Getting Started with PIPL Compliance

Annie Greenley-Giudici

Although the Chinese Personal Information Protection Law (PIPL) went into effect on November 1, 2021, many organizations still wonder if they meet PIPL compliance.

For the details of many of its provisions, PIPL relies heavily on further guidance and administrative regulations.

Given the serious sanctions that can be imposed on organizations that do not comply, a major effort is needed to meet the main PIPL requirements by November.

Scope of the Chinese Personal Information Protection Law

PIPL applies to personal data processed within the People’s Republic of China, and also where products or services are provided to people in China, where the activities of people in China are assessed or analyzed, or where Chinese laws and regulations otherwise so provide.

The scope of the law is comparable to the EU GDPR, including a household exemption and no nationality requirement.

Due to globalization and the many businesses with operations in China, understanding PIPL compliance is imperative for businesses in today’s economy.

Important Definitions to Know for PIPL Compliance

Unlike many modern data protection laws, the PIPL does not include an extensive section of definitions.

Some terms are defined in the relevant provisions, and some are featured in an official explanation included in article 73.

The most important of these is the Personal Information Handler: the organization or individual that autonomously decides on the purposes of handling personal data, a role comparable to the Data Controller (GDPR, LGPD) or the Business (CCPA).

PIPL Article 4 Includes Two Key Definitions

Personal data handling is the terminology used in the PIPL for the processing of personal data, which includes anything from collection to deletion.

Personal data refers to all information, electronic or otherwise, that relates to an identified or identifiable natural person. Anonymized data is explicitly excluded.

A processor or service provider is known under the PIPL as an entrusted person (article 21).

Personal Data Processing

The handling or processing of personal data is bound to a series of principles, which include legality, propriety, necessity and sincerity, as well as purpose limitation, data minimization, data quality, and accountability.

Transparency is a key element of the law: organizations must give individuals notice when processing their data, detailing how the personal data is processed and which personal information handling rules (such as standard operating procedures) apply.

The legal bases for processing personal data are also inspired by those found in other laws, and range from consent and necessity to conclude or fulfill a contract (including HR matters) to compliance with legal requirements and urgent medical needs.

Data can also be processed in these situations:

  • To secure the property of an individual in case of emergencies
  • For news reporting and similar activities in the public interest
  • When the information has already been made public in a lawful way, either by the individual or a third party

Consent and Data Processing

If an organization relies upon consent, it needs to be freely given with an explicit statement, based on full knowledge of the processing operation.

Consent can be withdrawn and needs to be obtained anew if anything changes in the processing operation.

There are specific requirements for all important Internet platform services (think of major tech companies).

They will, for example, need to create a compliance infrastructure in line with forthcoming State regulations, establish their own independent supervision body, and clarify the standards for intra-platform data handling.

3 PIPL Compliance Friendly Methods for International Transfers

Personal data covered by the law should only be processed in China.

Processing personal data in another country, where truly needed, is permitted under one of three conditions, each governed by the State Cybersecurity and Informatization Department:

  • Passing a security assessment;
  • Obtaining a certification by a specialized body; or
  • Under an approved standardized contract.

Large information infrastructure operators that process personal data above a certain threshold (yet to be determined) can only rely on the security assessment route.

Once these mechanisms are available – there are no indications of a timeline so far – the foreign receiving party will need to meet the PIPL standards.

Interestingly, the law also provides that any discriminatory provisions or limitations imposed on China by other countries may be reciprocated.

Data Breaches

A general data breach notification to authorities and individuals is effective in China as of 1 September 2021, under article 29 of the Chinese Data Security Law.

This provision is further supplemented by article 57 PIPL, which stipulates that the notification needs to include:

  • The information categories, causes, and possible harm caused by the (suspected) breach;
  • Measures taken by the organization to mitigate these risks, and what measures individuals could take themselves; and
  • How to contact the organization.

Individuals need not be notified if sufficient measures were taken to prevent harm to them.

Individual Rights

The PIPL provides individual rights such as access, correction and deletion. Furthermore, the law allows for restriction of data processing if deletion is not possible or technically hard to realize.

Other rights under PIPL include a right to know (understand the data processing operations), a right to decide (individual control over processing operations), and a right to limit or refuse data processing, unless it is mandatory under law.

Organizations are required to provide an answer to the individual “in a timely manner”, and if denied, the organization must explain why.

Accountability

Accountability plays an important role in the PIPL.

Article 9 includes the basic requirement for organizations to “bear responsibility for their personal information handling activities”. This is further explained in Article 51.

Organizations are required to formulate internal management structures and operating rules, to implement categorized management of personal information (e.g., a register of processing activities), to adopt appropriate technical security measures, and more.

Furthermore, individuals have the right to request organizations to explain their personal information handling rules.

The appointment of a DPO will only be mandatory for large organizations, with the threshold to be defined at a later date.

However, similar to GDPR, organizations without a physical presence in China must appoint a representative registered with the Chinese authorities.

Enforcement

It is not yet certain which authorities will enforce the PIPL, but it is clear that serious sanctions can be imposed for violations of the law.

These could include compliance orders, processing bans, confiscation of unlawful income, and fines of up to 1 million Yuan (~$155,000).

Additionally, persons in charge and/or directly responsible for the processing operation can receive a personal fine between 10,000 and 100,000 Yuan.

For grave violations, the maximum fine for the organization is up to 50 million Yuan (~$7.7 million) or 5% of annual revenue.

The individual sanction would go up to between 100,000 and 1 million Yuan, and could include a prohibition to hold a number of professional positions for a certain period.

Individuals whose data is wrongfully processed have a right to compensation.

In case a large number of individuals is involved, the People’s Procuratorates (comparable to the Public Prosecution Service) can also file a lawsuit against the organization.
