On 20 August 2021, China's much anticipated Personal Information Protection Law (PIPL) was passed. The new law will come into force on 1 November 2021. The PIPL, Cybersecurity Law and the new Data Security Law (which came into force on 1 September 2021), now form the main legal framework governing data security and the handling of both personal and non-personal data in China.
The PIPL has often been compared with the EU General Data Protection Regulation (GDPR), and while the comparison is largely apt, there are many points of difference between the two regimes. For example, the cross-border transfer restrictions and extra-territorial application of the PIPL are broader than the equivalent provisions in the GDPR. These differences, as well as some of the key aspects of the PIPL, are discussed below.
Scope and Extra-territorial Effect
The PIPL regulates the processing of personal information of individuals within China. Personal information is defined as any information relating to identified or identifiable natural persons that is recorded by electronic or any other means, but excluding anonymous data.[1]
The law also expressly applies to any processing activities performed outside China, if such activities are:
- for the purpose of providing products or services to individuals located in China;
- for the purpose of analysing or evaluating the activities of individuals located in China; or
- within any other circumstances specified under local laws or regulations.[2]
All data controllers outside of China who engage in such processing activities must establish a dedicated entity or appoint a legal representative in China to be responsible for all matters relating to the processing of personal information under the PIPL.[3] The name and contact details of such local entity or legal representative will need to be provided to the relevant authority.
Whilst on the face of it the extra-territorial scope of the PIPL appears similar to that of the GDPR, there are some notable differences. Unlike the GDPR, which applies to the "offering" of goods or services (i.e. the targeting criterion), the PIPL applies to the processing of personal information for the purpose of "providing" products or services to individuals in China. In the absence of further clarification, the PIPL has the potential to apply to foreign companies that are not specifically targeting individuals in China and might only incidentally provide products or services to them. For example, a foreign company that operates an e-commerce site with global delivery may be caught by the PIPL simply because a customer might be based in China, even though the e-commerce site is not specifically targeting Chinese customers (e.g., it is not a Chinese website, nor does it use a domain name, etc.). Before the PIPL comes into operation, the local authorities may issue interpretations and measures to provide further clarity on its scope of application.
Data Controller and Data Processor
The responsibility and requirements under the PIPL are mainly imposed on personal information processors (i.e. the equivalent of data controllers under the GDPR). The personal information processor is any organisation or individual that independently determines the purpose and means of processing of personal information (data controller).[4]
Data controllers remain responsible for supervising the entities to whom they have entrusted the processing of personal information (i.e. the equivalent of a data processor under the GDPR) (data processor). The parties must agree on the purpose, period and method of processing and the type of personal information covered, as well as the security measures and the rights and obligations of both parties. This should be reflected in an agreement between the parties. The data processor cannot further sub-contract the processing of the personal information without the consent of the relevant data controller.[5]
Under Article 59 of the PIPL, data processors are required to adopt necessary measures to protect the personal information entrusted to them in accordance with the PIPL and other relevant laws and regulations, and to assist the data controller to comply with their obligations under the PIPL. Whilst data processors are potentially not directly regulated under the PIPL in the same way as they are under the GDPR, this Article 59 acts as a reminder that data processors may still be directly subject to the data security requirements under China's Cybersecurity Law and Data Security Law.
Grounds for Processing
Under the PIPL, personal information may only be processed if it is for a specific and reasonable purpose, and the processing should be directly related to such purpose. Only the minimum amount of data required to fulfil such purpose should be collected, and the excessive collection of personal information is prohibited.[6] Similar to the GDPR, the PIPL imposes general principles of openness and transparency, legality, legitimacy, necessity and good faith.
The PIPL also sets out the lawful basis for the processing of personal information. Under Article 13 of the PIPL, data controllers can only process personal information if:
- The data subject has provided their consent;[7]
- The processing is necessary: (a) for the conclusion or performance of a contract to which the data subject is a party; or (b) to conduct human resources management in accordance with labour rules and regulations established by the employer in accordance with the law or collective contracts signed under law;[8]
- The processing is necessary for the fulfilment of duties or obligations imposed under laws or regulations;
- There is a need to respond to public health emergencies or to protect an individual's life, health or property in an emergency situation;
- The personal information is being processed for the purposes of conducting news reporting, supervising public opinion or other such activities that are in the public interest and the processing is within a reasonable scope;
- The personal information is already publicly available (either disclosed by the data subject or otherwise lawfully disclosed), and the processing is within a reasonable scope and in compliance with the PIPL; or
- The processing is permitted pursuant to other laws and regulations.
Notably, unlike the GDPR, legitimate interest is not a ground for processing under the PIPL. However, the PIPL does specifically include publicly available information and human resources management as grounds for processing, which are absent from the GDPR.
Regardless of the basis of processing relied on by the data controller, the data controller must still explicitly notify the data subjects beforehand of the purpose of processing, the categories of personal information being handled, the mechanisms by which the data subjects can exercise their rights, and so on.[9] The notification must be accurate, clear and easy to understand. Any changes to the original notice must also be notified to the data subjects.
If consent is being relied on as the basis of processing, then separate consent must be obtained if:
- Personal information will be provided by the data controller to a third party;[10]
- The data controller intends to disclose the personal information publicly;[11]
- Images and other personal information collected in public areas to safeguard public security (e.g., information collected via CCTV or facial recognition technology) will be used for other purposes;[12]
- Sensitive personal information will be processed;[13] or
- Personal information will be transferred outside of China.[14]
What amounts to separate consent has not been defined in the PIPL. It is likely that unbundled and distinct opt-in consent will be required, separate from the general consent collected in relation to the processing of the data subject's personal information.
Sensitive personal information is defined as any personal information that, once leaked or illegally used, could readily result in harm to the dignity of an individual, or to the individual's personal safety or the security of their property.[15] Examples include biometric identification information, religious beliefs, specially-designated status, medical health information, financial accounts, tracking of an individual's location, and personal information of minors under the age of 14.
1. Article 4 of PIPL.
2. Article 3 of PIPL.
3. Article 53 of PIPL.
4. Article 73(1) of PIPL.
5. Article 21 of PIPL.
6. Article 6 of PIPL.
7. To be valid, the individual must provide their fully informed, voluntary and explicit consent. Where laws or regulations require separate or written consent, then this must be obtained. See Article 14 of PIPL.
8. The legal basis of processing in relation to human resources management is a new legal basis introduced in the final PIPL, which did not appear in the first and second drafts of the PIPL.
9. Articles 17 and 18 of PIPL.
10. Article 23 of PIPL.
11. Article 25 of PIPL.
12. Article 26 of PIPL.
13. Article 29 of PIPL. Note that for personal information of minors under the age of 14, the data controller must obtain the consent of the parent or guardian of the minor (Article 31 of PIPL).
14. Article 39 of PIPL.
15. Article 28 of PIPL.
© Copyright 2020. The Mayer Brown Practices. All rights reserved.