After three rounds of revisions, on August 20, 2021, the National People’s Congress Standing Committee of the People’s Republic of China officially passed the Personal Information Protection Law (the “PIPL”).
- Fundamental Principle. The fundamental principles under the PIPL is that collection and processing PI should be limited only the minimum level as necessary to fulfill the specific purpose of PI processing; or the so-called “as minimum and as necessary” principle. PI processing beyond the level of minimum and necessity may be found a violation of the PIPL, even if individual consent is obtained or other formality is fulfilled. PI processing and compliance program should be set up always with the fundamental principles in mind.
- Effective Date. Although a number of important provisions will require clarification through implementing rules by regulatory authorities, the PIPL will take effective on November 1, 2021, without the 6+ months grace period as previously expected. Companies doing business in China or otherwise processing Chinese residents’ data need to take immediate actions to comply with the PIPL. (Note: the PIPL applies only in Mainland China. Hong Kong has its own data protection rules which are not affected).
- Extra-Territorial Effect: For the first time, the PIPL will apply to processing of Chinese residents’ data outside of China if it is to provide goods or services to people within China, to analyze the activities of persons within China, or as otherwise proscribed by law. Currently, personal data related Chinese laws do not apply to processing activities outside of China, for example, where the collecting entities and the servers hosting the data are located outside of China. Such activities will now be bound by the PIPL and the relevant entities should particularly note the specific consent requirement and the data localization requirements under the PIPL.
- Legal Bases for Processing: In the following situations, processing of PI is permitted by law without obtaining consent from the data subject:
- For the performance of a contract with the individual or for purpose of human resources management according to legally adopted labor policies;
- Where necessary to perform statutory duties; or
- A few other situations like where necessary for the protection of life, health and property, news reporting, or as otherwise required by law.
“For purpose of human resources management according to legally adopted labor policies” is newly added in the final version PIPL, which is likely to facilitate employee data management. It makes room for companies to rely on its legally adopted employment policies such as its employee handbook, to process employees’ PI, instead of obtaining consent from each individual employee.
- Data Localization Requirements. Critical Infrastructure Information (“CII”) operators or entities processing a large amount of personal information must store personal information within the territory of Mainland China. If they need to transfer such personal information to points outside China, the transfer must pass a security assessment administered by the government authorities.
Critical Information Infrastructure (“CII”) refers to the network and IT system that are critical to national security and public interest, such as government system, utilities, financial system, public health, etc. Operators of CII are subject to much stricter rules in terms of data security and cross-border data transfer. Every company operating in China is suggested to conduct a self-assessment as to whether it might be deemed as a CII operator.
“Large amount of personal information” is not defined in the PIPL. A few other data-related regulations or draft regulations, which define “large amount” as 500,000 or 1,000,000 individuals, may shed some light on the threshold. It is expected to be clarified by the authorities.
- Cross-Border Transfer. Other than CII operator and large volume of PI as mentioned above, cross-border transfer is only allowed if the PI processor meets one of the following requirements:
- It passes a security assessment organized by the Cybersecurity Administration of China (CAC);
- It is certified by a specialized agency for the protection of PI by CAC;
- It enters into a contract with the overseas recipient under the standard contract formulated by the Cyberspace Administration of China, the form of which has not yet been published.
- Separate Consent. The PIPL requires PI processor to obtain “separate consent” in various occasions, including cross-border transfer, sharing or entrusting PI to a third party and processing of sensitive PI. “Separate consent” means the consent should be specifically relating to the relevant purpose, and not be bundled into a privacy policy covering multiple processing activities. For each such separate consent, certain information must be disclosed to the data subject as provided under the PIPL.
- Penalties. Violations of the law, with serious consequences may be penalized up to 5% of the prior year’s turnover, and/or the ceasing of services including the possible revocation of the business license.
We will provide a more in-depth summary of the PIPL shortly.