The People’s Republic of China’s Personal Information Protection Law (China PIPL) is the country’s new data protection law. The law was adopted in August 2021 and came into force on 1 November 2021. PIPL protects the personal information held and processed by organisations operating in China and those established outside China. PIPL’s data protection principles include lawfulness, necessity, good faith, purpose limitation and data minimisation, transparency, accuracy and accountability and security accountability. Individuals have rights to be informed, access, copies, deletion, rectification, portability and rights to respond to automated decision-making. Businesses and organisations must be more accountable and act in good faith when collecting, using and storing personal information. China does not have an Independent data protection regulator. China’s PIPL enforcement is decentralised and the main government departments responsible for enforcement are the Cyberspace Administration of China (CAC) and the Ministry of Public Security. Each of these bodies has state-level and local organisations that can have rulemaking and enforcement powers. Enforcement starts on 1 November 2021, after a short implementation period.
- What types or organisations are covered by China PIPL?
The law applies to businesses and organisations, which PIPL calls Personal Information Processors. The term is very similar to Controllers in the European Union’s General Data Protection Regulation (GDPR). The law covers businesses that are based in China and those based outside China that collect, use and store personal information about individuals in China. Companies and organisations based outside of China fall within the scope of PIPL is they provide goods and services to people in China, analyse or assess the behaviour of people in China and where other Chinese laws and regulations specify. Entrusted Parties are organisations that process personal information on behalf of and under the instruction of Personal Information Processors. This role is similar to the function of Processors in GDPR, but there are less explicit legal responsibilities, under PIPL.
2. What types of data or information are covered by China PIPL?
China’s PIPL protects personal information. This is defined very broadly as all information related to identified and identifiable natural persons. Anonymised data are not personal information, if these cannot be used to identify specific natural persons and the personal information cannot be restored after processing. The law recognises sensitive personal information as that which disclosure or illegal use can easily lead to the infringement of an individual’s personal dignity or harm their person or property. Examples of these information includes biometrics, religious beliefs, specific identity information, medical health, financial accounts, individual location tracking / geolocation and any personal information about children under 14 years old. Processing sensitive personal information attracts actional requirements including clear and specific purpose, necessity, strict protective measures, additional consent, greater transparency measures and Personal Information Impact Assessments (PIIAs).
3. What are the main obligations from China PIPL for businesses?
Businesses registered in China and international businesses and organisations with supply chains and links to China that fall within China PIPL’s scope must:
(a) Conduct regular China PIPL compliance audits.
(b) Formulate operating rules, internal management, data classification, data processing records and information management systems.
(c) Respond efficiently to personal information breaches with immediate remedies and notify Chinese authorities and affected individuals.
(d) Appoint a representative in China or create a specific legal entity in China to comply with PIPL’s requirements.
(e) Set up processes and tools to carry out Personal Information Impact Assessments (PIIAs) for international personal information transfers outside of China, using third parties to process personal information (such as other Personal Information Processors or Entrusted Parties) or when disclosing information.
(f) Allow individuals to easily give and withdraw consent.
(g) Follow the strict rules of personal information international transfers. Either, by passing a security assessment from the State Cybersecurity and Informationization Department (if critical information infrastructure, transferring a lot of personal information), gain a personal information protection certification from a specialised body authorised by the Sate Cybersecurity and Informationization department, agree a contract with the foreign receiving party based on the standard contractual clauses issued by the Cyberspace and Informationization department or other methods specifies by Chinese law, administrative regulations or the State Cybersecurity and Informatization department.
(h) Appoint a Personal Information Protection Officer (PIPO), if required to do so by the State Cyberspace and Informationization department, to supervise data processing, register with the authorities and identify themselves to individuals whose personal information are being processed.
4. If businesses comply with the European Union’s General Data Protection Regulation (GDPR), will they automatically comply with China PIPL?
Yes, in large part, but not completely. GDPR and China PIPL have different scopes, definitions, special provisions and compliance requirements. However, there are important similarities. China PIPL was enacted to include provisions that mirror some of the EU’s GDPR requirements. GDPR data mapping and records of processing activities can help to identify personal information impacted by China PIPL. GDPR Data Protection Notices, policies and GDPR processes used to respond to GDPR rights can assist China PIPL compliance, but these must be tailored. Data processing agreements and online notices must be specifically updated. Chinese-speaking Data Protection Officers (Personal Information Protection Officers) and Representatives based in China are also important.
For fuller Chinese compliance, companies and organisation should also comply with other Chinese laws which are closely associated or aligned with China’s PIPL. These include:
China Cybersecurity Law (CSL) of 7 November 2016, in force 1 June 2017
China Data Security Law (DSL) of 10 June 2021, in force 1 September 2021
China Civil Code of 28 May 2020, in force 1 January 2021
5. Does China PIPL apply to foreign based companies and what are the penalties for breach of the law?
Yes, it can. If foreign businesses are registered in China and process personal information in China, then China PIPL will apply. The law also applies to foreign-based businesses that provide goods and services to people in China and support China-based businesses and organisations. Foreign-based companies and organisations that analyse or assess the behaviour of people in China also fall within PIPL’s scope. China PIPL could also be extended by other Chinese laws and regulations at the national, regional, state or local level. This means that organisations must constantly review the scope and application of PIPL.
Enforcement of China PIPL is multifaceted. There are criminal penalties, including imprisonment, if a violation of PIPL amounts to a breach of public security administration and criminal liability is proven. There are civil liability penalties for breaches of China’s Civil Code, including consumer law. Chinese state or regional consumer organisations can also conduct public interest litigation on behalf of a large group of people affected by breaches of PIPL. It is important to note that the burden of proof lies with the Personal Information Processor to demonstrate that no breach of China PIPL has taken place, because Personal Information Processor fault is presumed at the outset.
PIPL also has a system of administrative penalties, falling into two types of cases. In general cases, Personal Information Processors and Individuals can be given warnings, orders to rectify, confiscation of illegal gains and orders to suspend / terminate services that unlawfully process personal information. Failure to make corrections could result in fines up to £1 million RMB. Responsible Persons could receive fines from 10,000 RMB. In severe cases, Personal Information Processors and Individuals can be given, orders to rectify, confiscation of illegal gains, orders to suspend / terminate services, cessation of business for rectification or revocation of business licences or permits. Fines of up to 50 million RMB or 5% of annual turnover from the previous year could also be given. For Responsible Persons, fines ranging from 100,000 to 1 million RMB could be levied. Responsible Persons could also be prohibited from holding director, supervisor, senior manager or Personal Information Protection Officer positions, for a period of time.
National Information Security Standardisation Technical Committee of China Guidelines on the Cybersecurity Standards Specification for the Certification of Cross-Border Processing of Personal Information (June 2022) – In Chinese