On Aug. 20, 2021, the Standing Committee of China’s National People’s Congress promulgated China’s Personal Information Protection Law, which will take effect Nov. 1, 2021. Serving as China’s first comprehensive law in the personal information protection area and based on China’s Constitution, the PIPL aims to “protect the rights and interests of individuals,” “regulate personal information processing activities,” and “facilitate reasonable use of personal information” (Article 1).
From a broader cyber and data security governance perspective, the PIPL, the Cybersecurity Law, and the Data Security Law will form an overarching framework to govern data protection, cybersecurity and data security in China for years to come.
To better understand the new challenges posed by the PIPL, we compare the PIPL with the European Union’s General Data Protection Regulation, and then explain the roles of key enforcement agencies in China and recent enforcement trends and priorities.
The goal here is to explain not just the text of the new law, but also how it is likely to be implemented going forward, so companies can form a risk-based approach towards privacy compliance in China.
Note that while the PIPL bears a resemblance to the GDPR, it includes certain substantive obligations that differ from the GDPR, and there are also obligations found in the GDPR that are not included in the PIPL. Below we provide a high-level summary of key issues where the PIPL converges or diverges from the GDPR.
Definition of Key Terms
The terms “personal information” and “processing of personal information” are defined similarly under both the PIPL and the GDPR. Sensitive personal information is defined under the PIPL as “personal information that, once leaked, or illegally used, may easily infringe the dignity of a natural person or cause harm to personal safety and property security, such as biometric identification information, religious beliefs, specially-designated status, medical health information, financial accounts, information on individuals’ whereabouts, as well as personal information of minors under the age of 14” (Article 28).
Note that anonymized information is not deemed personal information under the PIPL, and “anonymization” refers to the process by which personal information is rendered incapable of identifying specific natural persons and cannot be restored after processing (Articles 4 & 73).
The PIPL uses the term “personal information processing entity” to refer to “organization or individual that independently determines the purposes and means for processing of personal information” (Article 73). This appears to be the Chinese law equivalent of the “data controller” concept under the GDPR. Further, the PIPL uses “entrusted party” to refer to “data processor” as defined under the GDPR.
Similar to the GDPR, the PIPL extends its territorial scope to the processing of personal information conducted outside of China, provided that the purpose of the processing is: (i) to provide products or services to individuals in China, (ii) to “analyze” or “assess” the behavior of individuals in China, or (iii) for other purposes to be specified by laws and regulations (Article 3).
Moreover, the PIPL requires offshore “personal information processing entities” subject to the PIPL to establish a “dedicated office” or appoint a “designated representative” in China for personal information protection purposes (Article 53). This requirement largely mirrors the GDPR’s requirement for the appointment of an “EU representative” for offshore controllers.
Lawful Basis for Processing
Similar to the GDPR, the PIPL requires organizations to have a lawful basis to process personal information. However, the PIPL does not provide “legitimate interests” as a lawful basis for processing as found in the GDPR. Instead, in addition to consent, Article 13 of the PIPL offers the following non-consent bases:
- Necessary to enter into or perform a contract to which the individual is a party, or where necessary to conduct human resources management according to lawfully formulated internal labor policies and lawfully concluded collective labor contracts.
- Necessary to perform legal responsibilities or obligations.
- Necessary to respond to a public health emergency, or in an emergency to protect the safety of individuals’ health and property.
- To a reasonable extent, for purposes of carrying out news reporting and media monitoring for public interests.
- Processing of personal information that is already disclosed by individuals or otherwise lawfully disclosed, within a reasonable scope in accordance with the PIPL.
- Other circumstances as required by laws.
The definition of consent under the PIPL largely aligns with the strict consent requirements of the GDPR – i.e., it must be informed, freely given, demonstrated by a clear action of the individual, and may later be withdrawn (Articles 14 & 15). However, the PIPL requires a separate consent for certain processing activities, namely if a processing entity (i) shares personal information with other processing entities; (ii) publicly discloses personal information; (iii) processes sensitive personal information; or (iv) transfers personal information overseas (Articles 23, 25, 29 and 39).
Personal Information Rights
While the PIPL mostly aligns with the GDPR with respect to personal information rights, it lacks more precise GDPR language addressing such rights, including where certain restrictions or exemptions may apply. Moreover, the PIPL only requires processing entities to “timely” respond to the requests rather than providing a specific timeline for responding. The table below compares the key types of personal information rights under the GDPR and the PIPL, but it remains uncertain how such rights under PIPL might be interpreted in practice.
One noticeable change brought by the final version of the PIPL is that individuals will have the right to bring lawsuits against processing entities if they reject the individuals’ requests to exercise their rights (Article 50). Together with the provision that shifts the burden of proof in privacy-related suits and allows individuals to be compensated based on the actual damage suffered or the illegal profit obtained by processing entities (Article 69), this provision could give individuals more incentive to exercise their personal information rights and file suits in Chinese courts if their requests are rejected.
Cross-border Transfer of Personal Information
The PIPL has several elements in common with the GDPR regarding the cross-border transfer of personal information, but it also includes some additional requirements, in particular if the exporter is an operator of Critical Information Infrastructure or it processes an amount of personal information that reaches a threshold to be released by the Cyberspace Administration of China, as explained below.
In general, a processing entity that plans to transfer personal information to entities outside of China is required to (i) provide individuals with certain specific information about the transfers and obtain separate consent (Article 39), (ii) adopt necessary measures to ensure that the overseas recipients can provide the same level of protection as required under the PIPL (Article 38), and (iii) carry out a personal information protection impact assessment (Article 55).
In addition, CII operators and entities processing a large amount of personal information must store personal information locally. If it is indeed necessary for such an entity to transfer personal information overseas, it must pass a security assessment administered by the CAC (Article 40).
Other processing entities can choose either to obtain a personal information protection certification or to conclude an agreement with the overseas recipient based on a standard contract to be released by the CAC (Article 38). It is currently unclear when the standard contract will be released by the CAC or to what extent such a contract would be akin to the standard contractual clauses under the GDPR.
Personal Information Protection Impact Assessment
Article 55 of the PIPL requires personal information processing entities to carry out prior personal information protection impact assessments and retain the processing records for at least three years for the following processing activities:
- Processing of sensitive personal information.
- Processing of personal information for automated decision-making.
- Entrusting vendors to process personal information, sharing personal information with other processing entities or publicly disclosing personal information.
- Transferring personal information overseas.
- Other personal information processing activities that may have significant impacts on the rights and interests of individuals.
Although the obligation to conduct a prior personal information protection impact assessment is similar to the “data protection impact assessment” under the GDPR, the processing activities that trigger such an assessment are different. In addition, under the PIPL, there is no obligation to consult a regulator in the event that an organization concludes – after completing such an assessment – that it cannot remediate certain residual risks identified.
Penalties and Private Rights of Action
If a processing entity violates the requirements under the PIPL, regulators may order it to take corrective actions, issue warnings, confiscate illegal income, suspend services or issue a fine. The fine can be up to 50 million RMB or 5% of an organization’s annual revenue for the prior financial year (Article 66). Unlike the GDPR, the PIPL does not specify whether the annual revenue refers to the worldwide turnover or the revenue generated in China.
Meanwhile, since the PIPL does not set a minimum penalty, regulators have wide discretion with regard to the penalties that they will impose on violations. Besides monetary fines, violations may also be recorded into the “credit files” of the processing entity under China’s national social credit system (Article 67).
Further, processing entities will be liable for tort damages if they infringe personal information rights and interests (Article 69). If processing entities infringe the rights and interests of a large number of individuals, the People’s Procuratorate and other designated organizations may file public interest lawsuits (Article 70).