Cheat sheet of China's first personal information protection law
What you need to know about the China Personal Information Protection Law (PIPL) which will take effect from 1 November 2021.
Background
China passed its Personal Information Protection Law (PIPL) on 20 August 2021 and it will take effect from 1 November 2021. Being the first comprehensive law on personal data protection in China, the PIPL has attracted much attention from both domestic and foreign stakeholders since it appeared in the state legislation plan in 2018. The law brings significant changes and challenges to companies’ data practices in many ways and leaves only two months’ preparation time for market players to become compliant before it is effective and enforceable. Thus it is vital that you understand its impact on your organisation and start taking action now. This article will serve as a handy cheat sheet on the PIPL, covering all the need-to-knows and the key things you should consider or already be doing.
Is it relevant to you?
Difference in terminology. When you try to understand the PIPL, it’s important to remember that “data processor” under the PIPL refers to the party who controls and determines the purpose and method of the data processing, i.e. the equivalent of the “data controller” concept under the GDPR. The PIPL uses the term “entrusted party” to refer to the party processing data on behalf of, and at the instruction of, the data processor.
Extra-territorial effect. The PIPL applies to all processing activities which take place within China (for this article, China refers to mainland China, excluding Hong Kong SAR, Macau SAR and the Taiwan region), irrespective of the location of the data processor or the nationality of the data subject. It also has an extra-territorial effect on overseas processing of the personal data of China-based individuals where the purpose is offering products or services to such individuals, or analysing and assessing their behaviour.
Penalties. The PIPL significantly raises the level of penalties which can be imposed for illegal personal data processing activities. Violations can lead to an administrative fine of up to 5% of annual turnover or RMB 50 million (approx. GBP 5.6 million). It is not clear at this moment whether the annual turnover is calculated at the entity level or at the group level (like the “undertaking” concept under the GDPR), or whether it covers only revenue generated from China. Either way, it is a huge increase compared to the current legislation. An administrative fine of up to RMB 1 million (approx. GBP 112,150) can be imposed on the person in charge or other personnel directly responsible. In serious cases, violations may trigger criminal liability.
What should you do?
Identify appropriate lawful bases for data processing activities. One of the key changes brought by the PIPL is that more legal bases are available in addition to consent. These new lawful bases include: (1) the processing is necessary for entering into or performing a contract to which the data subject is a party, or is necessary for human resources management under lawful labour policies and collective agreements; (2) compliance with legal duties and obligations to which the data processor is subject; (3) responding to public health incidents or protecting the vital interests of natural persons; (4) news reporting and media supervision for the purpose of protecting the public interest and within a reasonable scope; and (5) processing, within a reasonable scope, personal data publicised by the data subject or otherwise lawfully made public. It’s worth noting that processing for HR management purposes is only permitted to the extent necessary under labour policies and collective agreements, both legally entered into under Chinese law. That means it is still contract-based. “Legitimate interest” is not recognised as a valid lawful basis under the PIPL.
Map out consent collection requirements and process. Although organisations may rely on lawful bases other than consent, there are a handful of circumstances under the PIPL where data subject consent is nonetheless required. These circumstances include, for example, sharing personal data with other data processors, providing personal data to overseas recipients, publicising personal data (not already published by the data subject or under other legitimate circumstances), processing sensitive personal data, and processing the personal data of minors under the age of 14 (in which case the consent of the parent or legal guardian is required).
Satisfy conditions for cross-border data flows. The first question is to identify which category of data processor your organisation falls into. If your organisation is deemed a Critical Information Infrastructure (CII) operator or processes personal data exceeding the volume threshold set by the Cyberspace Administration of China (CAC), then you must clear a security assessment performed by the CAC prior to any cross-border transfer of personal data. If you do not fall into the aforesaid category, you can transfer personal data out of China by satisfying any one of the following conditions: a voluntary security assessment by the CAC, certification by agencies designated by the CAC, or entering into a standard form transfer agreement formulated by the CAC. The PIPL further requires the data processor to take necessary measures to ensure that the overseas recipient achieves a level of protection equivalent to that provided under the PIPL. It is not yet clear what necessary measures the regulators expect from data processors, or whether this will develop into a requirement similar to the rather complex EDPB guidance on third country assessments and supplementary measures following the Schrems II decision.
Conduct personal data protection impact assessments (DPIAs) and keep records of data processing activities. Data processors are required to conduct DPIAs and keep records of their data processing activities in a wide range of scenarios, including the processing of sensitive personal data, using personal data for automated decisions, entrusting third parties to process personal data, sharing personal data with other data processors, publishing personal data, cross-border data transfers and other activities that may have a material impact on data subjects. The DPIA shall cover, among other things, whether the purpose and method of data processing are lawful, legitimate and necessary; the impact on, and security risks to, personal interests; and whether the protection measures taken are lawful, effective and proportionate to the risk level. DPIA reports and data processing records shall be retained for at least three years.
Establish a process to deal with data subject requests. The PIPL provides for data subject rights largely equivalent to those under the GDPR. Data processors shall establish internal processes and policies for responding to data subject requests such as access and copy, correction, deletion, objection, withdrawal of consent and portability.
Appoint a DPO and a China representative. Data processors who process personal data exceeding a certain volume threshold set by the CAC shall appoint a personal data protection officer. Overseas data processors who are covered by the extra-territorial jurisdiction of the PIPL shall establish a designated body or appoint a representative in China.
Additional obligations for platform “gatekeepers”. Large online platform operators are subject to additional obligations, including establishing an independent supervisory body consisting of external members, formulating platform rules on personal data protection, removing product / service providers in material violation of personal data protection laws, and publishing periodic social responsibility reports on personal data protection. These requirements trace the “gatekeeper” concept for platform companies in the EU’s Digital Markets Act and Digital Services Act, and also echo Chinese regulators’ recent enforcement actions imposing stronger regulation on platform giants.
For any assistance with PIPL or any other queries regarding how the PIPL may impact you, please contact Jingyuan Shi or Jenny Liu.