As reported in our recent post, on August 20, 2021, the National People’s Congress Standing Committee of the People’s Republic of China passed the Personal Information Protection Law (the “PIPL”). The implementation date is set for November 1, 2021, though, as set forth below, a number of important provisions await additional detail from the regulatory authorities via implementing rules.
Although the PIPL is the first comprehensive data privacy law in China, it follows on from the obligations established by the Cyber Security Law (2017), which focuses more on protecting critical infrastructure information, and the recently enacted Data Security Law (2021), which focuses on overall data security requirements. It does not replace these laws, but instead provides a framework focused on the overall protection of personal information.
The final version of the PIPL sets forth a number of new obligations that apply to all Personal Information (PI) collected from the mainland of the People’s Republic of China (hereinafter ‘China’, or the ‘PRC’) [Note: Hong Kong has its own data protection rules which are not affected]. The main changes from the earlier drafts of the PIPL are that the final version allows the processing of employee information, revises the definition of ‘Sensitive Personal Information’ and indicates that special rules will be created for small enterprises (as discussed below).
The final version of the PIPL establishes the following requirements:
- Fundamental Principle: Collection and processing of PI must be limited to the minimum necessary to fulfill the specific purpose of processing, the so-called “minimum and necessary” principle. Processing beyond that level may violate the PIPL even if individual consent has been obtained or other formalities have been fulfilled.
- Extra-Territorial Effect: As previously reported, for the first time the rules apply to the processing of PI of persons within China, including by entities outside of China, if the processing:
  - Is for the purpose of providing goods or services to people within China;
  - Is for the purpose of analyzing the activities of persons within China; or
  - Falls within any other circumstance prescribed by law.
This will impact organizations outside of China, which now need to comply with the PIPL, including its specific consent requirements for export and, in some cases, its data localization requirements. The PIPL also requires offshore PIPs to appoint a Data Privacy Representative within the PRC. This representative is responsible for handling matters relating to PI protection, and its name and contact information must be submitted to the authorities. The PIPL, however, does not specify who may act as a Data Privacy Representative, or how and to whom the filing should be made; these points will need to be addressed in future implementing rules.
- Definitions:
  - ‘Personal Information’ is quite broadly defined, and its collection is authorized only to the minimum scope required for its limited purpose.
  - ‘Processing’ includes the ‘collection, storage, use, processing, transmission, provision, disclosure and deletion, etc. of personal information’.
  - ‘Personal Information Processor’ [‘PIP’] is the entity Processing PI that can determine the purpose and method of processing.
- Legal Bases for Processing: Explicit and voluntary consent, given with full knowledge by the data subject, is required for the Processing of PI, except in the following situations:
  - For the performance of a contract with the data subject, or for the implementation of human resources management in accordance with legally adopted employment policies (Note: this now makes room for companies to rely on their employment policies, such as an employee handbook, to process employees’ PI instead of obtaining consent from each individual employee);
  - Where necessary to perform statutory duties; or
  - A few other situations, such as where necessary for the protection of life, health and property, for news reporting, or as otherwise provided by law.
- Consent Requirements:
  - Refusal to provide consent (or its withdrawal) by the data subject is not grounds for refusing to provide services/products unless such consent is necessary for providing the services/products;
  - Prior notice needs to be provided by the PIP as to:
    - Its name and contact information;
    - The purpose for processing and the retention period of the PI;
    - The way for the data subject to exercise the rights provided; and
    - Any other items specified by law.
- Separate Consent: The PIPL requires a PI processor to obtain “separate consent” in certain situations, including cross-border transfer, sharing PI with a third party and processing of sensitive PI. “Separate consent” means the consent must be specifically related to the relevant purpose, and not bundled into a privacy policy covering multiple processing activities.
- Data Subject Rights: Individuals are, among other items, given a right to:
  - Withdraw consent;
  - Timely access, correct, delete and/or transfer their PI;
  - Request the PIP to explain its processing rules;
  - Be notified of any transfer of their PI due to merger, division, dissolution or declaration of bankruptcy, including the name and contact details of the recipient.
Note: data subjects are given a private right of action before the people’s court if the PIP refuses their request.
- PIP Obligations: The PIP is required to provide for:
  - Data Security, which must incorporate security measures adequate to the purpose, type and impact of the PI it processes. The law specifies the types of security measures that should be incorporated.
  - Data Retention, which must be limited to the minimum period necessary for achieving the purpose of processing.
  - A Data Protection Officer, who must be appointed when the PI processed exceeds a certain quantity (yet to be specified).
  - Conducting regular compliance audits.
  - Conducting data privacy impact assessments when processing sensitive PI, using automated decision-making, providing PI to any third parties, providing PI overseas, or where the processing has a significant impact on the individual. There are specified items which must be included in such an assessment. The assessment must be retained for at least three years.
  - Joint PIPs (i.e., where they jointly determine the purpose and method of processing of PI) are permitted only where the rights and obligations of each PIP are agreed upon. However, it should be noted that each PIP remains jointly and severally liable, and they are subject to the third party transfer obligations set forth below.
- Third Party Processing: For the transfer of PI to any third party, the law now distinguishes two types of recipient:
  - Third party PIPs, in which case the initial PIP must notify the data subjects of the identity of the third party PIP, along with its contact details, the categories of data to be transferred and the purposes and methods of the processing. Separate consent must be obtained from the individuals for the processing by third party PIPs.
  - An Entrusted Party (i.e., one that simply processes the PI at the direction of the PIP), in which case the PIP must have an agreement with the Entrusted Party setting forth the obligations under the law, and must supervise its processing activities. The Entrusted Party may not provide the PI to another party without the consent of the PIP. Though the term “Entrusted Party” is not specifically defined by law, in application it seems similar to the GDPR’s concept of “data processors”.
- Use of Automated Decision-Making: Where automated decision-making is used, it must be fair and impartial. Information pushing and commercial marketing directed at an individual through automated decision-making must be accompanied by options that do not target the individual’s personal characteristics, or a convenient means of refusal must be provided to the individual. Where a decision has a significant impact on the individual, they may require an explanation and may refuse a decision made solely through automated decision-making.
- Sensitive PI: This is defined as any PI ‘likely to result in damage to the personal dignity of any natural person or damage to his or her personal or property safety once disclosed or illegally used, including such information as biometric identification, religious belief, specific identity, medical health, financial account and whereabouts and tracks, as well as the PI of minors under the age of 14’. It remains unclear how ‘specific identity’ will be interpreted. The data subject’s separate consent is needed for processing any sensitive PI and the PIP must only process for ‘specific purpose and sufficient necessity’ and where sufficient protection measures have been taken.
- Data Localization Requirements and Cross-Border Transfer:
  - Critical Infrastructure Information (“CII”) operators or entities processing a large amount of personal information must store personal information within the territory of the PRC. If they need to transfer such personal information to points outside the PRC, the transfer must pass a security assessment administered by the Cybersecurity Administration of China (“CAC”).
  - “CII” refers to the network and IT systems that are critical to national security and public interest, such as government systems, utilities, the financial system, public health, etc. The specific scope and guidelines for determining CIIs are yet to be published.
  - “Large amount of personal information” is not defined in the PIPL. A few other data-related regulations or draft regulations define “large amount” as 500,000 or 1,000,000 individuals, which may shed some light on the threshold. It is expected to be clarified by the authorities in future implementation rules.
  - For PIPs other than those subject to the localization requirements above, cross-border transfer is only allowed if the PIP meets one of the following requirements:
    - It passes a security assessment organized by the CAC;
    - It is certified by a specialized agency for the protection of PI in accordance with the rules issued by the CAC;
    - It enters into a contract with the overseas recipient under the standard contract formulated by the CAC, specifying the rights and obligations of both parties; or
    - It meets other conditions prescribed by laws, administrative regulations or the CAC.
  - The PIP must also inform the individual of the overseas recipient’s name, contact details and processing details AND obtain their separate consent.
  - Similar to the recently passed Data Security Law, before transferring any PI from China for use by foreign judicial or law enforcement authorities, the PIP must obtain the approval of the competent authorities of the PRC.
  - It is important to note that where an overseas organization engages in processing activities ‘infringing upon the personal information rights and interests of citizens of the PRC or endangering the national security and public interests of the PRC, the CAC may include such organization or individual in the list of subjects to whom provision of personal information is restricted or prohibited, announce the same, and take measures such as restricting or prohibiting provision of personal information to such organization or individual.’
  - In addition, where any country or region takes discriminatory prohibitive, restrictive or other similar measures against the PRC in terms of protection of PI, the PRC may take reciprocal measures against such country or region as the case may be.
- Breach Notification: The law requires that, ‘where personal information has been or may be divulged, tampered with or lost’, the PIP shall immediately take remedial measures and notify the authorities performing duties of PI protection and the individuals concerned. There are now designated items required for this notice. The notice to individuals may be exempted if the harm to individuals can be avoided. However, the authorities may still require PIPs to notify the affected individuals if they believe a harmful result may be caused.
- Penalties: Serious violations of the law may be penalized by a fine of up to 5% of the prior year’s turnover and/or the suspension of services, including possible revocation of the business license.
- Small Enterprises: The final PIPL requires the supervising authority to formulate special rules and standards applicable to small-size PI processors. This is likely to ease the burden and cost for small-sized companies of developing a comprehensive PI protection program to comply with the PIPL. However, these rules have yet to be formulated.
Given that the PIPL officially goes into effect on November 1, 2021, companies should immediately take steps to ensure compliance with these new and comprehensive requirements, including conducting a data inventory and mapping exercise, assessing the purpose and lawful basis for each PI processing activity, conducting a PI protection assessment, and putting in place measures to respond to data subject requests.