China’s new Personal Information Protection Law (PIPL) becomes effective today, 1 November 2021. It significantly alters the regional and global privacy landscape, and its significance should be clearer after reading this article.
The readiness anxiety generated by the impending effectiveness of the GDPR in May 2018 seems fairly recent. The GDPR caused a flurry of activity to ensure compliance with this European regulation, with extraterritorial effect and an unpredictable global impact. Like the GDPR, the PIPL is also extraterritorial and there is likely a significant amount of PIPL-covered personal information throughout Asia, not to mention everywhere else.
Since the GDPR became effective, we have witnessed some enormous fines levied against transgressors. In July 2021, Luxembourg fined Amazon €746 million in relation to cookie consent issues, and in 2020 France also fined Amazon €35 million in relation to cookie consents. Cookies relate to how Amazon collects and shares personal information, and consent must be freely given. Ireland fined WhatsApp €225 million in relation to allegedly forced consents and the sharing of personal data with third parties.
For those organizations in Asia and elsewhere that have had limited exposure to the GDPR, there will be a steep learning curve with respect to the PIPL. It is extraterritorial and appears to be almost as expansive as the GDPR. If you do business in China, then you are likely subject to the PIPL.
Organizations that provide products and services or separately monitor the behavior of people in China, regardless of whether they are in the PRC, are subject to the PIPL. The PIPL’s fines and penalties regime of up to 5% of annual revenues jibes with the GDPR.
Unsurprisingly, the PIPL shares many similarities with the GDPR. The definition of personal information is similar, the law reflects global privacy principles such as data minimization, use limitation, data protection and accountability and the law gives individuals similar privacy rights. Further, like the GDPR, the PIPL requires organizations caught by its extra-territoriality provisions to appoint a dedicated representative in China if they do not have their own direct presence there.
It should be noted that the PIPL relies more heavily upon consent as the lawful basis for processing personal information and introduces the concept of separate consent for various kinds of processing. Additionally, unlike the GDPR, the PIPL does not allow “legitimate interest” as a legal basis for processing personal data. Furthermore, the PIPL requires the prompt (immediate) notification of data incidents, including a currently ambiguous trigger for incidents that have not yet occurred but are likely to.
The PIPL also contains a data localization requirement. Any organization that processes a “large” amount of personal information must store the information locally. This requirement could have a considerable impact on organizations that operate significant online retail activities within the PRC. The PIPL contains several ambiguous terms that remain undefined; however, this will likely be rectified in due course via implementing rules or policy guidelines.
It will be necessary to assess whether a company falls within the extraterritorial scope of the PIPL and if so, it will need to consider the extent of its personal information processing, to determine its compliance obligations. Companies that already have an active culture of privacy and are GDPR compliant will be better placed to comply with the PIPL; however, they will still need to understand the additional or different requirements of the PIPL, particularly ongoing policy orientations and practices that can evolve and change quietly and regionally. Those companies that do fall within the scope of the PIPL but do not have a strong data privacy culture will need to adopt compliant practices to mitigate potentially substantial risk. Of course, data privacy is not just about compliance with the law but should also be strongly concerned with customer and client trust. Large fines compounded by a loss of business arising from data privacy transgressions can be significant and lasting.
From a broader cyber- and data-security governance perspective, the PIPL, the Cybersecurity Law and the Data Security Law will form an over-arching framework to govern data protection, cybersecurity and data security in Mainland China for the foreseeable future. This article focuses on key aspects of the PIPL but does lightly address the PRC Cybersecurity and Data Security laws.
It is important to note that contemporary data privacy regulations such as the PIPL and GDPR are generally principles-based rather than wholly prescriptive. This distinction matters because prescriptive laws are detailed and specific, and violating the spirit of a prescriptive law is often not a violation of the law itself; such laws lend themselves to exceptions. Principles-based laws, on the other hand, tend to be broader and less detailed, and set standards and best practices. They are concerned with outcomes, so if one violates the spirit of such a regulation then one will most likely have violated the law. Consequently, the guiding principles underpinning and expressed in such regulations are very important to know and understand: lawfulness, fairness and transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality, and accountability.
The PIPL is new and untested, and implementing rules and interpretations have yet to be issued; however, we must both look at its language and understand the principles underpinning it in order to apply its requirements notwithstanding its current ambiguities. As the PIPL matures and is clarified, your compliance approach must evolve with it.
Personal information (PI) and the “processing of PI” are defined similarly under the PIPL and the GDPR. PI is “any information related to identified or identifiable natural persons that are electronically or otherwise recorded.” In its simplest and most concise definition, processing of data is ‘any action performed on data’.
The PIPL defines sensitive personal information as “PI that, once leaked, or illegally used, may easily infringe the dignity of a natural person or cause harm to personal safety and the security of property, such as biometric identification information, religious beliefs, specially-designated status, medical health information, financial accounts, information on individuals’ whereabouts, as well as any PI of minors under the age of 14.”
Anonymized information, as with the GDPR, is not deemed PI under the PIPL. “Anonymization” refers to the process by which PI is rendered incapable of identifying specific natural persons and cannot be restored after processing. It removes both direct and indirect personal identifiers that could allow an individual to be identified.
While the GDPR defines the key data handling parties as “controllers” and “processors”, the PIPL designates a “personal information processor” (PIP) and a “commissioned party” or “entrusted third-party.” It should be noted that a PIP independently determines the purposes and means of processing PI and is similar to a data controller under the GDPR, whereas a commissioned party or entrusted third-party is akin to a data processor under the GDPR. This party has no autonomy and must take specific processing instructions from the PIP lest it be deemed a joint PIP and share potentially heightened liability.
Similar to the GDPR, the PIPL applies extraterritorially to PI processed outside Mainland China, if the purpose of the processing is:
- to provide products or services to individuals in China
- to “analyze” or “assess” the behavior of individuals in China, or
- for other purposes to be specified by laws and regulations
The PIPL requires an offshore PI processor subject to the PIPL to establish a “dedicated office” or appoint a “designated representative” in Mainland China for PI protection purposes. The GDPR similarly requires the appointment of an “EU representative” for offshore controllers.
Legal basis for processing
Under the PIPL, organizations must have a legal basis to process PI but unlike the GDPR, the PIPL does not provide for legitimate interest as a legal basis for processing.
While processors in Mainland China have traditionally relied upon consent to process PI, the PIPL now provides the following additional legal bases, where processing is:
- necessary to enter into or perform a contract to which the data subject is a party (e.g., fulfillment of an online purchase, or HR management and payroll),
- necessary to perform a legal obligation or responsibility,
- necessary to respond to a public health emergency, or to protect the life, health or property of individuals in an emergency,
- for news reporting and media monitoring in the public interest (within reason), or
- of PI that is already in the public domain or has been voluntarily disclosed by the data subject.
Consent (as under the GDPR) must be informed, freely given, demonstrated by a clear action of the individual (not tacit) and freely revocable. Unlike the GDPR, the PIPL articulates a requirement for separate consent for certain processing activities, namely where a PIP:
- shares PI with other processors
- discloses PI that exceeds the scope of the original consent
- processes sensitive PI, or
- transfers PI out of Mainland China
Privacy notice elements
The PIPL requires all PIPs to inform data subjects of their rights. Before processing PI, data subjects must be accurately, conspicuously, clearly and in plain language notified of the:
- Name and contact information of the PIP (and the DPO or designated representative).
- Purposes and methods of processing PI, categories of PI to be processed and PI retention periods.
- Methods and procedures for data subjects to exercise their rights under the PIPL.
- Additional elements that may be determined from time to time by lawmakers or policymakers.
It is important to note that at any time after a data subject has been provided with a privacy notice, if any of the above elements change, each data subject must be notified of the change.
Personal information rights
The PIPL generally tracks the GDPR with respect to PI rights but is currently perhaps slightly less precise. There is a right of access, a right to correction/rectification, a right to erasure, a right to object to the processing of PI and a right to withdraw consent, but the right to data portability is subject to conditions set by the Cyberspace Administration of China (CAC). Data subjects have the right to:
- Know (all the detailed elements described above within a privacy notice).
- Access – right to access and receive a copy of their PI that is held (with certain exceptions).
- Portability – a PIP will have to provide a means of transferring PI to a new PIP designated by the data subject (data portability will have to meet CAC conditions).
- Rectification – the right to correct inaccurate or incomplete PI.
- Withdraw consent.
- Erasure/deletion – PIPs should actively delete data when it is no longer needed; however, a data subject may also request deletion where the:
  - purpose of processing has been achieved, is impossible to achieve, or the data is no longer necessary for the purpose,
  - PIP ceases provision of the product or service, or the retention period expires,
  - consent is withdrawn by the data subject, or
  - processing violates a law or agreement.
Uniquely, the surviving relatives of a decedent also have rights under the PIPL. Close relatives can exercise the rights to access, correct and delete a decedent’s PI unless the decedent otherwise arranged for the handling of his/her PI before death.
Additionally, the exercise of the above PI rights must be convenient and if any request to exercise such rights by a data subject is rejected, the PIP must provide a reason. If a PIP impedes or rejects a data subject’s request to exercise their rights, the data subject can sue the PIP, who may also be subject to regulatory enforcement actions and fines.
The PIPL only requires processing entities to “timely” respond to PI rights requests rather than providing a specific timeline for responding. This response time may become less ambiguous over time if the CAC issues implementing rules or policy guidelines.
PIPs must implement measures to ensure compliant data handling to prevent unauthorized access, disclosure, tampering and loss of PI. Of course, such measures strongly depend upon a PIP’s operating model. A PIP’s approach to its obligations should be risk-based, particularly considering the broad, principles-based nature of the PIPL and the rapidly evolving nature of technology and potential threats.
The minimum appropriate measures a PIP should implement to ensure the compliant handling of PI under the PIPL would be to:
- Map PI – classify and inventory all PI held.
- Adopt appropriate security measures, such as encryption and de-identification.
- Determine operating limits for PI handling, such as data retention schedules and regular education and training for employees and third parties with access to the PIP’s data sets.
- Formulate a security incident response plan for unauthorized access to PI or a data breach.
All PIPs must be prepared to deal with data incidents. The PIPL defines a data incident as the loss of data, the unauthorized disclosure of data, data tampering and, uniquely, a possible incident. Under the PIPL, a PIP is obligated to make an incident notification not only if an incident actually occurs but also if an incident is likely to occur. This is an area in which clarification will be needed from the CAC. In any event, where an incident notification is required the PIPL requires it to be made “promptly”, which should be interpreted as “as soon as possible” or “without delay.”
Currently, we understand that incident notifications should be made to the CAC and affected data subjects. However, if an incident occurs and the PIP has effectively prevented any harm to data subjects then a PIP would not be required to notify data subjects; however, the CAC can override this choice at its discretion. It should also be noted that there may be considerable overlap between the growing and emerging bodies of relevant law in relation to national security, cyber security and data privacy in Mainland China and government bodies other than the CAC may also have or claim jurisdiction over a PIP depending on its industry and business model, such as the Ministry of Public Security, the China Securities Regulatory Commission or the China Banking and Insurance Regulatory Commission, among others.
In the event of a data incident in which a notification must be made, the content of the notice must include the:
- categories of affected PI,
- cause(s) of the incident,
- remedial measures taken by the PIP to solve the issue(s),
- measures data subjects can take to mitigate their risks and damages, and
- contact information of the PIP, DPO or designated representative.
Cross-border personal data transfers
A PIP that plans to transfer PI outside of Mainland China must provide data subjects with specific information about the transfers, consisting of the PI recipient’s name, contact information, the purpose of the cross-border PI transfer, how the PI will be processed, the categories of PI to be transferred and how PIPL-covered data subjects can exercise their PI rights in the PI destination jurisdiction. Additionally, and importantly, a PIP must also obtain separate consents from any data subjects to transfer their data outside of Mainland China.
Furthermore, a PIP must also adopt measures to ensure that the overseas recipients of PIPL-covered PI can provide the same level of protection to data subjects as that required under the PIPL, and must also conduct a data privacy impact assessment with respect to the transfer of data outside Mainland China. While the language of the PIPL is not yet fully clear, there is the notion of an obligation for data exporters and data recipients to conduct regular assessments to ensure the PIPL’s protective requirements can be met in the destination jurisdiction. The intent is presumably that one cannot simply export data because the current conditions in the recipient’s jurisdiction are acceptable and then forget about it, presuming those conditions will remain static. Rather, if conditions change in the recipient jurisdiction in a way that would obstruct or impede the equivalent protections, then the processing would need to be reconsidered. This seems to be a concept similar to that expressed by the European Court of Justice in Schrems II, in which the court invalidated the EU-US Privacy Shield.
There is a data localization element to the PIPL, which reflects an overlap with the PRC Data Security and Cybersecurity Laws and particularly applies to critical infrastructure operators (CIIOs) and PIPs that process “large” amounts of PI. A CIIO is an organization that processes ‘a large amount’ of PI and must store PI locally within Mainland China. If a CIIO or a PIP that processes ‘large’ amounts of PI wishes to transfer PI overseas, it must pass a CAC security assessment. Even having passed such an assessment, the CAC will likely limit the nature and amount of data that can be transferred offshore. CAC security assessments will be conducted to determine whether the proposed transfer of PI could have a negative impact on national security, the public interest or PI security. It should be noted that the triggers for this data localization have yet to be defined; consequently, until implementing rules or policy circulars are issued, we will not know what constitutes a ‘CIIO’ or ‘large.’ Additionally, one should expect the thresholds to vary according to industry, as specific industry regulators may also determine relevant thresholds and restrictions on data handling or exports.
Non-CIIOs and smaller PIPs will be able to transfer PI outside of China if they pass a CAC security assessment, obtain a PI protection certificate or enter into a standard agreement with the overseas recipient of PIPL-covered PI. This contractual approach appears similar to the standard contractual clauses provided under the GDPR; however, such clauses have yet to be issued by the CAC. Furthermore, it is not yet clear how an organization would obtain a CAC PI protection certificate, or what would be required to pass a CAC security assessment for any size of organization, whether small, large or a CIIO.
While the nature of a PI protection certificate is currently unclear, perhaps it contains an element of the binding corporate rules (BCRs) provided for under the GDPR. BCRs are a set of rules approved by a data supervisory authority in the EU, specific to one company and for internal use, that cover binding guidelines on internal data handling and on cross-border transfers within that company to entities outside the EU. Until the CAC offers implementing rules or other guidance, it is impossible to know how multinational companies in China will be able to make streamlined intra-company cross-border data transfers.
It should also be noted that cross-border PI transfers by small PIPs and non-CIIOs that are permissible under the PIPL may nonetheless violate other PRC laws. This could be the case in industries with their own specific rules, or where relatively small amounts of data could demonstrably or conceivably be considered state secrets, core data or important data in relation to national interests covered by the DSL or other applicable rules.
Additionally, no organization covered by the PIPL may transfer PIPL-covered PI stored within the PRC to any foreign law enforcement agencies or courts without the approval of the competent authority. The PIPL does not indicate who this authority is and further details will be required and likely articulated in due course in the form of implementing rules or circular notices. This authority may be the CAC, but it is likely that the CAC will be just one point of contact while other government authorities such as the Public Security Bureau, Ministry of Public Security and even the Ministry of Foreign Affairs could be involved in such decisions depending upon the nature of the case.
Data privacy impact assessments
Unlike the GDPR, which ambiguously requires a DPIA to be conducted when processing personal data is likely to result in a high risk to the rights and freedoms of natural persons, the PIPL provides prescriptive language in this respect. The reasons to conduct DPIAs may be similar under the GDPR and PIPL; however, the processing activities that trigger a DPIA are different.
Under the PIPL, DPIAs must be conducted when a PIP:
- processes sensitive PI,
- uses PI for automated decision making,
- commissions a third-party vendor to process PI,
- shares PI with other processors,
- publicly discloses PI, or
- makes cross-border transfers of PI.
It should be noted that the PIPL also contains an additional vague catch-all requiring a DPIA to be conducted for ‘other’ PI processing activities that have a significant impact on the rights and interests of data subjects. Additionally, DPIAs must be conducted prior to processing PI and retained for at least three years. It may be prudent to keep a DPIA longer: it documents the chain of decision making and reasoning, which comports with accountability standards, and it assists when the process it covered is later modified and a new DPIA must be conducted.
Scope of a DPIA
The PIPL requires a DPIA to assess, among other things:
- whether the proposed purpose and method of PI processing is lawful, legitimate and necessary,
- impacts on data subjects’ rights and interests and security risks, and
- whether the protection measures that will be employed are lawful, effective and proportionate to the risk level.
Data subject recourse / Enforcement
Under the PIPL, data subjects have the right to complain about or report illegal PI processing activities to the CAC. Such complaints or reports must be handled ‘promptly’ in accordance with the PIPL, and the complainant/informant must be notified of the outcome. The PIPL does not provide a specific timeline for such a notification; however, this should be clarified by implementing measures or policy circulars.
Additionally, data subjects have the right to sue PI processors if they impede or reject data subject requests to exercise their PI rights. PIPs can be strictly liable for non-compliance. If a PIP’s mishandling of PI infringes upon data subjects’ rights and causes damage, even if the fault of the PIP cannot be proven, the PIP will be deemed culpable and responsible to compensate data subjects for losses.
As an additional potential deterrent, a non-compliant PIP can bear criminal liability: if a violation of the PIPL also constitutes a crime, the responsible actors can be criminally liable. Notably different from the GDPR, PIPL violations can also impact a company’s rating in the PRC social credit scoring system, which can affect the company’s access to business-related resources and lead to disqualification from bidding on certain projects in Mainland China, among other consequences. The social credit scores of culpable individuals can also be negatively impacted.
PIPL enforcement may encompass certain wild cards. While the PIPL may primarily fall under the purview of the CAC and its provincial representatives, ultimately there may be a number of government bodies in China with jurisdiction in this space, such as the National Security Commission, the Ministry of Industry and Information Technology, the Ministry of Public Security and Public Security Bureau, the China Securities Regulatory Commission or the China Banking and Insurance Regulatory Commission. Additionally, the PIPL should also be considered together with other applicable data and cybersecurity laws in Mainland China.
The PIPL divides transgressions into two levels – ordinary cases and serious cases. Both companies and individuals (managers and other personnel directly responsible for infractions) can be culpable.
Ordinary cases – The penalties that can be imposed are as follows:
1. Companies – Fines of up to RMB 1 million for companies as well as rectification orders, censure, disgorgement, orders to suspend or cease provision of services and impaired PRC social credit scores.
2. Individuals – Personal fines between RMB 10,000 to RMB 100,000 as well as impaired social credit scores.
Serious cases – The penalties that can be imposed are as follows:
1. Companies – Fines of up to RMB 50 million or 5% of the prior financial year’s revenues (not clear if global) as well as rectification orders, censure, disgorgement, orders to suspend or cease provision of services and impaired PRC social credit scores.
2. Individuals – Personal fines between RMB 100,000 and RMB 1 million as well as disbarment from serving as a board member, supervisor, senior manager, or person in charge of PI protection for an enterprise and impaired PRC social credit scores.
If you are familiar with the GDPR you will recognize similarities in the PIPL, such as the broad scope of PI, transparency and consent requirements, and more stringent requirements on the processing of sensitive PI. However, being GDPR compliant does not mean you will be PIPL compliant. Existing knowledge of the GDPR will certainly help in understanding the PIPL’s similarly principles-based requirements.
As an example, your company might already have binding corporate rules approved by a supervisory authority in the EU, and be compliant with those rules, which allow the free cross-border flow of information from the EU within your group of companies internationally. Unfortunately, those BCRs are a device falling under the GDPR; if you are transferring data out of Mainland China, the transfer will need to be handled in accordance with the PIPL, not under the BCRs and the GDPR.
While I have chosen to specifically avoid confusing things further with the Data Security Law (DSL), which became effective on 1 Sept 2021, I would like to point out that it is extraterritorial in scope and Article 2 imposes legal liability if data processing activities conducted outside Mainland China harm the national security or public interest of the PRC.
Furthermore, under the DSL, ‘data’ is widely defined and includes any ‘record of information’ in ‘any form’; the DSL applies to all data, whereas the PIPL applies only to personal information. The DSL also identifies a category of ‘important data,’ which relates directly to the national interest of the PRC and is designated according to: (1) the level of importance of that data to the PRC’s economic and social development, and (2) the degree of damage it could cause to the PRC’s national security or social interest if leaked or illegally obtained or used. A catalogue will likely be issued that classifies ‘important data’. Anyone processing important data is subject to various requirements (such as having a designated data security officer and a data security management office, and conducting regular risk assessments).
Moreover, the DSL also identifies a category of ‘national core data’, which corresponds to data that relates to national security, the national economy or a vital public interest and is of a higher status than ‘important’ data. Above certain thresholds, quantities of PI will likely become ‘important’ data, but that is not yet clear, and it will be necessary to refer to other laws and guidelines relating to various industries that may have specific thresholds, such as automotive, aviation, securities, banking and insurance. State secrets are another category of data that must always be considered.
Additionally, the PRC Cybersecurity Law of 2017 (CSL) is very broad and applies in this space as well. The CSL addresses network products, services, operations, information security and monitoring, early detection, emergency response and reporting and corresponds to other international cybersecurity standards. However, the CSL focuses on internet security, the protection of private and sensitive information and contains safeguards for PRC cyberspace sovereignty and security. It also covers all data and not just PI.
The CSL specifically applies to network operators and CIIOs. Theoretically, any company with more than one computer communicating with each other could constitute a network operator. Essentially any company that operates a network to conduct its business, including a website and/or internal and external networks, to provide a service or collect data in Mainland China will be covered by the CSL. Moreover, because of the CSL’s extraterritoriality, providing goods or services or monitoring the behavior of individuals within Mainland China from outside of Mainland China can also be covered.
Currently, there may be many gaps in the PIPL, DSL and CSL, but in due course there will be more guidance, interpretations and clarifications. Notwithstanding any ambiguities, your organization must comply with these rules. They operate together, and it is important to manage their overlapping and sometimes ambiguous aspects to the greatest extent possible.
The author is a member of the International Association of Privacy Professionals and holds CIPP/E (certified international privacy practitioner/EU (GDPR)) and CIPM (certified information privacy manager) certifications.
This article is for general information purposes only, is not intended to, and does not constitute legal advice. The author would be happy to assist with any queries you may have related to data privacy matters.
Author: Alexander May
Legal Manager, Hill Dickinson
International Corporate, Commercial and