China’s Personal Information Protection Law (PIPL)

China’s Personal Information Protection Law (PIPL)

As governments worldwide persist in implementing diverse legislation concerning consumer data privacy, it becomes crucial for privacy and data security experts to grasp the fundamental legal and regulatory distinctions among these laws and remain vigilant about meeting international compliance standards. Presented here is an outline of the most commonly raised inquiries concerning China's Personal Information Protection Law (PIPL), encompassing guidelines on achieving compliance and elucidating the divergences between this legislation and other significant privacy and data security laws.

What is the PIPL?

China's PIPL, which was enacted on August 20, 2021, during the 30th Session of the Standing Committee of the 13th National People's Congress, represents the inaugural national-level legislation that provides a comprehensive regulatory framework for matters pertaining to the protection of personal information.

When did the PIPL take effect?

The PIPL took effect on November 1, 2021.

What is personal information (PI)?

According to the PIPL (Personal Information Protection Law), personal information is characterized as any form of information, whether electronically or otherwise recorded, that pertains to an identified or identifiable individual within the territorial boundaries of the People’s Republic of China (PRC). However, it is important to note that the law excludes anonymized information that cannot be employed to identify a particular individual and remains irreversible following the anonymization process, as stated in PIPL Art. 4.

What does the processing of PI mean?

Processing (also referred to as "handling") encompasses a wide array of activities involving personal information (PI) as stated in PIPL Art. 4. These activities span from the initial collection and secure storage of PI to its subsequent utilization, alteration, transmission, and disclosure, among others. Additionally, the process extends to providing individuals with access to their data, deleting unnecessary information when no longer required, and any other relevant actions related to personal information management. The PIPL emphasizes the significance of adhering to strict guidelines during these processing operations to safeguard individuals' privacy and maintain the integrity of their personal data.

What is sensitive personal information (SPI)?

The PIPL defines Special Personal Information (SPI) as sensitive data that, if disclosed or misused, may harm individuals' security or dignity. SPI includes biometric traits, religious beliefs, specific identity details, medical records, financial accounts, location tracking, etc. Minors under 14 are also covered as SPI. PIPL Art. 28.

Is SPI treated differently from PI?

Processing SPI demands a clear purpose, substantial necessity, and more stringent protective measures, as per PIPL Art. 29. Separate consent is mandatory, and in certain cases stipulated by other laws and regulations, written consent might be required.

Moreover, PI handlers are obligated to inform individuals about the necessity of SPI processing and its potential impact on their rights and interests (PIPL Art. 30).

Regarding minors, prior separate consent from their parent or legal guardian must be obtained before processing their personal information (PIPL Art. 31).

What is the territorial scope of the PIPL?

The PIPL has jurisdiction over the processing of personal information (PI) within the People's Republic of China (PRC). Similar to the General Data Protection Regulation (GDPR), the PIPL also has extraterritorial applicability. This means that any PI processing conducted outside of China will still fall under the purview of the PIPL if any of the following circumstances occur:

The processing aims to provide products or services to individuals located within the PRC.

The processing involves the analysis or evaluation of the behaviors of individuals located within the PRC.

Other circumstances specified by relevant laws and regulations as outlined in PIPL Art. 3.

What processing activity is exempt from the PIPL?

PIPL Art. 72 provides an exemption from the law for natural persons who process personal information (PI) for personal or family-related matters. This means that individuals handling PI for their own private and domestic affairs are not subject to the regulatory requirements and obligations imposed on organizations and entities processing PI for commercial or public purposes under the PIPL.

Does the PIPL apply to the PI of deceased individuals?

Yes. According to PIPL Art. 49, the next of kin of a deceased individual have the right, for legal and legitimate purposes, to access, copy, correct, or delete the pertinent personal information (PI) of the deceased individual. This access and control over the deceased person's PI are granted unless the decedent specified otherwise before their death. This provision aims to ensure that the rights and interests of the deceased's family members are protected and respected in managing the deceased individual's personal information.

What rights do individuals (i.e., data subjects) have?

Processing SPI demands a clear purpose, substantial necessity, and more stringent protective measures, as per PIPL Art. 29. Separate consent is mandatory, and in certain cases stipulated by other laws and regulations, written consent might be required.

Moreover, PI handlers are obligated to inform individuals about the necessity of SPI processing and its potential impact on their rights and interests (PIPL Art. 30).

Regarding minors, prior separate consent from their parent or legal guardian must be obtained before processing their personal information (PIPL Art. 31).

What data protection principles must PI handlers follow?

PI handlers must adhere to several data protection principles as outlined in the PIPL to ensure the lawful and responsible handling of personal information. These principles include:

Lawfulness, Fairness, and Necessity
Purpose Limitation
Informed Consent
Data Minimization
Storage Limitation

What are the legal bases for processing PI?

Under the PIPL, there are several legal bases provided for processing personal information (PI):

Consent: PI can be processed with the explicit consent of individuals after providing them with clear and informed information about the intended purposes.

Contractual Necessity: Processing PI may be justified when it is essential for the performance of a contract in which the individual is a party or for the implementation of human resources management within an organization.

Compliance with Legal Obligations: PI processing can be legitimate when necessary to fulfill statutory responsibilities or obligations imposed by laws and regulations.

Public Health or Emergency Situations: Processing PI is allowed when responding to public health emergencies or safeguarding the life, health, or property of individuals during emergency situations.

Public Interest: PI can be processed for purposes related to news reporting, activities in the public interest, or other lawful public-interest endeavors.

Self-Disclosure: If individuals have already disclosed their own PI voluntarily, or if the information has been lawfully disclosed, further processing based on this existing disclosure may be permissible.

Compliance with Laws and Regulations: PI can be processed if permitted by specific laws and regulations, which serve as a legal authorization.

What constitutes valid consent?

Consent must be freely given, explicit, and fully informed when it serves as the legal basis for processing PI under the PIPL (PIPL Art. 14). In case of changes in processing purposes, methods, or PI categories, new consent from the individual is required.

What is separate consent?

The PIPL requires "separate consent" in certain cases without providing a clear definition. It refers to obtaining distinct and independent consent from individuals for specific data processing activities or purposes, promoting transparency and informed decision-making.

Under what circumstances is separate consent required?

  1. Transferring PI to another PI handler (PIPL Art. 23).
  2. Otherwise disclosing PI to third parties (PIPL Art. 25).
  3. Processing PI collected by public surveillance devices for purposes other than public security (PIPL Art. 26).
  4. Processing SPI (Special Personal Information) (PIPL Art. 29).
  5. Transferring PI outside the People's Republic of China (PRC) (PIPL Art. 39).

Are there any specific requirements for advertising?

Under the PIPL when PI is used for advertising purposes through automated decision-making, handlers are obligated to offer individuals the choice not to receive targeted ads based on their characteristics. Alternatively, handlers must provide a mechanism for individuals to opt-out or reject such targeted advertising (PIPL Art. 24). This requirement aims to empower individuals with control over how their personal information is utilized for advertising purposes and respects their preferences regarding targeted advertisements.

What constitutes automated decision-making?

Automated decision-making pertains to the utilization of computer programs to automatically analyze or evaluate the conduct, preferences, hobbies, and various aspects of individuals, such as their financial, health, or credit information, as described in PIPL Article 73.

What rules apply to automated decision-making?

Handlers utilizing personal information (PI) in automated decision-making must uphold principles of transparency, fairness, and justice in the outcomes generated by the automated processes. It is strictly forbidden for handlers to subject individuals to unjustifiable discriminatory treatment resulting from automated decision-making, as stated in PIPL Article 24.

In cases where the implementation of automated decision-making substantially impacts an individual's rights and interests, that individual has the right to demand an explanation from the handler regarding the use of such decision-making. Additionally, the individual can request the handler to refrain from making decisions solely based on the outcomes of automated processes, as stipulated in PIPL Article 24.

What is a PI handler?

A "PI handler" refers to an individual or organization that autonomously decides the objectives and methods for processing personal information (PI).

What are the principal duties of a PI handler?

The PIPL imposes certain obligations on PI handlers, which are as follows:

Establish and implement a privacy program that classifies and manages PI in compliance with relevant laws and regulations. The program should incorporate suitable security measures to prevent unauthorized disclosures and leaks of PI. Additionally, it should include educational initiatives for employees and staff regarding appropriate PI-handling practices. An incident response plan must also be part of this program. (PIPL Art. 51)

If the handler processes PI that meets a threshold determined by the relevant enforcement authorities, they must appoint a Data Protection Officer (DPO). The name and contact details of the DPO need to be disclosed to those authorities. (PIPL Art. 52)

If the handler operates outside the People's Republic of China (PRC) but falls within the extraterritorial scope of the PIPL, they are required to designate a local representative or entity responsible for data protection practices. The name and contact information of this representative or entity must be disclosed to the relevant enforcement authorities. (PIPL Art. 53)

Regular compliance audits of data protection practices are to be conducted. (PIPL Art. 54)

When handling Sensitive Personal Information (SPI), using PI for automated decision-making, disclosing PI to "entrusted parties" (data processors), other handlers, or third parties, transferring PI abroad, or engaging in any other activities significantly affecting individuals, the handler must prepare PI Protection Impact Assessments (PIPIAs). (PIPL Art. 55)

In the event of an actual or potential cybersecurity incident involving "leak, distortion, or loss" of PI, the handler must promptly implement remedial measures and inform the relevant enforcement authorities and affected individuals. However, notifying affected individuals may not be necessary if the remedial measures effectively mitigate harm to them. (PIPL Art. 57)

What is an entrusted party and what are the main obligations?

An "entrusted party" in the context of the PIPL is similar to a "data processor" as defined in the GDPR (General Data Protection Regulation). When a PI handler delegates the processing of PI to another entity through a contractual agreement, the entrusted party is obligated to process the PI according to the terms agreed upon in the contract. It is not allowed to subcontract the processing without obtaining explicit consent from the PI handler. Furthermore, the entrusted party does not have the authority to determine the purposes and methods of the processing and is restricted from processing PI beyond what is specified in the contract.

The entrusted party must implement necessary measures to ensure the security of the PI it processes and provide assistance to the PI handlers in meeting their obligations under the PIPL.

Are there special requirements for processing the PI of minors?

Certainly! Here's a paraphrased version of the rules concerning minors under the PIPL:

PI belonging to a minor under the age of 14 is considered Sensitive Personal Information (SPI) according to PIPL Article 28.

Therefore, any handler who processes the PI of individuals under the age of 14 is required to conduct a Personal Information Protection Impact Assessment (PIPIA) as per PIPL Article 55.

Handlers processing the PI of minors under the age of 14 are obligated to obtain explicit consent from their parent or legal guardian, as stated in PIPL Article 31.

Special processing rules must be followed by handlers when dealing with the PI of minors under 14, in accordance with PIPL Article 31.

Are there special requirements for internet giants?

PI handlers offering "important" internet platform services with a large user base and complex operations must:

Establish a PI protection compliance program supervised by an independent external body.

Develop platform rules based on openness, fairness, and justice, defining PI handling standards for intraplatform providers.

Take action against providers seriously violating PI laws and regulations, potentially terminating their services.

Regularly publish "social responsibility reports" on PI protection efforts.

Does the PIPL include data localization requirements?

Indeed, the PIPL stipulates several scenarios where PI handlers are required to store the PI they process within the People's Republic of China (PRC). These scenarios are as follows:

State agencies processing PI are obligated to store the PI within the PRC, as mandated by PIPL Article 36.

Critical Information Infrastructure Operators (CIIOs) that collect or generate PI within the PRC must also store the PI within the country, as per PIPL Article 40.

PI handlers who collect or generate PI within the PRC and have processed a volume of PI that meets a specific threshold, as determined by the relevant enforcement authorities, are obliged to store the PI within the PRC, as specified in PIPL Article 40.

Can PI be transferred outside China? Are there any conditions?

Yes. For PI transfer outside the PRC, a handler must:

Obtain separate informed consent from the individuals whose PI will be transferred (PIPL Art. 39).

Conduct and document a PI protection impact assessment (PIPIA) (PIPL Art. 55).

Fulfill one of the following conditions from PIPL Art. 38: a. Pass a security assessment by government cybersecurity authorities. b. Obtain a PI protection certification from a specialized body designated by government cybersecurity authorities. c. Agree to the terms of a standard contract drafted by government cybersecurity authorities, along with the data importer. d. Comply with other conditions specified in law, regulation, or by government cybersecurity authorities.

Ensure overseas recipients provide a level of PI protection equivalent to the PIPL standard (PIPL Art. 38).

Is there a whitelist or blacklist regarding the cross-border transfer of PI?

Not yet, but overseas organizations or individuals involved in activities that harm the PI rights of Chinese citizens, or jeopardize state security or public interests, may be blacklisted and consequently restricted or prohibited from receiving PI from the PRC (PIPL Art. 42).

Under what circumstances is a personal information protection impact assessment (PIPIA) required?

PI handlers are obligated to perform and record a Personal Information Protection Impact Assessment (PIPIA) prior to engaging in any of the following circumstances:

Processing Sensitive Personal Information (SPI).

Employing Personal Information (PI) for conducting automated decision-making processes.

Disclosing PI to entrusted parties (also known as data processors), other handlers, or third parties.

Transferring PI to locations outside the jurisdiction of the People's Republic of China.

Participating in any other handling activities that have a substantial impact on the rights of individuals.

What must be included in a PIPIA?

As per PIPL Article 56, a PIPIA report must encompass the following aspects:

The lawfulness, legitimacy, and necessity of the purposes or methods for processing personal information (PI).

The potential impact on the rights and interests of individuals, along with any associated security risks.

The legality, effectiveness, and appropriateness of the protective measures implemented, considering the level of risk involved.

Does the PIPL mandate any record-keeping obligations?

Indeed, PI handlers are required to retain PIPIA reports and "handling status records" for a minimum of three years, in accordance with PIPL Article 56.

Who enforces the PIPL?

Specific cybersecurity authorities and relevant departments under the State Council, such as the Ministry of Public Security, the State Administration for Market Regulation, and the Ministry of Science and Technology, have the authority to enforce the PIPL.

For minor violations, any of the mentioned authorities can levy fines up to CNY 1 million (approximately $157,000). In more severe cases, only provincial or higher-level authorities are authorized to impose fines up to CNY 50 million (about $8 million) or 5% of the violator's annual revenue, as per PIPL Article 66.

What penalties might be imposed in the case of a violation?

For minor violations, authorities are empowered to impose the following penalties:

Issue an order for correction, confiscation of illegal gains, or the temporary suspension or termination of improper practices.

Impose a fine of up to CNY 1 million against offenders who fail to rectify their actions.

Impose a fine ranging from CNY 10,000 to CNY 100,000 on the directly responsible individual, as stated in PIPL Article 66.

In the event of a serious violation, provincial or higher-level authorities have the authority to apply the following penalties:

Issue an order for correction, confiscation of illegal gains, suspension, or closure of the relevant business, or revocation of the business license.

Impose a fine of up to CNY 50 million or 5% of the turnover from the previous year.

Impose a fine ranging from CNY 100,000 to CNY 1 million on the directly responsible individual.

Prohibit the directly responsible individuals from holding senior management positions and roles for a certain period, as per PIPL Article 66.

In both cases, these unlawful acts will be recorded in credit records and publicly disclosed, in accordance with PIPL Article 67.

What remedies are available to individuals (i.e., data subjects) and others for violations of the PIPL?

Any organization or individual possesses the right to report to the appropriate enforcement authorities regarding the unlawful practices of a PI handler, as stated in PIPL Article 65.

If PI handlers refuse to comply with individuals' requests to exercise their rights, individuals have the option to file a lawsuit in court, as per PIPL Article 50.

In cases where the illegal processing of PI adversely affects the rights and interests of individuals, the procuratorates, consumer organizations specified by the law, and other organizations designated by the relevant enforcement authorities may initiate legal action before a court, according to PIPL Article 70.

Who bears the burden of proof in a lawsuit?

In situations where the handling of PI results in infringement upon individual rights and causes harm, the PIPL seemingly places the burden of proof on the PI handler to demonstrate that it is not responsible, as mentioned in PIPL Article 69. Subsequently, damages may be awarded, either based on the losses experienced by the affected individual or the profits gained by the PI handler, as outlined in PIPL Article 69.

QR code for this page URL

Submit your project
Get a free quote

Contact Now