The Chinese Personal Information Protection Law (PIPL) will apply as of 1 November 2021, only 73 days after it was adopted by the National People’s Congress, which leaves companies a short deadline. PIPL relies heavily on further guidance and administrative regulations to provide the details on many elements. Given the serious sanctions that can be imposed for non-compliance, organizations need to make a concerted effort to meet the main requirements of PIPL by November. The main points of the law are provided below; we will issue more detailed guidance and further resources.
PIPL applies to all personal data processed within the People’s Republic of China. It also applies to processing outside China where the purpose is to provide products or services to people in China, to analyze or assess their activities, or in other circumstances provided for by Chinese laws and regulations. The scope of the law is therefore comparable to the EU GDPR, including a household exemption and no nationality requirement.
Unlike many modern data protection laws, the PIPL does not include an extensive definitions section. Some terms are defined in the relevant provisions and a handful have an official explanation in article 73. The most important of these is the Personal Information Handler: the organization or individual that autonomously decides on the purposes and methods of handling personal data, the equivalent of the Data Controller (GDPR, LGPD) or the Business (CCPA). Article 4 includes two key definitions. Personal data refers to all information, electronic or not, that relates to an identified or identifiable natural person; anonymized data is explicitly excluded. Personal data handling is the PIPL’s term for the processing of personal data, covering anything from collection to deletion. A processor or service provider is known under the PIPL as an entrusted person (article 21).
Personal Data Processing
The handling or processing of personal data is bound to a series of principles, which include legality, propriety, necessity and sincerity, as well as purpose limitation, data minimization, data quality, and accountability. Transparency is a key element of the law, requiring organizations to provide notice to individuals when processing their data with details on how personal data is processed and which personal information handling rules (such as standard operating procedures) apply.
The legal bases for processing personal data are also inspired by those found in other laws, ranging from consent, necessity to conclude or fulfill a contract (including HR management), compliance with legal requirements, and urgent medical needs. Furthermore, data can be processed in order to protect the life, health or property of an individual in an emergency, for news reporting and similar activities in the public interest, and when the information has already been made public in a lawful way, either by the individual or a third party. If an organization relies upon consent, it needs to be freely given with an explicit statement, based on full knowledge of the processing operation. Consent can be withdrawn, and fresh consent is required if the purpose or method of processing, or the categories of data processed, change.
There are specific requirements for all important Internet platform services (think of major tech companies). They will for example need to create a compliance infrastructure in line with forthcoming State regulations, establish their own independent supervision body, and clarify the standards for intra-platform data handling.
Transferring personal data covered by the law outside China is permitted, where there is a genuine business need, under one of three mechanisms, each governed by the State cybersecurity and informatization department:
- Passing a security assessment;
- Obtaining a certification by a specialised body; or
- Under an approved standardized contract.
Critical information infrastructure operators, and organizations whose processing volume reaches a threshold yet to be determined, must store the personal data they collect in China and can only transfer it abroad after passing the security assessment. Once these mechanisms are available (there are no indications of a timeline so far), the organization must ensure that the foreign receiving party meets the PIPL standards. Interestingly, the law also provides that any discriminatory provisions or limitations imposed on China by other countries may be reciprocated.
A general data breach notification to authorities and individuals is effective in China as of 1 September 2021, under article 29 of the Chinese Data Security Law. This provision is further supplemented by article 57 PIPL, which stipulates that the notification needs to include:
- The information categories, causes, and possible harm caused by the (suspected) breach;
- Measures taken by the organization to mitigate these risks, and what measures individuals could take themselves; and
- How to contact the organization.
Individuals need not be notified if the measures taken can effectively prevent harm to them, unless the authorities require notification.
The PIPL provides individual rights such as access, correction and deletion. Furthermore, the law allows for restriction of data processing if deletion is not possible or technically hard to realize. Other rights under PIPL include a right to know (understand the data processing operations), a right to decide (individual control over processing operations), and a right to limit or refuse data processing, unless it is mandatory under law. Organizations are required to provide an answer to the individual “in a timely manner”, and if denied, the organization must explain why.
Accountability plays an important role in the PIPL. Article 9 includes the basic requirement for organizations to “bear responsibility for their personal information handling activities”. This is further explained in article 51, which requires organizations to formulate internal management structures and operating rules, to implement classified management of personal information (e.g., a register of processing activities), to adopt appropriate technical security measures, and more. Furthermore, individuals have the right to request that organizations explain their personal information handling rules.
The appointment of a data protection officer (DPO) will only be mandatory for organizations whose processing volume reaches a threshold to be defined at a later date. However, similar to GDPR, organizations without a physical presence in China must appoint a representative in China and report its details to the Chinese authorities.
It is not yet certain which authorities will enforce the PIPL. It is clear that serious sanctions can be imposed for violations of the law. These include compliance orders, processing bans, confiscation of unlawful income, and fines of up to 1 million Yuan (~$155,000). Additionally, persons in charge of and/or directly responsible for the processing operation can receive a personal fine of between 10,000 and 100,000 Yuan. For grave violations, the maximum fine for the organization is up to 50 million Yuan (~$7.7 million) or 5% of the previous year’s annual revenue. The individual sanction rises to between 100,000 and 1 million Yuan, and can include a prohibition on holding certain management positions for a certain period.
Individuals whose data is wrongfully processed have a right to compensation. Where the rights of a large number of individuals are affected, the People’s Procuratorates (comparable to the Public Prosecution Service) can also file a lawsuit against the organization.
TrustArc is in the process of adding the PIPL to its platform, to allow for compliance assessments, including via PrivacyCentral. Please reach out to us if you already want to learn more. Further details on compliance requirements will be provided as and when they become available via Nymity Research and a special microsite.