After rounds of public consultation on the draft laws, the Personal Information Protection Law (PIPL) was finally officially passed by the Chinese legislature on 20 August 2021. The PIPL imposes stringent legal restrictions on the processing, use and management of personal data, and it signals China’s important first step in aligning its personal information protection laws with international standards.
The PIPL will come into effect on 1 November 2021 in China. It will no doubt have a major impact on the personal information processing activities of companies conducting business in China.
In this article, we will go through the must-knows of the PIPL and its significance, drawing from our experience in advising on personal information protection under the existing legal framework in China, with particular focus on the following aspects:
- Extraterritorial Jurisdiction
- Governing Cross-Border Transfer of Personal Information
- Requirement of Obtaining Consent
- Regulation of Automated Decision-Making
- Penalties and Legal Consequences
- Compliance of PIPL
I. EXTRATERRITORIAL JURISDICTION
The newly passed PIPL is applicable to any organization or individual who processes the personal information of natural persons within the territory of China. In particular, the PIPL is extraterritorial, which means that even overseas-domiciled companies carrying out personal information processing activities outside of China, but for the purpose of providing services or products to natural persons in China, or to analyze and evaluate the activities of natural persons in China, will be subject to the law. This will affect a wide range of foreign companies, such as companies offering e-commerce services that are accessible to Chinese consumers (e.g. selling products on an online website, or providing online courses). It is also mandatory for foreign companies to appoint local representatives or to establish designated supervisory agencies in China to ensure compliance with the regulatory requirements under the PIPL.
II. GOVERNING CROSS-BORDER TRANSFER OF PERSONAL INFORMATION
Companies shall be mindful of their data transfer strategies under the PIPL and shall ensure compliance with any one of the following conditions when personal information is provided to any party outside the territory of China:
- The personal information processors shall pass the security assessment conducted by the state cyberspace administration.
- The personal information processors shall obtain certification in relation to personal information protection from professional institutions according to the regulations of the state cyberspace administration.
- The personal information processors shall enter into a contract with the overseas receiving parties to agree on the rights and obligations of both parties. Such contract shall be in accordance with the model contract stipulated by the state cyberspace administration.
- The personal information processors must fulfil the criteria stipulated in other laws and regulations, or in the rules set by the state cyberspace administration.
The personal information processors shall also ensure the personal information processing activities undertaken by the overseas receiving parties meet the personal information protection standard as prescribed in the PIPL.
In particular, companies shall be aware of whether they will be classified as a “critical information infrastructure operator”, such as companies operating in the public communications, information service, energy, transport, water conservancy, finance, public service and e-government sectors, or whether the quantity of personal information processed by the company reaches the threshold specified by the state cyberspace administration. In those cases, the PIPL requires all personal information collected and generated within the territory of China to be stored domestically. If it is truly necessary to provide the personal information to an overseas receiving party, the security assessment organized by the state cyberspace administration shall still first be passed. Online shopping platforms, hotel services, and other sectors that process large volumes of personal information in China may be affected by the introduction of this new requirement. We expect that further clarification and additional operational guidelines will be issued to clarify the quantity of personal information that will fall under the aforesaid requirement and the threshold thereof.
Where there is a cross-border transfer of personal information, the PIPL now requires personal information processors to notify individuals of a list of information including, but not limited to, the names of the overseas receiving parties, their contact information, the purposes and methods of processing the individual’s personal information, and the methods and procedures for individuals to exercise their rights provided in the PIPL against the overseas receiving parties. The hurdle is higher given that personal information processors shall also obtain separate consent from such individuals.
III. REQUIREMENT OF OBTAINING CONSENT
One of the main focuses of the PIPL is that it sets out a general rule that personal information processors shall obtain an individual’s consent before processing personal information, except under a small number of exceptional circumstances. The PIPL requires such consent to be given voluntarily and explicitly by an individual on a fully informed basis, and, if and when required, separate or written consent shall be obtained. If there is any change in the purpose or method of processing of personal information, fresh consent shall be obtained from the individual. Personal information processors are also required to provide a convenient way for the individual to withdraw his or her consent.
It is worth noting that the PIPL imposes stricter requirements on personal information processors if they wish to obtain sensitive information from individuals. Examples of sensitive information include biometrics, medical and health data, financial information and location data. Personal information processors shall obtain separate consent from the individual before processing his or her sensitive data. In addition to the requirements mentioned above, personal information processors shall notify individuals of the necessity of the processing of sensitive personal information and its impact on the individual’s rights and interests.
IV. REGULATION OF AUTOMATED DECISION-MAKING
With worldwide digitalization, companies may increasingly adopt mechanisms of “automated decision-making” in their information systems to enhance their services or businesses or to conduct commercial marketing. Automated decision-making is now governed under the PIPL and is defined as the activity of automatically analysing and assessing individuals’ behavioural habits, hobbies, or financial, health and credit status through computer programs and making decisions thereon.
If companies make use of personal information when conducting automated decision-making, they should ensure the transparency of the decision-making and the fairness and impartiality of the result, and if there is any differential treatment of individuals in terms of trading price or other trading conditions, it must be reasonably justified. The PIPL gives the individual the right to request that the personal information processor give explanations, and to refuse to accept the personal information processor making decisions solely on the basis of automated decision-making, if such a decision has a major impact on the individual’s rights and interests.
In addition, where companies use automated decision-making to carry out information push or to conduct business marketing to individuals, the companies shall simultaneously provide options that are not based on the individuals' personal characteristics in order to be in compliance with the PIPL. Alternatively, the companies may provide convenient methods for the individuals to refuse such information push or business marketing carried out solely on the basis of automated decision-making.
V. PENALTIES AND LEGAL CONSEQUENCES
Personal information processors shall take note of their legal liability under the PIPL. If personal information processors are found to be in violation of the PIPL, personal information protection authorities may issue an order for rectification, issue warnings to the personal information processor, and confiscate any illegal income. In cases of serious breach, personal information protection authorities may impose a fine of not more than RMB 50 million or not more than 5% of the annual turnover of the previous year, and may even order suspension of the relevant business and notify the authorities-in-charge to revoke business permits or business licenses. In particular, the personal information protection authorities may impose a fine of not less than RMB 100,000 and not more than RMB 1 million on executives directly in charge or any other officers who are directly in charge, and such personnel directly in charge may even be prohibited from acting as directors, supervisors, senior executives or persons in charge of personal information protection of the related companies for a certain period of time.
In view of the PIPL, companies with China-based operations should review and update their existing data collection and processing policies and terms and conditions before November to ensure that they are in line with the PIPL provisions.