China Personal Information Protection Law
On the 1st of November 2021, the Personal Information Protection Law (‘PIPL’) comes into force. It will set a new bar in China for privacy rights, obligations, security, and compliance.
Therefore, QPSOFTWARE has partnered up with TEKID to provide you with the following in-depth report which serves as an introduction to PIPL and its key concepts.
Indeed, TEKID’s legal and Compliance experts have been designing, deploying and managing local and international regulatory compliance programs such as the Chinese Cyber Security Law, European GDPR, cross-regional programs, as well as technical international standards such as ISO, SOC, SOX, PCI and more.
For further expertise on the matter, you can personally reach out to Maxime Oliva (Chief Executive Officer) at TEKID: https://www.linkedin.com/in/maximeoliva or contact them directly through their website: https://www.tek-id.com/
You can also register here to download their latest review about the Consumer Data Strategy under the new China Personal Information Protection Law done in collaboration with Fabernovel.
What is the PIPL?
The PIPL is China’s new data protection law. It is the first China law focusing exclusively on personal data (omnibus law), setting ambitious goals, presenting many similarities with the European General Data Protection Regulation (‘GDPR’).
At its core, the PIPL’s goals are to increase individuals’ rights and enhance privacy, transparency, and accountability. It does this by determining how personal data of China residents must be handled, what permissions are needed, and how this data can be lawfully collected, processed, and protected. It also gives individuals more rights and control over what can and cannot be done with their data. The PIPL also gives regulators new powers to impose significant fines on organizations that breach the law.
What is personal data?
Personal data is defined very broadly under the PIPL as any kind of data that relates to an identified or identifiable natural person, whether in electronic form or recorded otherwise. From classily understood personal data such as name, telephone number, address, ID number, etc., to less obvious personal data, such as data related to a person’s job, hair or eye color, style, opinions, comments, habits, likes and dislikes, cultural or social identity, itineraries, IP address, activity logs, etc.
- Anonymized data is not personal data (and can therefore be used freely).
- Sensitive personal data will be subject to additional conditions, and includes biometric characteristics, religious beliefs, specially designated status (such as, for example personal data of children under the age of 14), medical health, financial accounts, individual location tracking.
Location tracking, being labelled ‘sensitive personal data’ will present particular challenges for organizations and brands, as it will drastically reduce the extent to which they can, for example, track offline and online store visits for remarketing and retagging purposes.
Who does the PIPL apply to?
The PIPL applies broadly: to all organizations, of all sizes and all industries, which process personal data.
What kind of processing actors?
In legal terms, the PIPL applies to ‘Personal Data Handlers’ and ‘Personal Data Processors’.
- You are a Personal Data Handler if you are the one who decides the purposes of personal data processing. In other words, you will decide what can and cannot be done.
- Similarly, you are considered a Personal Data Processor if you process data on behalf of the Personal Data Handlers. In other words, you do not decide the purposes of processing: you must follow all instructions referring to the processing of personal data given by the Personal Data Handlers.
What kind of processing?
More specifically, the PIPL applies to:
- Any personal data processing within the territory of China; and
- Any processing of personal data of individuals who reside in the territory of China by an organization established outside the territory of China, where that processing relates to the offering of goods or services to those individuals or to the monitoring or analysis of their behavior.
Put simply, the PIPL applies to any organization or business processing personal data of a China resident. This applies no matter where in the world your organization is based, or the size of your organization.
What risks does your organization face if it does not comply?
For the last few decades, Chinese laws have generally not included significant fines for breaches of privacy-related provision. That will change dramatically under the PIPL. The maximum fine for serious infringements will be the greater of CNY 50 million or 5% percent of an organization’s annual revenue for the previous year. In addition, an organization can face confiscation of illegal gains, suspension of related activities or even suspension or revocation of their business license and/or business permit.
A notable additional risk: any person in charge or directly liable for the breach may also be fined up to CNY 1 million and may also be barred from serving as director, supervisor, senior officer or data protection officer for a certain period.
What are your organization’s core responsibilities?
You are a Personal Data Handler
In short, the PIPL shapes the responsibilities for the Personal Data Handlers and what they are accountable for. The Personal Data Handlers must demonstrate that personal data is:
- Processed lawfully, legitimately, for necessity, in good faith and in an open and transparent manner;
- Processed for specified, reasonable, explicit and legitimate purposes;
- Adequate, relevant, and limited to what is necessary: processing must not be excessive, and limited to the minimum scope necessary to achieve the explicit purpose (i.e., purpose, processing and data minimization);
- Of quality: i.e., accurate, complete and up to date;
- Kept no longer than necessary;
- Processed in a manner that ensures its security.
You are a Personal Data Processor
The PIPL requires Personal Data Processors to adopt necessary measures to ensure the security of personal data in accordance with relevant laws and regulations, and to assist personal information handlers in fulfilling their obligations under this law.
Their personal data processing activities must be supervised by the Personal Data Handlers entrusting them with such processing.
Lawful processing - what does it mean?
It means that at least one of the following ‘legal basis’ must be valid or obtained:
- The data subject has given consent to the processing of their personal data for specific purposes;
- Processing is necessary for the conclusion or performance of a contract with the data subject, or for human resources management according to a legally established contract or policy;
- Processing is necessary for compliance with a legal or statutory obligation;
- Processing is necessary for public health emergencies or for the protection of the life, health, and property of the data subject;
- Processing, within a reasonable scope, to carry out news reporting, supervision by public opinions or any other activity for public interest purposes;
- Processing, within a reasonable scope, of personal data that has been publicly disclosed by the data subject, or legally by a third party;
- Other circumstances provided by laws and administrative regulations.
‘Legitimate interests’, a legal basis available under the GDPR, does not exist under the PIPL.
In other words, you cannot process personal data simply because you want to. Instead, you must be able to point to a ‘legal basis’ for processing.
What are the conditions for a valid consent?
One of the core features of the PIPL: the bar for valid consent is significantly raised. Consent must be:
- Informed (i.e., individual must be giving truthful, accurate and full information on why, how and by whom their personal data will be processed);
- Explicit (i.e., demonstrated by a clear action of the individual);
- Freely given (i.e., consent cannot be force or a condition for the provision of products and services - unless it is necessary for such provision);
- Easily withdrawn at any time (i.e., the possibility to withdraw consent must be offered)
- Written or specific consent may be required in certain circumstances by other laws or regulations.
- A separate consent is necessary for (i) processing of Sensitive personal data, (ii) sharing with another Personal Data Handler or Personal Data Processor, (iii) disclosure or personal data or (iv) transfer outside of China.
As to marketing communications: the PIPL marks a clear and significant shift from opt-out to opt-in: prior consent will be required. Unlike in Europe, organizations in China cannot invoke legitimate interests (i.e., not requiring consent) as a legal basis for collecting personal data for marketing purpose. Moreover, even where consent has been given, if push marketing or sales is based on automated decision-making, individuals must have the option to refuse it (opt-out). This will tremendously affect the creation and push of personalized content and ads, which individual will have the right to refuse.
What about the rights of individuals?
Clearly, in line with a rebalancing of powers between organizations and individuals, these rights are significantly increased and expanded:
- Right to information (truthful, accurate and full information on why, how and by whom their personal data will be processed);
- Right to access and copy personal data;
- Right to portability of personal data (in essence the right for individuals to request transfer of their personal data to another organization, so long as the transfer meets conditions to be set by the Cyberspace Administration of China);
- Right to correct or complete personal data;
- Right to withdraw consent;
- Right to deletion of personal data (under certain circumstances: (i)processing purpose has been achieved or (ii) personal data is no longer necessary, (iii) provision of products and services has ceased, (iv) retention period for personal data has expired, (v) consent has been withdrawn, (vi) violation of applicable laws and regulations, (vii) other circumstances provided by laws and regulations);
- Right not to be subject to automated decision-making;
- To restrict or object to the processing of personal data;
- Right to submit requests to Persona Data Handlers as to exercise their rights, and to file a lawsuit where such requests are rejected.
Organizations already compliant with the GDPR will have an advantage, as adaptation to the PIPL, as far as individuals’ rights are concerned, will be made much easier. For the others, the gap may present difficult and important challenges (whether organizational, operational or technical).
What about Cross-border data transfers?
The PIPL strictly regulates transfers of personal data of China residents to destinations outside China. In line with the Cyber Security Law and the Data Security Law, the PIPL requires that Critical Infrastructure Information operators (‘CIIOs’), as well as any other Personal Data Handler who processes personal data that reaches a certain volume (which the PIPL does not specify, but will be later defined by the CAC), must:
- Not only store personal information within the territory of China, but
- Where cross-border transfer of personal data is necessary, such transfer must pass a security assessment organized by the CAC.
Otherwise and in any case, Personal Data Handlers must as least one of the following conditions before transferring personal data out of China:
- Pass the above-mentioned security assessment organized by the CAC;
- Obtain a personal data protection certification from a professional body accredited by the CAC;
- Enter into an agreement with the overseas recipient, governing the rights and obligations of the parties, based on a model Contract to be later released by the CAC; or
- Other requirements provided under other laws and regulations or by the CAC.
Cross-border transfer prerequisites for personal data may well prove to be a particular pain point for MNCs operating in China, as many still generally rely on such transfers for processing (and more particularly analysis) abroad. Organizations will need to work (i) either on localizing personal data processing, or (ii) toward compliance with the above requirements. Quickly.
What about Security and governance?
No surprise there, requirements are at the same time those that have become classics under the CSL and more recently the Data Security Law, and what we already know under the GDPR with a China ‘twist’.
Personal Data Handlers and Personal Data Processors must implement technical and organizational measures to ensure the level of security commensurate to potential risks, purpose of processing, categories of personal data processed, etc., including:
- Internal management organization and rules for personal data;
- Classification of personal data (categories / types);
- Technical measures such as encryption, de-identification, etc.;
- Reasonable operational limits for personal data processing;
- Regular training and awareness for employees;
- Incident response plans;
- Other measures under applicable laws and regulations.
Appointing a DPO or a representative in China
- Personal Data Handlers established in China who process personal data that reaches a certain volume (as later defined by the CAC) are mandated to appoint a Data Protection Officer to supervise processing and adopted protection measures;
- Personal Data Handlers established outside China who process personal data of China residents are mandated to establish an entity or appoint a representative within the territory of China for personal data related matters.
Audits and Impact Assessments
- Personal Data Handlers must regularly audit their personal data processing activities and their compliance with related applicable laws.
- Data Protection Impact Assessment will have to be conducted by Personal Data Handlers where they (i) process sensitive personal data, (ii) use automated decision-making methods, (iii) entrust processing to a Personal Data Processor, share personal data with a third-party or disclose it, (iv) transfer personal data outside China, or (v) conduct any other personal data processing which has an important impact on individuals.
- If immediate notification to Supervisory Authorities is mandatory;
- Notification to individuals is not mandated if the Persona Data Handler has taken measures that prevent harm to such individuals as a consequence of the breach (unless directed to do so anyway by Supervisory Authorities). No notification time-period is specified by the PIPL for notification to individuals.