The long-awaited China Personal Information Protection Law (hereinafter referred to as "Law" or "PIPL") was passed by the Standing Committee of the National People's Congress of the People's Republic of China on August 20, 2021, to enter into force on November 1, 2021. The Law mainly regulates how personal data will be collected, used, processed, shared, and transferred abroad by companies operating in the People's Republic of China (hereinafter referred to as "China"). The Law, which determines the legal framework in these areas, complements the local data protection regime previously established by the China Cybersecurity Law (hereinafter referred to as "CSL") and national regulations. Under China's current legal structure, the legal and technical measures regarding the protection of personal data and data security are implemented through various laws, secondary regulations, and guidelines containing compliance standards. In this context, the Law is the first comprehensive, national-level regulation regarding personal data. It is crucial because it contains various legally binding compliance standards, rather than guidelines and secondary regulations.

The foundation of China's current data protection regime is established by CSL, the first law that puts data security at the center and unifies regulations at various levels and fields at a macro level. CSL, which entered into force on June 1, 2014, is not an inclusive law that applies to every company or institution engaged in data processing, as the European Data Protection Regulation (hereinafter referred to as "GDPR") or the Turkish Personal Data Protection Law numbered 6698 (hereinafter referred to as "KVKK") are; it applies to companies operating in the network field and "critical sectors." In terms of personal data, CSL imposes on network providers an obligation of clarification and explicit obligations toward users, and requires that personal data processing have a legal and legitimate purpose; however, it does not include legal grounds other than explicit consent (this issue was later addressed through regulations). In fact, CSL represents China's will to ensure national security in terms of personal data, and in this sense, it is not a special regulation limited to the protection of personal data, privacy, and the rights of data subjects. For instance, Article 37 of the CSL provides that the personal data of Chinese residents acquired by network companies and companies operating in critical sectors in China must be stored inside the country. Furthermore, various articles provide that this personal data can be accessed by Chinese public institutions under certain conditions. The Law, on the other hand, is a legal framework that centers on personal data and includes many provisions, including the rights of individuals over their own data.

Territorial Scope

PIPL, like GDPR, does not limit its applicability to the domestic level. Companies that process personal data of Chinese residents for the purpose of providing products or services, or that perform assessment/analysis activities on the behavior of Chinese residents, are subject to the provisions of PIPL even if they do not have an establishment in China. In this context, the Law provides that such companies should appoint a representative in China or allocate a liaison office in China to carry out the processes related to the companies' personal data and to communicate with the relevant institutions. The Law also stipulates that the data processing activities of foreign companies or individuals may be restricted and/or prohibited in cases where they pose a national security threat.

Legal Reason

As mentioned above, legal grounds for data processing other than explicit consent are not included in the CSL, and this issue is regulated through national guidelines that are not legally binding. This issue has been regulated in detail in the Law, and the legal grounds on which data processing activity without explicit consent can be based are determined as follows:

  • Establishing a contract to which the data subject is a party or carrying out human resources activities within legally determined limits
  • Fulfillment of legal duties or obligations
  • Responding to sudden public health events or protecting individuals, their lives, health, or property in emergencies
  • Protection of the public interest through reasonable news reporting and media control
  • Processing of personal data made public by the person concerned or for various legal reasons in a reasonable framework

Consent

According to the legal framework envisaged under the Law, similar to GDPR and KVKK, where a personal data processing activity is based on consent, separate consent must be obtained for each activity. Processing sensitive personal data, transferring personal data to third parties for various reasons, making personal data public, and transferring personal data abroad are considered data processing activities that require consent, and "blanket consent," which is not limited to a specific subject and data processing activity, has been determined to be an invalid method.

Human Resources Management

Within the scope of the Law, human resources management is defined as a legal reason on which data processing activity can be based. It is expected that this provision, which is not available in GDPR and KVKK, will prevent the existing implementation differences for the protection of personal data in human resources processes such as performance management.

Protection of the Public Interest

Under PIPL, news reporting and media control processes are evaluated within the scope of public interest, and personal data can be processed for this purpose provided that it is reasonable; this is in line with GDPR.

Protection of Public Health and Individuals

Another legal reason for data processing envisaged under PIPL is defined as "responding to sudden public health events or protecting individuals, their lives, health, or property in emergencies," similar to GDPR.

Other Important Issues in the Law

Mergers & Acquisitions

Article 22 of the Law regulates how data controllers can fulfill their obligations in terms of personal data in cases of merger, acquisition, and dissolution of companies. This issue has not been regulated within the scope of GDPR and KVKK. Some European countries have issued various national legislation to eliminate conflicts on this issue. Under Article 22 of the Law, the data controller should share the name and contact information of the receiving party with the data subject in such cases. In addition, while fulfilling its obligations as the data controller, the receiving party is obliged, for any change to be made in the processing activities, to obtain the consent of the data subjects again or, if the change falls within one of the legal reasons in the Law, to inform them.

Data Localization and Transferring Personal Data Abroad

As mentioned above, within the scope of the data localization measures prescribed by CSL, companies operating in critical sectors have to store personal data on servers in China and have to be approved by the Cyberspace Administration of China in case of transferring personal data abroad. While this obligation continues, the scope of its application has been expanded by the Law to apply to all companies that process personal data above a certain amount. Where personal data is transferred abroad by companies other than the aforementioned categories, they are required to obtain a certificate on the protection of personal data from a professional institution and to sign the standard contract prepared by the Cyberspace Administration of China.

The Law has also enhanced the obligations to be fulfilled toward data subjects in case of transfer of personal data abroad. Pursuant to Article 39 of the Law, in addition to obtaining consent for transfer processes, the data controller is obliged, in the clarification process, to inform the data subject about the name and contact information of the party to which the personal data is transferred and about the purposes and methods by which the receiving party will process the personal data. In addition, it is stipulated that the receiving party should establish the ways and procedures through which data subjects can exercise their rights.

Data Subject's Rights

In parallel with GDPR, the Law regulates the rights of data subjects such as accessing, copying, modification, confirmation, and deletion of their personal data. In addition, it reserves data subjects' right to withdraw their consent and to restrict and reject automatic decision-making processes.

Another noteworthy issue regarding data subject rights is that data portability is regulated within the scope of the Law, as is the case with GDPR. Where personal data is transferred, upon the data subject's request, to another data controller specified by the data subject, Article 45 of the Law requires that the transfer be ensured in accordance with the conditions determined by the Cybersecurity Administration of China.

Personal Data Impact Assessment

Before the Law, the Personal Data Impact Assessment requirement was implemented through various regulations and guidelines that were not legally binding. With the Law, the Personal Data Impact Assessment has become legally binding in cases where sensitive personal data is processed, personal data is subject to automatic decision-making processes, third parties are appointed for the processing of personal data, personal data is publicly published, or personal data is transferred abroad, and in other scenarios where the data processing activity may have a major impact on the individual.

Data Protection Officer

The Law requires the appointment of a person responsible for the protection of personal data for companies that process data above a certain amount, similar to the position of Data Protection Officer, which is stipulated to be appointed under various conditions in GDPR.

Restrictive Requirements

Some additional requirements that internet and technology-related companies must comply with are regulated in the Law, and the obligations imposed on internet platform providers within the scope of Article 58 are as follows:

  • Initiation and maintenance of a personal data protection compliance program and establishment of an independent organization composed mainly of external members to audit the protection of personal data
  • Establishing platform rules for the protection of personal data based on the principles of openness, equity, and fairness
  • Stopping the provision of services to platforms that violate laws and administrative regulations in terms of protection of personal data

In addition, fulfilling the obligation to ensure the transparency, fairness, and impartiality of the results of automatic decision-making mechanisms and preventing differential treatment based on this is one of the important obligations imposed on companies by the Law.

Data Processor

Within the scope of the Law, it is regulated that data processors should take the necessary measures to ensure the security of personal data and assist the data controller in fulfilling its obligations.

Processing of Children's Personal Data

Within the scope of the Law, the personal information of persons under the age of 14 is classified as sensitive personal data on the grounds that they are children, and in this context, some additional obligations have been imposed on data controllers who process children's personal data. While this application was previously carried out through the Regulation on the Cyber Protection of Children's Personal Information, this issue has been rearranged through the Law.

The Burden of Proof of Data Controller

In accordance with Article 69 of the Law, a presumption of responsibility has been created for the data controller. Pursuant to this presumption, if the rights and interests of individuals are violated during the processing of personal data, the data controller is obliged to prove that they are not at fault. In cases where faultlessness cannot be proven, the data controller will be liable for damage and compensation under the Law. In this context, data controllers are obliged to keep evidence proving that they have taken appropriate measures regarding personal data.

Fines

With the Law, fines, which were capped at 1 million RMB (approximately $149,000) under the CSL, are determined as 50 million RMB (approximately $7,456,000) or 5% of the company's turnover in the previous year, and will be determined according to the nature of the personal data breach. In addition, the competent authorities have been given the right to revoke the company's license in case of a data breach.

Furthermore, various penalties have been prescribed by the Law for those directly responsible for the data breach. In this context, the competent authorities are authorized to impose fines of RMB 1 million (approximately $149,000) on these individuals. Besides the penalties, competent authorities can impose restrictions that prohibit individuals from working as directors, auditors, senior managers, or data protection officers under the Law.
