Data Protection Report - Norton Rose Fulbright

China passed its Personal Information Protection Law (PIPL) on 20 August 2021. This is China’s first omnibus data protection law, and will take effect from 1 November 2021 allowing companies just over two months to prepare themselves. The PIPL is a game changer for any company with data or business in China. It will add another layer of complexity with respect to compliance with China’s security and data laws and regulations.

As is usual with all China laws, many of the concepts and requirements are high-level and we expect that some further details will be provided in regulations and practical guidances in the coming months.

Overview

The PIPL consists of 74 articles in 8 chapters, namely:

  • General Provisions;
  • Personal Information Processing Rules;
  • Rules for Cross-Border Provision of Personal Information;
  • Individuals’ Rights in Personal Information Processing Activities;
  • Obligations of Personal Information Processors;
  • Departments Performing Personal Information Protection Functions;
  • Legal Liabilities; and
  • Miscellaneous Provisions.

The law defines “personal information” as all kinds of information relating to identified or identifiable natural persons recorded by electronic or other form, excluding anonymized information. “Processing of personal information” includes, among other things, the collection, storage, use, refining, transmission, provision, public disclosure and deletion of personal information.

Extraterritorial Effect

The PIPL will have extraterritorial effect and will apply to the following processing activities:

  • processing, within China, of personal information of natural persons; and
  • processing, outside of China, of personal information of natural persons who are in China, if such processing is:
    • for the purpose of providing products or services to natural persons in China;
    • to analyze/evaluate the behavior of natural persons in China; or
    • other circumstances prescribed by laws and administrative regulations.

If a company outside of China conducts processing activities as described in (2) above, the PIPL requires that it set up a special institution or designate a representative in China for handling personal information protection matters, and report the name and contact details of such institution or representative to the Chinese authorities.

Responsible Authorities

The PIPL provides more clarity on the allocation of responsibilities between authorities and refers to the central and local authorities with responsibilities under the law as the authorities performing personal information protection duties and responsibilities (PI Protection Authorities). The allocation of responsibilities is as follows:

  • the national cyberspace administration (e., the Cyberspace Administration of China or CAC) is responsible for the comprehensive planning and coordination of personal information protection and related supervision and administrative work;
  • the relevant ministries and departments of the State Council are responsible for the personal information protection as well as supervision and administration within their respective purviews; and
  • the relevant departments of local governments at the county-level or above will also perform certain duties and responsibilities with respect to personal information protection and related supervision and administration in accordance with the regulations of the State.

Basis for Processing

The PIPL provides the following legal basis for processing personal information, and at least one of them must be established in order for the processing to be lawful:

  • consent by data subjects;
  • necessity for concluding or performing contracts to which the data subject is a party, or necessity for implementation of human resources management in accordance with legally-adopted labor rules and systems and legally-concluded collective contracts;
  • necessity for performing legal duties or legal obligations;
  • to respond to public health emergencies, or necessity for protection of natural persons’ life, health, and property safety under emergency circumstances;
  • processing, within the reasonable scope, of personal information for conducting news reports, public opinion supervision, and other acts for the public interest;
  • processing, within the reasonable scope and in accordance with the PIPL, of personal information that has been made public by data subjects or through other lawful means; and
  • other circumstances as stipulated by laws and administrative regulations.

The underlined part is newly added in the final version of the PIPL and gives employers more flexibility with respect to the processing of employee data. The PIPL also clarifies that consent by data subjects is not required if the processing is based on one of the legal basis listed in (2) to (7).

Cross-Border Transfers of Personal Information

Cross-border transfers of personal information can only be made for legitimate purposes such as business needs, and the transferor is obligated to take the necessary measures to ensure that the processing activities of the overseas recipient satisfies the protection standards set forth in the PIPL.

In addition, both a proper legal basis and consent by the data subjects will be required in order for such transfer to be lawful.

(1) Legal basis

The legal basis for cross-border transfers of personal information under the PIPL include:

  • passing a security review organized by the cyberspace administration if the transferor is an operator of critical information infrastructure (CII) or the volume of the affected personal information reaches the threshold specified by the CAC;
  • obtaining a personal information protection certification from a professional agency in accordance with the rules of the CAC;
  • entering into an agreement with the overseas recipient based on a standard contract form formulated by the CAC; or
  • other conditions provided by laws, administrative regulations or the CAC.

Implementation of the cross-border transfer regime will be dependent on further rules from the CAC, including the preparation of a standard form contract.

(2) Consent

Data subjects must be notified of the following matters and give their separate consent to the cross-border transfer of their personal information:

  • the name, contact details of the overseas recipient;
  • the purposes and methods of the processing;
  • the types of affected personal information; and
  • the methods and procedures for exercising the rights provided in the PIPL with the overseas recipient.

Regardless of whether there is a legal basis and consent is given, companies are strictly prohibited from providing personal information stored within China to foreign judicial or law enforcement institutions without the approval of Chinese authorities. This will be a difficult issue to navigate for international companies with reporting obligations to regulators in their own jurisdictions.

Individual’s Rights

The PIPL provides individuals with various rights with respect to their personal information, including:

  • right to know and to decide relating to their personal information;
  • right to restrict or prohibit the processing of their personal information;
  • right to consult and copy their personal information from the processors;
  • right to portability of their personal information;
  • right to correct and delete their personal information; and
  • right to request the processors to explain the processing rules.

The close relatives of a natural person can exercise these rights for their own legitimate and justifiable interests after the natural person is deceased, unless the deceased has made other arrangements when she or he were alive.

Processor’s Obligations

The PIPL imposes various obligations on the processors of personal information, including obligations to:

  • formulate internal management systems and operation procedures;
  • implement classified management of personal information;
  • adopt corresponding technical security measures such as encryption and de-identification;
  • reasonably determine the operational authorizations for personal information and provide regular security education and training for operational staff;
  • formulate and implement response plans for security incidents relating to personal information;
  • conduct regular compliance audits; and
  • adopt other security measures as stipulated by laws and regulations.

Certain companies (e.g., CII operators, processors of sensitive personal information, companies offering important Internet platform service involving a huge number of users, and complex types of businesses) are subject to more onerous obligations such as appointing a personal information protection officer and/or an independent supervisory board, conducting privacy impact assessments for the processing activities, and publishing regular social responsibility reports.

In the event of a data incident, processors are required to take “immediate” remedial measures and notify the PI Protection Authorities and any affected individuals.

Penalties

Violations of the PIPL may lead to an administrative fine of up to RMB 50 million or 5% of the processor’s turnover in the last year (it is unclear if this is local or global). Other penalties include order for rectification, warning, confiscation of illegal gains, suspension or cessation of service, cessation of operation for rectification, and revocation of operating permits or business licenses. The person-in-charge or other directly liable individuals may also be individually liable and fined or prohibited from acting as directors, supervisors, senior managers or personal information protection officers.

If the processing activity violates the rights or interests of a large number of individuals, a public interest action may be initiated by the People’s Procuratorate (i.e., the authority responsible for criminal prosecution), consumer protection organizations or other organization designated by the cyberspace administration.

Our take

The new law will reshape the handling of personal data in China, including the adoption of measures to deal with developing technologies around facial recognition, AI, and data analytics. It will require organizations to consider whether there are existing practices and procedures that need to be revisited. While this is being tipped as “China’s GDPR”, the law is different to the GDPR and nuanced for China’s own purposes. Consideration and understanding of the scope and application of the PIPL will continue as further details are released via additional regulations and practical guidances in the upcoming weeks.