After two rounds of public consultation, China’s new omnibus data privacy law – the Personal Information Protection Law (个人信息保护法, PIPL) – was officially promulgated by the Standing Committee of the National People’s Congress on August 20, 2021 and will take effect on November 1, 2021.
The drafting of PIPL was heavily influenced by the EU General Data Protection Regulation (GDPR) and PIPL follows GDPR closely in many areas. Nonetheless, PIPL has a number of distinct features and global companies need to understand these in particular.
In this alert, we address a number of questions often asked about China’s PIPL, including what companies ought to do to get ready for it.
The principal provisions of PIPL apply to the “handling” of PI (个人信息处理) and to “PI handlers” (个人信息处理者).
The term “PI handling” includes, without limitation, the collection, storage, use, processing, transmission, provision, public disclosure, and deletion of PI.
A “PI handler” under PIPL is similar to the concept of “data controller” under GDPR and refers to an organization or individual that, when handling PI, independently determines the purpose and method of handling.
As a jurisdictional matter, PIPL applies primarily to PI handling undertaken within China. However, similar to GDPR, PIPL seeks to have extraterritorial reach. PIPL also applies to the handling, undertaken from outside China, of the PI of natural persons in China where that handling is:
PIPL requires overseas parties engaged in data-handling activities that fall within the ambit of PIPL to set up an institution or designate a representative within China that is responsible for handling matters relating to PI protection, and report their name and contact information to the competent authority.
PIPL also includes broadly drafted language extending its reach to organizations and individuals outside China that harm the PI-related rights or interests of PRC citizens or undertake PI handling activities that harm national security or the public interest, and contemplates that the Cyberspace Administration of China (CAC) may add them to a public list and take measures such as restricting or prohibiting the provision of PI to them.
PIPL includes robust disclosure requirements. A PI handler must disclose the policies it follows in handling PI and the specific purpose, method, and scope of its PI-handling activities.
Before handling an individual’s PI, a PI handler must disclose to the individual in a conspicuous manner and in clear and understandable language:
Additional notice requirements are applicable to handling of sensitive PI, cross-border PI transfers, and provision of PI. See below for details.
The lawful bases for handling PI provided for under the PIPL include:
Pre-PIPL, consent was virtually the only lawful basis to handle PI. PIPL adopts some but not all legal bases provided for under GDPR. Most notably absent from PIPL is the broadest basis under GDPR, namely “legitimate interest.” For the time being, therefore, consent appears to be more pivotal under PIPL than under GDPR, although we also note that the drafters of PIPL have left flexibility for additional bases to be added later on via implementing regulations.
PIPL broadens a data localization requirement first introduced in the Cyber Security Law (CSL), which came into effect on June 1, 2017. The CSL requires operators of critical information infrastructure (CII) to store in China PI and important data collected and generated during business operations in China.
In respect of PI, PIPL expands this requirement beyond CII operators, to include all PI handlers handling PI in volumes exceeding a certain threshold to be prescribed by the CAC. At the time of writing of this alert, the threshold has still not been established.
A PI handler with a genuine business need to provide PI outside China may do so if it satisfies one of the following conditions:
Implementing measures for each of these cross-border transfer mechanisms have yet to be issued.
The PI handler must take necessary measures to ensure the overseas recipient’s PI handling meets the PI protection standards specified in PIPL.
The PI handler must also inform the individual of the name and contact information of the overseas recipient, the purpose and method of handling, the types of PI, and how an individual can exercise his or her rights with the foreign recipient, as well as obtain the individual’s separate consent (unless a lawful basis other than consent is applicable).
As discussed in response to Question 10, cross-border PI transfers will trigger a protection impact assessment (PIA) requirement.
Similar to the Data Security Law, PIPL makes the provision to foreign judicial or law enforcement institutions of PI stored in China subject to regulatory approval.
PIPL provides individuals with various rights concerning their PI, including:
When handling sensitive PI, a PI handler must, in addition to complying with the notice requirements that apply generally to PI handling, also inform the individual of the necessity of the handling of the PI and its impact on his/her personal rights and interests.
The PI handler must have a specific purpose and sufficient necessity and take strict protective measures before handling sensitive PI.
Where the handling of sensitive PI is based on consent, the PI handler must obtain the individual’s “separate consent” (单独同意), unless laws or regulations require that written consent be obtained. In using the term “separate consent” in a number of provisions, the final version of PIPL moved away from the terms “explicit consent” (明示同意) and “express consent” (明确同意) used in previous laws and standards. PIPL offers no guidance on the meaning of the term, although we anticipate that a separate check box or a separate pop-up window/page will be needed to meet separate consent requirements under PIPL.
Where a PI handler provides any PI to another PI handler, it must inform the individual of the recipient’s name and contact information, the purpose and method of handling, and the types of PI, and obtain the individual’s separate consent.
When entrusting the handling of PI to another person, a PI handler must agree with the entrusted person (similar to the concept of “data processor” under GDPR) on the purpose, term, and handling methods of the PI, the types of PI involved, the protective measures to be implemented, and the respective rights and obligations of the PI handler and the entrusted person. The entrusted person must not handle PI beyond the agreed scope. Without consent of the PI handler, the entrusted person cannot further entrust the handling of the PI to other persons.
Data sharing will trigger a PIA requirement, as discussed in our response to Question 10.
Yes. A PI handler must conduct a PIA before carrying out any handling activities that could have a major impact on individuals’ rights and interests, including:
Relevant records must be retained for at least three years.
Where a data breach occurs or may occur, a PI handler must immediately take remedial measures and notify the competent authority and the relevant individuals. However, PIPL does not impose a specific 72-hour notification obligation as GDPR does.
According to PIPL, a PI handler does not have to notify affected individuals if the breach does not cause any harm. However, notification to the relevant authority is not exempted, and the authority has the power to mandate notice to the relevant individuals if it takes the view that the breach may cause harm.
A PI handler handling PI in volumes exceeding the threshold prescribed by the CAC must designate a person in charge of PI protection (similar to the DPO requirement under GDPR) to supervise PI handling activities and the implementation of protective measures. The PI handler must publicly disclose the contact information of its DPO and report the DPO’s name and contact information to relevant authorities.
At the time of the writing of this alert, the threshold has not been established.
Penalties under PIPL include an order to rectify, a warning, confiscation of illegal gains, and, in the case of an application that illegally handles PI, an order to suspend or terminate the provision of services. A fine of up to RMB1 million (approx. USD150,000) will be imposed concurrently for a refusal to make rectification; and a fine ranging from RMB10,000–100,000 (approx. USD1,500–15,000) will be imposed on the person directly in charge and other directly liable persons.
Where circumstances are deemed serious, a violation could result in, among other penalties, a fine of up to RMB50 million (approx. USD7.5 million) or 5% of the previous year’s turnover. A fine ranging from RMB100,000–1 million (approx. USD15,000–150,000) on the person directly in charge and other directly liable persons can be imposed.
In many respects, the promulgation of PIPL does not represent a radical departure from either pre-PIPL privacy rules in China or the overall approach taken in GDPR. Companies that have already taken account of Chinese rules in their personal data practices, and that follow GDPR standards in their Chinese operations, may already be in reasonably good shape regarding many of the requirements of the new law.
However, a key challenge for global companies is to comply with PIPL rules governing cross-border transfers of personal information. These rules are more stringent than the provisions under either GDPR or pre-PIPL privacy rules in China and so focusing on them ought to be a priority. Implementing technical and operational measures to address the new rules may require extensive lead time. We therefore strongly recommend that companies review their current arrangements with specialist counsel as soon as possible in order to maximize the time available for implementation before the November 1, 2021 date when PIPL comes into force.
The implementation schedule for PIPL is unusually brisk. The approximately 10-week gap between the date of promulgation of PIPL and the date it comes into force contrasts with the close to 30-week gap when the CSL was first introduced. We expect implementing measures to be issued soon to specify the mechanics needed to implement certain PIPL provisions, such as those applicable to cross-border transfers of PI, but certain aspects of PIPL will most likely remain unclear for some time after the law comes into force. We will monitor developments leading up to November 1, 2021 and thereafter.
As further explained in the Terms / Notices linked below, the information provided herein is not legal advice. Any information concerning the People’s Republic of China (“PRC”) is not an opinion on, determination on, or certification of the application of PRC law. We are not licensed to practice PRC law.