China Passes Personal Information Protection Law

The new law has extraterritorial effects and localization requirements.

October 20, 2021

On August 20, 2021, the People’s Republic of China (PRC) passed the Personal Information Protection Law (PIPL) (non-official English translation available here), which will come into effect on November 1, 2021. This new law is part of a triad including the Cybersecurity Law (unofficial English translation available here) and the recent Data Security Law (non-official English translation available here), which came into force on September 1, 2021.

The PIPL regulates the processing of personal information (PI) of natural persons by following a very similar approach to that of Europe through its former Directive No. 95/46/CE and its current General Data Protection Regulation No. 2016/679. It also follows closely what has already been established in the Data Security Law. Unlike the Data Security Law, however, the PIPL regulates the processing of personal information (i.e., all kinds of information, recorded by electronic or other means, on identified or identifiable natural persons).

The PIPL thoroughly regulates the processing of PI. A key aspect of the PIPL is that it extends beyond the borders of the PRC to the processing of PI of natural persons outside the PRC if: (i) the purpose of the processing is to provide products or services to natural persons in the PRC; (ii) the activities of natural persons are being analyzed or assessed within the country’s borders; or (iii) as established by applicable laws or administrative regulations.

Some other key considerations of the PIPL include:

  1. Purpose limitation, minimization and transparency: PI must only be processed for a clear and reasonable purpose. The collection of PI must be limited and correlate to that purpose (section 6). Section 17 provides that, before processing PI, controllers shall explicitly notify individuals truthfully, accurately and fully of the following, in plain language: (i) name and contact details of the PI controller; (ii) purpose, methods, categories of processed PI, and retention period; (iii) methods and procedures for individuals to exercise their rights; and (iv) other items that laws or administrative regulations specifically regulate. PI can only be retained for the shortest period of time needed to fulfill the informed purpose (section 19).
  2. Legal basis: according to section 13, PI controllers may only process PI under the following legal basis:
    • Consent;
    • Need to conclude or fulfill a contract;
    • Statutory duties and responsibilities or statutory obligations;
    • Sudden public health incidents, or to protect natural persons’ lives and health, or the security of their property, under emergency conditions;
    • News reporting, public opinion supervision, and other such activities in the public interest (processing the personal information within a reasonable scope);
    • PI disclosed by the persons themselves or otherwise already lawfully disclosed, within a reasonable scope in accordance with the provisions of the PIPL;
    • Other circumstances provided in laws and administrative regulations.
  3. Outsourcing: section 21 provides that an agreement must be in place between the personal information controllers and the service provider.
  4. Company reorganization: the PIPL states that, when necessary to transfer personal information due to mergers, separations, dissolutions, bankruptcy, and other such reasons, PI controllers must notify individuals about their assignee’s name and contact details. The assignee must continue to fulfill the PI handler’s duties (section 22).
  5. International transfer of PI: section 38 provides that the international transfer of PI outside the PRC requires meeting one of the following conditions:
    • Passing a security assessment organized by the State cybersecurity and informatization department;
    • Undergoing PI protection certification by a specialized body under State cybersecurity and informatization department provisions;
    • Concluding a contract with the foreign receiving side in accordance with standard contract clauses formulated by the State cybersecurity and informatization department, agreeing upon the rights and responsibilities of both sides;
    • Other conditions provided in laws or administrative regulations or by the State cybersecurity and informatization department.

Where treaties or international agreements that the PRC has concluded or acceded to contain relevant provisions such as conditions for the international transfer of PI, those provisions may be carried out. PI controllers are required to adopt necessary measures to ensure that foreign receiving parties' personal information processing activities reach the standard of personal information protection provided in the PIPL.

  6. Data localization: section 40 provides that critical information infrastructure operators and PI controllers processing PI provided by the State cybersecurity and informatization department must store PI within the PRC domestically. Where an international transfer is necessary, they are required to pass a security assessment organized by the State cybersecurity and informatization department.

If PI is handled in violation of the PIPL, the departments fulfilling PI protection duties may order a correction, confiscate unlawful income, and order the temporary suspension or termination of the service. As for monetary sanctions, where correction is not performed, a fine of no more than 1 million Yuan (USD 155,118) may apply; the directly responsible person in charge and other directly responsible personnel may be fined between 10,000 and 100,000 Yuan (USD 1,551 and USD 15,511).

If, however, PIPL violations are severe, the provincial or higher-level departments fulfilling personal information protection duties and responsibilities can order a correction, confiscate unlawful income, and impose a fine of no more than 50 million Yuan (USD 7,755,906), or 5% of annual revenue. They may also order the suspension of related business activities or cessation of business for rectification, and report to the relevant competent department for cancellation of the corresponding administrative licenses or cancellation of business licenses. The directly responsible person in charge and other directly responsible personnel can be fined between 100,000 and 1 million Yuan (USD 15,511 and USD 155,118), and they may also be barred from holding the positions of director, supervisor, high-level manager, or personal information protection officer for a certain period.