China’s New Personal Information Protection Law – 10 Questions Companies Should Consider

Effective on the 1st day of next month (November 2021), China’s first standalone privacy law will impose new obligations on companies regarding how they process personal information of individuals within China.

1. Who does the PIPL apply to?

The PIPL will apply to a company based in China if it processes personal information within China.

Subject to certain conditions as set out in question 2 below, the PIPL will apply to a company processing personal information outside of China even if the company is based outside of China.

Note that individuals processing personal information for personal or family affairs will not be subject to this new law.

Our Comments. Regardless of whether the processing of personal information is by a Chinese company or a local affiliate/branch of an MNCs, it will be subject to the PIPL as long as it is based in China. For overseas companies, they should consider whether they are processing personal information outside of China. If such processing is indeed carried out, the processing activities might trigger the application of the PIPL. 

 

2. My company is located outside of China. Would the PIPL apply to me?

If a company carries out personal information processing activities outside China, the PIPL will apply to it where such activities are for:

1. the purpose of providing products or services to individuals in China;
2. analysing or assessing the behaviour of individuals in China; or
3. other circumstances as prescribed by law and regulations.

Our Comments. The criteria for the extraterritorial reach of the PIPL is similar to the threshold tests of the GDPR. The GDPR applies to controllers and processors if they offer goods or services to EU data subjects or monitor the behaviour of data subjects in the EU. Overseas companies should consider whether they are carrying out activities that might be caught within the scope of the PIPL (e.g. offering products/services to individuals in China).

 

3. What are the grounds to process personal information under the PIPL? 

The processing of personal information is lawful only if at least one of the following conditions apply:

1. the individual’s consent has been obtained;
2. the processing is necessary for the conclusion or performance of a contract to which the individual is a party to;
3. the processing is necessary for HR management under a lawfully formulated employment policy or a legally concluded collective contract;
4. the processing is necessary to fulfil statutory functions or obligations;
5. the processing is necessary to respond to public health emergencies or protect the life and health of individuals, or the security of their property in emergencies;
6. the processing is for reasonable news/media reporting that is in the public interest;
7. the personal information being processed is publicly available and such processing is reasonable; or
8. any other circumstances as provided by law.

Our Comments. Unlike the GDPR, the PIPL does not provide for legitimate interests as a lawful basis for processing. Legitimate interest is arguably the most flexible of the GDPR’s law bases for processing personal data and which, from our experience, companies in practice usually rely on. A company that generally relies on legitimate interests to process individuals’ personal information should consider the bases under the PIPL that could act in lieu of legitimate interest.

For companies that are processing personal information “for HR management” under (c) above, they should consider if such processing is indeed necessary for HR management and whether the process (and not just the contents) of their employment policies was established in accordance with the laws and regulations of China to be regarded as “lawfully formulated”.

 

4. Does the PIPL provide for the processing of sensitive personal information? If so, are there special conditions for the processing of sensitive personal information?

There are specific provisions in the PIPL that address the processing of sensitive personal information. A company may not process sensitive personal information unless there is a specified purpose and sufficient necessity. In addition, strict measures must be adopted for protecting the sensitive personal information being processed.

“Sensitive personal information” refers to personal information that, once leaked or illegally used, may easily cause harm to the dignity or personal safety of individuals, or the security of their property, including without limitation biometric identification, religious beliefs, specially designated status, medical and health information, financial accounts, individual location whereabouts, as well as any personal information of a minor under the age of 14.

Our Comments: Companies should differentiate sensitive personal information from other personal information they process. Furthermore, companies should, by way of a personal information protection impact assessment, assess the risk of activities involving the processing of sensitive personal information and make records of such processing. 

 

5. What are the rights of individuals in relation to the processing of his/her personal information? 

Individuals have the following rights under the PIPL:

1. right to withdraw consent;
2. right to automated decision making;
3. right to information;
4. right to restrict or reject processing of their personal information;
5. right to data portability;
6. right to correction of their personal information;
7. right to deletion of personal information; and 
8. right to seek explanation of the rules of personal information processing.

Our Comments. Unlike the right of data portability under the GDPR which requires the data to be received in a “structured, commonly used and machine-readable format”, the right to data portability under the PIPL only requires companies to provide a channel to transfer.

We note that the PIPL expressly provides for a situation in which if the deletion of the personal information is technically difficult to achieve (which is, in practice, not implausible), the company must cease to process such personal information but it may store and protect the personal information. This might be relevant for companies when faced with situations in which they are unable to delete the personal information requested due to technical difficulties.

 

6. What are the requirements that apply to a transfer of personal information outside of China?

Save for Critical Information Infrastructure Operators (“CIIOs”) and companies which process a large volume of personal information, a company may transfer personal information outside of China under the following conditions:

1. obtains separate consent from the individual;
2. performs a personal information protection impact assessment and keeps a record of the processing for at least 3 years; and
3. satisfies one of the following conditions:

1. obtains a certification of personal information protection by a professional institution (to be stipulated by the authority);
2. having signed a contract with the overseas recipient based on a standard contract template (to be formulated by the authority);
3. meets other conditions provided by laws and regulations.

For CIIOs and companies which process large volume of personal information, they must store personal information in China and if it is necessary to provide personal information to an overseas recipient, the overseas data transfer would be subject to the authority’s security assessment.

Our Comments: The “standard contract template” is expected to be similar in principle to the standard contractual clauses under the GDPR. Depending on the ease (or difficulty) in obtaining the certification of personal information protection by a professional institution, the “standard contract template” condition would appear, in practice, to be a condition that companies could rely on for overseas transfer. However, note that the companies would still need to obtain separate consent from the individual. 

Regarding the definition of “large volume”, this has yet to be confirmed by the authority. However, we note that pursuant to the Administrative Measures on Security Assessment on Cross-Border Transfer of Personal Information and Important Data (Draft) issued on 11 April 2017 (“2017 Draft Measures For Personal Information And Important Data”), this definition may refer to personal information of more than 500,000 individuals or where the data volume exceeds 1,000GB.

 

7. Is the appointment of a Data Protection Officer (“DPO”) or equivalent mandatory under the PIPL? If so, does a company need to register its DPO with the Chinese authorities?

Companies whose processing of personal information reaches a volume as specified by the national cyberspace department must designate a “personal information protection officer” (“PIPO”) to be responsible for supervising personal information processing activities and the protection measures taken. The name and contact information of the PIPO needs to be submitted to the Chinese authorities.

Overseas companies which are subject to the PIPL are required to set up a dedicated office or appoint a designated representative in China, to be responsible for handling matters in relation to personal information protection. The name of the relevant office or entity, as well as the name and contact information of the designated representative are required to be submitted to the authority.

Our Comments. Companies should consider whether a PIPO, or local office and designated representative (as the case may be) ought to be appointed and who would be most appropriate in holding the positions.

Regarding the volume as specified by the national cyberspace department, the threshold tests in the 2017 Draft Measures For Personal Information And Important Data involving personal information of more than 500,000 individuals or where the data volume exceeds 1,000GB appear relevant in determining this.

 

8. Is there a mandatory data breach notification under the PIPL? If yes, who must be notified and what information must be provided?

A company subject to the PIPL is required to report data breaches to the relevant authorities and, in certain circumstances, to the affected individuals. The notification to the authorities must include:

1. the types of personal information leaked, tampered with, or lost, the causes, and the damages that has/may have been caused;
2. the remedial measures taken by the company and the measures available to individuals to mitigate the damage; and
3. the contact information of the company

Where a company is able to adopt measures to effectively avoid harm caused by the data breach, it need not notify the affected individuals. However, if the authority considers that the data breach might cause harm to the affected individuals, then it may require the company to notify such individuals.

Our Comments: The PIPL does not provide a specific time limit for notifying the authority or affected individuals save for the general requirement of “immediate” notification. Companies should check sectoral rules for any time limit of data breach notification that may specifically apply to them.

 

9. Which are the Chinese authorities that oversee and/or enforce the PIPL?

At the national level, the national cyberspace department is responsible for the overall supervision and management of personal information protection. In addition, relevant departments under the State Council and sectorial authorities (e.g. the National Health Commission of the People’s Republic of China and the People’s Bank of China) are responsible for the supervision and management of personal information within their respective jurisdictions.

At the local government level, the relevant authorities of “county-level and higher” are responsible for carrying out personal information protection duties in accordance with the relevant regulations.

Our Comments: Unlike Hong Kong or other EU countries, China does not have an independent data protection authority. We note that the Chinese authorities have wide enforcement powers including conducting on-site inspection and investigating suspected unlawful personal information processing activities.

 

10. What are the liabilities and penalties for non-compliance with the PIPL?

A company held to be in breach of the PIPL may be directed to correct the violation, relinquish any illegal gains and/or suspend activities. If such company refuses to comply, it may face an additional fine of up to RMB 1 million. For severe circumstances of violation, a company may be issued a fine of up to RMB 50 million (or roughly USD7.8 million) or 5% of its annual revenue.

Individuals in charge or directly responsible for the processing may face fines from RMB10,000 to RMB 1 million and be prohibited from holding positions of director, supervisor, high-level manager or PIPO for a certain period.

Our Comments: In addition to the financial penalties, a breach of the PIPL by a company may be recorded under China’s national social credit system; this might have negative repercussions on the company’s reputation and corporate development. Further, any violation of the PIPL that constitutes a violation of public security administration shall be subject to penalty under public security administration rules in accordance with the law; and any  violation that constitutes a criminal offense shall be investigated for criminal liability in accordance with the law.

We will be hosting a webinar on 26 October 2021 (Tuesday) 1pm to 2pm SGT on the PIPL and practical considerations that companies doing business in China should be mindful of. You may register for the webinar here.Alternatively, please contact us at grace.feng@clydeco.com or laurance.leung@clydeco.com.