China's Personal Information Protection Law (PIPL or the final version), following the first two readings in October 2020 and April 2021, was adopted on August 20, 2021 and will become effective on November 1, 2021. The final version comprises 74 articles across eight chapters that cover General Provisions, Rules for Processing Personal Information (PI), Rules for PI Cross-border Provision, Rights of Individuals in PI Processing Activities, Obligations of PI Processors, Authorities Performing PI Protection Duties, Legal Liability, and Supplementary Provisions. PI under PIPL is defined as information of various kinds recorded by electronic or other means related to identified or identifiable natural persons, but excluding information which has been anonymized (Article 4). Privacy rights under the PIPL draw upon the EU's General Data Protection Regulation (GDPR) but lack the protections against the state, including in the name of national security, inherent in its EU counterpart.
Compared to the second draft, major changes in the final version include:
- The final version adds that the PIPL has been formulated "in accordance with the Constitution", making the Constitution the legal foundation for the PIPL (Article 1). Although China does not have a constitutional court and it is difficult to invoke the Constitution in legal proceedings absent a positive law, reference to the Constitution nevertheless accords greater authority to rights under the PIPL.
- The final version extends the legal application of the PIPL to human resource management, and extends employee PI to protection under PIPL (Article 13(2)).
- The final version for the first time introduces the concept of a "small PI processor" (Article 62(2)), which it leaves undefined; special rules and standards for PI protection by such processors will be formulated by the Cyberspace Administration of China (CAC) in consultation with other authorities.
- Price discrimination against individuals is not allowed in PI-based automated decision-making, a response to widely criticized profiteering through the collection and utilization of big data by apps (Article 24).
- PI of minors under the age of 14 will be treated as Personal Sensitive Information (PSI), a category that also includes biometrics, religious beliefs, specific identities, healthcare, financial accounts, and locations; PSI may be processed only for specific purposes with sufficient necessity (Article 28).
- The final version adds the right to PI portability (Article 45).
- The final version ensures the right of individuals to sue when deprived of rights by PI processors (Article 50). Consumer organizations specified under law and organizations determined by CAC, i.e., officially recognized consumer organizations, may file class actions (Article 70).
Below please find a summary of the PIPL's provisions:
PIPL will apply not only to PI processing activities within China, but also to processing outside China of PI of individuals who are inside China when the processing is (i) for the purpose of providing products or services to individuals inside China; (ii) to analyze/evaluate the behavior of individuals inside China; or (iii) other circumstances prescribed by law or regulation (Article 3).
When the processing of PI is for the purpose of analyzing/evaluating the behavior of individuals inside China, the PI processor outside China is required to set up a special organization or designate a representative to handle PI-related matters, and report the contact information of such organization or the representative to the authorities performing PI protection duties (Article 53).
Overseas organizations or individuals which process PI in a way that would harm the personal interests of Chinese citizens or endanger China's national security or public interest may be placed by CAC on a blacklist to restrict or prohibit the provision of PI. The blacklist will be published and authorities will take relevant measures to restrict or prohibit cross-border provision of PI (Article 42).
Counteractions may be taken against countries or regions which adopt, on a discriminatory basis, prohibitive, restrictive or similar actions against China with respect to the protection of PI (Article 43).
PI cross-border transfer
PI cross-border transfer may be made by a PI processor for business or other reasons if any of the following conditions is met: (i) the PI processor has passed a security assessment organized by CAC, which is required for (a) critical information infrastructure (CII) operators and (b) PI processors processing PI that reaches the quantity thresholds prescribed by CAC. Such operators and processors must store within the territory of China the relevant PI which they have collected or generated in China; this is the mandatory "data localization" requirement, and only where it is necessary to transfer PI outside China may they do so after passing the CAC security assessment; (ii) the PI processor has been certified by a specialized agency for protection of PI in accordance with CAC regulations; (iii) the PI processor enters into a contract with the overseas recipient based on a standard contract template produced by CAC specifying the rights and obligations of the two parties; or (iv) other conditions specified by laws, administrative regulations or CAC rules (Article 38).
International treaties concluded by China may be followed in terms of conditions for PI cross-border transfer (Article 40). Without the approval of the competent Chinese authorities, no PI processor may provide PI stored in China to foreign judicial or law enforcement authorities (Article 41).
Specific consent by the PI owner must be obtained prior to cross-border PI transfer (Article 39). The PI processor must also take necessary action to ensure that the PI processing activities by the overseas recipient meet the standards for PI protection specified in the PIPL (Article 38).
Rules for processing of PI
The processing of PI shall have a clear and reasonable purpose, be directly related to the processing purpose, and conducted in a way that minimizes the impact on personal rights and interests (Article 6). PI processing must be (i) consent based, but consent may be waived when the processing activity is necessary to the public interest; (ii) necessary to the execution and performance of a contract, including labor contracts; (iii) necessary to perform statutory duties and responsibilities; (iv) necessary to emergency responses in public health emergencies; (v) for reasons of news reporting or supervision by public opinion and within reasonable scope; and (vi) reasonably based on PI that has been made public by the individuals themselves or other legal means (Article 13). These provisions impose a "minimal impact" and "necessity" requirement on PI processors when processing PI.
Two or more PI processors which jointly process PI shall agree upon their respective rights and obligations, and bear joint and several liability (Article 20).
Obligations of PI processors
PI processors shall formulate internal policies and procedures, manage PI by category, adopt such security technology measures as encryption and deidentification, conduct periodic security training for employees and conduct audits (Articles 51, 54), and conduct PI protection impact assessments and make records thereof prior to (i) processing PSI; (ii) using PI to engage in automated decision-making activities; (iii) engaging others to process PI, providing PI to other PI processors, or making PI public; (iv) providing PI overseas; and (v) engaging in PI processing activities that have a significant impact on personal interests (Article 55).
Most importantly, Article 58 requires basic internet platform service providers which have a significant number of users and operate complex types of businesses, when processing PI, to (i) establish an independent organization largely comprised of external personnel to supervise PI processing activities; (ii) formulate platform rules specifying the standards and obligations for processing PI; (iii) cease to provide services to product or service providers on their platforms which have seriously violated laws and regulations regarding PI processing; and (iv) periodically publish PI protection social responsibility reports. These constitute substantial burdens on business, including foreign-invested businesses and smaller businesses.
Violation of the PIPL may result in penalties against businesses ranging from warnings to confiscation of illegal proceeds; fines of up to RMB 1 million (approximately EUR 131,000, or USD 150,000) on entities and RMB 10,000 to 100,000 (approximately EUR 1,310 to 13,100, or USD 1,500 to 15,000) on directly responsible supervisors or individuals; suspension or cancellation of app services; and, in serious cases, fines of up to RMB 50 million (approximately EUR 6,555,000, or USD 7,700,000) or 5% of the business revenue from the previous year for entities, fines of RMB 100,000 to 1 million (approximately EUR 13,100 to 131,000, or USD 15,000 to 150,000) and a bar from serving as director, supervisor or senior officer for individuals, and revocation of operating permits or ultimately the business license (Article 66). The amounts of fines on entities and individuals are significantly higher compared to earlier drafts. These are now generally comparable with the potential fines under the GDPR, which can be up to EUR 10 or 20 million, or up to 2% or 4% of the undertaking's total global turnover of the preceding fiscal year, whichever is higher. Where a state organ fails to perform its obligation of protecting PI, its superior organ shall order it to make corrections and impose administrative sanctions on the person directly in charge. Where any staff member of the authorities performing duties of PI protection neglects his/her duty, abuses his/her power, plays favoritism or commits irregularities, and this does not constitute a crime, administrative sanctions shall be imposed on him/her in accordance with the law (Article 68).
The PIPL, the first comprehensive legislation dedicated to PI protection, constitutes a significant milestone in China's legislation in the PI and data protection area, and should be considered in conjunction with the Cybersecurity Law, provisions regarding privacy and PI protection in the Civil Code, PI protection standards, and the new Data Security Law. Together they enhance privacy protection against business, and promise to impose substantial compliance burdens on business, particularly smaller businesses and foreign-invested businesses, the latter of which may have to establish separate data processing and storage facilities in China.
For an analysis of the first draft of the PIPL, please refer to the WilmerHale publication dated October 30, 2020, available at https://www.wilmerhale.com/en/insights/client-alerts/20201029-chinas-draft-personal-information-protection-law.
For an analysis of the Data Security Law, please refer to the WilmerHale publication dated June 15, 2021, available at https://www.wilmerhale.com/en/insights/client-alerts/20210615-china-promulgates-data-security-law.