making
Where PI processors use automated decision-making, the PIPL requires that the process be transparent, that the results be fair and impartial, and that there be no unreasonable differential treatment of individuals in terms of transaction prices or other transaction terms. Individuals are also supposed to be given the option to refuse personalization based on automated decision making.
The PIPL also states that if a decision made by a PI processor through automated decision-making has a material impact on an individual's rights and interests, the individual shall have the right to demand the PI processor to provide an explanation, as well as the right to refuse to be subject to such decisions by the PI processor made solely by means of automated decision-making.
These provisions are fairly broad, so we would expect further implementing rules to be released in order to clarify the specific technical requirements.
Fines up to CNY 50 Million (Around USD 7.7 Million) or 5% of Annual Turnover
The PIPL introduces specific administrative penalties for various violations, including substantial monetary penalties. Where PI is handled in violation of the PIPL or without adopting necessary security protection measures, the PI processor shall be subject to a correction, given a warning, and any illegal gains shall be confiscated. Any application program that illegally processes PI will be ordered to suspend or terminate its services. Where correction is refused, the operator shall be subject a fine of up to CNY 1 million (around USD 154k). Additionally, the persons directly in charge and other directly responsible persons shall be fined between CNY 10,000 and CNY 100,000 (around USD 1.5k to USD 15k). Where the circumstances are serious, operators shall be subject to a rectification order, a warning, confiscation of illegal gains, and a fine of not more than CNY 50 million (around USD 7.7 million) , or 5% of their prior year’s annual turnover. They may also be subject to orders to suspend any related activity or to suspend business for rectification, and/or be reported to the relevant authority for the revocation of the related business permit or business license. The persons directly in charge and other directly responsible persons shall fine between CNY 100,000 (around USD 15k) and CNY 1 million (around USD 154k).