Great Wall of China

What is it and why should I care?

 China’s privacy law, the Personal Information Protection Law (PIPL), goes into effect on 1 November 2021[1] and is going to change the way that companies handle the personal information of individuals inside of China. This is the first comprehensive Chinese data privacy law, but it is part of an enhanced privacy and security regime that China appears ready to aggressively enforce. The law has multiple purposes, but a key driver is certainly China’s desire to deter online fraud, data theft, and intrusive data collection by its own domestic technology companies. Essentially free, unregulated data allowed companies to grow and innovate quickly; however, rampant fraud, consumer discrimination, and other abuses have led the government to implement a series of laws to tighten control over these practices. In addition to curbing such abuses, the Chinese government is also making a place for itself as a leader in international data privacy

 

The PIPL comes on the heels of the Chinese Data Security Law (DSL) (effective 1 September 2021), both of which are joining the Cybersecurity Law (effective 1 June 2017) to create a unified data protection regime for the nation that, according to some estimates, houses 40% of worldwide data. All three laws are geared toward cybersecurity protections in various ways. The Cybersecurity Law’s goals are to secure the cyberspace sovereignty, national security, and public interests of the People’s Republic of China, while the Data Security Law aims to focus on data processing activities, data development, and data utilization.

The PIPL is different in that its main focus is to protect the rights and interests of individuals in their personal information (PI), regulate PI processing activities, and promote the “rational” or “reasonable and fair” use of PI. Regarding geographic scope, the Cybersecurity Law focuses on network creation, operation, and maintenance inside of China, while the DSL focuses on processing activities carried out both inside and outside of China. In this way, the PIPL is more like the DSL in that it too has extraterritorial reach in certain situations, though the PIPL is more narrowly focused on PI while the DSL addresses all electronic information.

The PIPL addresses individual privacy by imposing substantial limitations on how personal information can be collected, used, stored, and otherwise processed by private companies . What it is unlikely to do is to directly limit the surveillance activities of the Chinese government. There will likely be a trickle down effect, however—private companies will reduce data collection and processing to comply, and the government traditionally relies on being able to access information held by private companies. The regime has preserved a “government-sized loophole” in Article 63, where PIPL states, that when supervisory government agencies act to “fulfill their duties and responsibilities according to the law, concerned parties shall provide assistance and cooperation, and they may not obstruct or impede them.”[2]

Key Definitions 

In order to understand the PIPL, a few key definitions are important.

Personal Information (PI) under the PIPL is “all kinds of information, recorded by electronic or other means, related to identified or identifiable natural persons, not including information after anonymization handling.”[3] By including not only identified but “identifiable” individuals in this definition, China has, like other jurisdictions passing sweeping privacy legislation, greatly expanded the potential reach of the data that is covered by this law.

A Personal Information Handler (PI Handler) is an organization or individual that, “in personal information handling activities, autonomously decide[s] handling purposes.” Because the PI Handler is the decisionmaker when it comes to the processing of PI, the Handler is what would be referred to as the controller in other jurisdictions. “Handling” itself is what other jurisdictions commonly refer to as “processing.” Any collection, storage, use, transmission, provision, disclosure,deletions, or other processing is included in the definition.[4]

Territorial Scope

The PIPL applies to the handling of all personal information about natural persons when the handling is done in China, but, like the privacy laws in Europe, Brazil, California, and other emerging US jurisdictions, the PIPL extends its reach beyond China’s borders. PIPL also applies when the PI of individuals in China is processed:

  1. To provide goods or services to individuals in China,
  2. To analyze the activities or assess the behaviors of individuals in China, or
  3. For other purposes to be specified by laws and regulations.

A key question is whether handling the PI of Chinese representatives of businesses by PI Handlers outside of China in order to do business with Chinese companies falls under the reach of the law. Some argue that these business-to-business relationships fall outside of the PIPL. When a company in the UK negotiates the purchase of goods from a Chinese company, it is not “providing a good or service” to someone in China. Rather, it is procuring a good or service from China. Similarly, if a company in the UK is selling a good or service to a business in China, is the PI of the employee in China that engages in the purchase protected, or, since the sale was to the business, not the individual, is it outside of the PIPL?

By way of example: USA Company is making widgets for sale in the United States and Canada. They contract with China Company to manufacture a chip used in the widgets. USA Company’s Supply Chain Director collects the email addresses and phone numbers of multiple China Company employees in order to both place and ensure timely fulfillment of the order. USA Company is not providing a good or service to persons in China, and they are not analyzing the behavior of persons in China. But is that reading drawing it too finely?

There is no definitive answer to these questions at this time. However, because the PIPL is, in many ways, based on the European Union’s General Data Protection Regulation (GDPR), it may be helpful to turn to the corresponding language in the GDPR for assistance in determining its scope.

 

GDPR (Article 3) PIPL (Article 3)
(1)   This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.

(2)   This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:

(a)   The offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or

(b)   the monitoring of their behaviour as far as their behaviour takes place within the Union….

 

This Law applies to the activities of handling the personal information of natural persons within the borders of the People’s Republic of China.

 

Where one of the following circumstances is present in handling activities outside the borders of the People’s Republic of China of personal information of natural persons within the borders of the People’s Republic of China, this Law applies as well:

  1. Where the purpose is to provide products or services to natural persons inside the borders;
  2. Where analyzing or assessing activities of natural persons inside the borders;
  3. Other circumstances provided in laws or administrative regulations.

 

 

Both regulations establish that, for processing of the PI of data subjects that occurs outside of the jurisdiction, the activities fall under the scope of the regulation if the purpose of the processing is to offer/provide goods or services to the individuals or monitor, analyze, or assess the behavior of the individuals. The drafting is incredibly similar, and the GDPR has universally been interpreted as applying to the contact information of individuals engaging in business-to-business transactions where at least one of the individuals is in the EU.

Given the likelihood that the PIPL intended its scope to resemble that of the GDPR (the GDPR and the experience of its implementation served as a reference for the drafters of PIPL), it is most likely that processing PI of individuals in China who are engaging in business-to-business transactions with organizations outside of China is covered by the PIPL. Under that reading, a business whose sole interaction with the PI of persons inside of China is the handling of the contact information of the Chinese team members who are, for example, selling widgets to the non-Chinese company, is subject to the PIPL.

What is Personal Information (PI) under the PIPL?

Article 4 defines PI as:

All kinds of information, recorded by electronic or other means, related to identified or identifiable natural persons, not including information after anonymization handling. Personal information handling includes personal information collection, storage, use, processing, transmission, provision, disclosure, deletion, etc.

This broad definition of PI is very similar to the GDPR, as well as the definitions found in China’s Cybersecurity Law (2017) and Civil Code (2021) and in Hong Kong’s Personal Data Privacy Ordinance. The Chinese Cybersecurity Law and Civil Code define PI as information recorded by electronic or other means and used alone in or combination with other information to recognize the identity of a natural person but do not address “identifiable” natural persons. By including “identifiable” natural persons, the PIPL will, like the GDPR, touch a very broad set of data. 

Are there Exclusions from What is Included in PI?

In the United States, privacy laws in California, Virginia, and Colorado have excluded employee data from the majority of the restrictions included in their privacy laws. China has not followed that route; instead, it once again follows in the footsteps of the GDPR and specifically includes employee data in the coverage of the PIPL.

Article 13 of PIPL establishes that one of the legal bases for handling PI in China is specifically for human resources management. Specifically, it states that handlers may process data:

[w]here necessary to conclude or fulfill a contract in which the individual is an interested party, or where necessary to conduct human resources management according to lawfully formulated labor rules and structures and lawfully concluded contracts.

Clearly, if human resources management is a lawful basis for processing, employee data is not exempt from coverage under the PIPL.

Further, there is, as yet, no real clarity around what is meant by Article 3’s language that the PIPL applies in “Other circumstances provided in laws or administrative regulations.” It may be that China will issue further regulations, or, alternatively, we will see this language used as a catch-all in order to bring business-to-business actors under the scope of PIPL when it suits China to do so. So, unlike other privacy regimes with clear exemptions, the Chinese law appears drafted to intentionally allow more data to be included in its coverage in the future.

Principles of PIPL

Like the GDPR, the PIPL establishes the principles upon which it is founded, which provide a lens for interpreting the regulation itself. Article 5 of the PIPL states that all PI handling (processing) should be done according to the principles of legality, propriety, necessity, and sincerity. Some of those terms are fairly novel in the privacy space, but, given the background against which China has decided to implement this regulation and the further instruction that handling PI in a way that is “misleading, swindling, or coercive,” is prohibited,[5] helps clarify the goals. An organization’s intent, not only its actions, could potentially bring it out of compliance with the Chinese law if, for example, it is using the data it collects for the purpose of accomplishing fraudulent or otherwise deceptive practices.

In addition to requiring the data handling be for ‘aboveboard’ purposes, the PIPL also mandates openness and transparency in PI handling. Those requirements touch on both notice and scope issues which will be explored in more depth in this piece.[6] Responsibility and security also underlie the PIPL—PI Handlers are required to ensure the quality and correctness of PI in order to protect individuals against the adverse effects of incorrect PI, and they also have to protect PI against threats. These principles all work together to establish a regime in which Data Handlers cannot avoid responsibility (or liability) if they mishandle information or mislead individuals regarding the way their information will be handled.[7]

Enforcement and Penalties

PI Handlers are subject to both civil and potentially criminal liability for violating the PIPL. Article 66 of the PIPL establishes that it can be enforced through lawsuits brought by the People’s Procuratorates, consumer protection organizations (designated by statute), and other organizations China’s Cyberspace Administration (CAC) may designate. Additionally, the law specifically contemplates that some violations may rise to the level of constituting a crime. While it does not clearly lay out a case in which violation of PIPL alone would be a crime, it is likely safe to conclude that a violation in terms of fraud or coercion could be both a violation of PIPL and a crime in its own right.[8]

One of the regulatory actions available to the government is to simply order the PIPL violator to correct the problem. If correction is refused, then a fine of up to 1 million Yuan (approximately $154,000 USD) may be imposed on top of other sanctions. Other potential sanctions include: confiscation of unlawful income (i.e., any income made through violation of the PIPL), provisional suspension or termination of the unlawful program/service/or application. In a departure from other privacy laws, the person or personnel directly responsible for the violation may also be fined individually. Those fines will range between 10,000 and 100,000 Yuan (approximately $1,500 to $15,000 USD).

Some violations may rise to the level of “grave” violations. The PIPL does not specify what might make a violation grave. In the European Union, violations of the underlying principles of the GDPR are the most serious violations that carry the highest penalties. In California, “intentional” violations receive the highest fines. If China follows those examples, it is likely that “grave violations” refer to situations where the number of individuals affected is great, where the information was sensitive, where the violation was repeated or in some other way egregious, or otherwise of greater severity than the more unintentional or inadvertent process, not principle, type of violations.

Where the violation is grave, penalties include ordering the correction of the violation, the confiscation of unlawful income, and fines of up to 50 million Yuan (approximately $7.7 million USD) or 5% of annual revenue. For some businesses, the more concerning potential penalty may not be the fine but the possibility that all related business activities would be suspended, that the cessation of business for rectification might be ordered, and that the company’s administrative or business licenses in China might be canceled.[9]  Additionally, the personnel directly responsible for the violation could be fined between 100,000 and 1 million Yuan (approximately $1,500 to $15,000 USD). Those personnel might also be prohibited from holding certain high-level positions for a period of time.[10]

The government departments overseeing enforcement of the PIPL are authorized to:

  1. Interview concerned parties and investigate circumstances related to PI handling activities;
  2. Consult and reproduce a concerned party’s contracts, records, and receipts as well as other relevant material related to PI handling activities;
  3. Conduct on-site inspections and investigations of suspected unlawful PI handling activities;
  4. Inspect equipment and articles relevant to PI handling activities; and, when there is evidence the equipment or articles are used to engage in illegal PI handling activities, the government departments may seal or confiscate them (following required procedures).[11]

If a foreign PI handler engages in acts that violate the PIPL or harms the national security or public interest of China, that entity may be placed on a list that limits or prohibits their ability to access PI, it may receive a formal warning, or the government may adopt other additional measures to prohibit the provision of PI to the entity.[12]

Handlers’ Duties 

Pi Handlers’ duties under the PIPL are varied. They are responsible to take into consideration the purpose of their handling, the methods used, the categories of PI (for example, whether sensitive information included), the influence the handling could have on individuals’ rights and interests, and potential security risks when deciding how to adopt appropriate measures to fulfill the PIPL.

Specifically, PI Handlers are responsible for adopting, as appropriate, the following measures:

  1. Formulating internal management structures and operating rules;
  2. Implementing categorized management of personal information;
  3. Adopting corresponding technical security measures such as encryption, de-identification,[13] etc.;
  4. Reasonably determining operational limits for personal information handling, and regularly conducting security education and training for employees;
  5. Formulating and organizing the implementation of personal information security incident response plans;
  6. Other measures provided in laws or administrative regulations.[14]

They are also responsible for engaging in regular audits[15] and taking corrective action when security breaches occur.[16] Security breaches are explored in more depth below.

PI Handlers are, when the PIPL is taken in its entirety, responsible to ensure that PI is treated in accordance with all of the principles, purposes, and requirements of the PIPL. They are required to handle PI with openness and transparency, which they do through observing the PIPL’s notice requirements.[17] Other requirements, such as responding to requests for correction or explanation,[18] go toward the principles of both openness, quality, and responsibility.[19] PI Handlers are also responsible for protecting against adverse effects on individuals’ rights and interests resulting from inaccurate or incomplete data.[20]

Depending on the amount of PI Handling occurring, a Handler may be required to appoint a Personal Information Protection Officer (similar to a Data Protection Officer, or DPO, under the GDPR). The PIPL is not clear on when such an appointment will be necessary. It leaves further clarification on that point up to the CAC.[21]

PI Handlers meeting certain requirements are also responsible for appointing a designated representative in China[22] and conducting Personal Information Protection Impact Assessments.[23] These requirements are explored in more depth below.

PI Handlers are also required to ensure the safety of information when they pass it on to other parties, either to a joint PI Handler or to a processor (or “Entrusted Person” in the PIPL’s terminology) for the purpose of further handling the information on behalf of the PI Handler.

Joint PI Handlers

It is possible for there to be joint PI Handlers (i.e., a joint controller situation). If two or more PI Handlers jointly decide on the handling purposes and methods, they have to outline the rights and obligations of each party in an agreement.[24] That agreement between the parties does not impact data subjects’ rights under the PIPL—an individual can still demand that one or all of the joint PI Handlers fulfill the Handler obligations in regards to deletion, correction, explanation, etc. (as further described in the Individual Rights section).[25] If joint PI Handlers harm the rights and interests of an individual in a way that results in damages, the handlers are subject to joint liability.[26]

Entrusted Persons

Under the PIPL, an Entrusted Person is what is referred to as a Processor in some other jurisdictions. When a PI Handler “entrusts” PI to another entity or individual, that entity or individual becomes an “Entrusted Person.” The PI Handler and Entrusted Person must enter an agreement that establishes the purpose of the Entrusted Person’s handling of the PI, the time limit, the handling method, categories of PI to be handled, protection measures, and the rights and duties of both parties to the agreement, such as the PI Handler’s right to supervise the handling activities of the Entrusted Person.[27]

Like processors under the GDPR and similar laws, Entrusted Persons are not allowed to handle the PI for any methods not stated in the agreement with the PI Handler or for the Entrusted Person’s own purposes (if they do handle it for their own purposes, the EP is likely a joint PI Handler and needs to meet all the requirements imposed on a PI Handler).[28] An Entrusted Person is also required to get the agreement of the PI Handler before it can further entrust the PI to another Entrusted Person (i.e., they need approval for the use of a subprocessor).[29] Entrusted Persons have to safeguard the PI they handle and must assist the PI Handler in fulfilling its obligations under the PIPL.[30] They must also return all PI to the PI Handler (or delete it) when the contract ends.[31]

Notice

Notice is an integral requirement of the PIPL. All PI Handlers are required to provide notice before they can process any PI. In order for the Notice to be sufficient under the PIPL, it must explicitly, truthfully, and fully inform individuals in clear and easily understood language.[32] The Notice must include:

  1. The name and contact method of the personal information handler;
  2. The purpose of personal information handling and the handling methods, the categories of handled personal information, and the retention period;
  3. Methods and procedures for individuals to exercise the rights provided in this Law;
  4. Other items that laws or administrative regulations provide shall be notified.

Anytime one of the required pieces of information changes, the PI Handler is required to notify the data subjects of the change. Additionally, if Handlers notify data subjects through formal PI handling rules, those rules should be made public and convenient to read and store.[33] For many companies, this can be accomplished by making their PI handling rules part of the privacy notice they list online and, if they are operating a brick and mortar location, by posting signage directing individuals to the privacy notice online or providing physical copies of the notice at the time that PI is collected. There is a caveat that would allow some data handlers to potentially retain anonymity: If the laws or administrative regulations in place provide that confidentiality is to be preserved or notification is not necessary, a PI Handler would be able to withhold the information required by subpoint 1 above.

Additionally, the PIPL contemplates that there may be emergency circumstances making notification before the PI handling impossible. If the processing without notification is necessary “in order to protect natural persons’ lives, health, and the security of their property, personal information handlers shall notify them after the conclusion of the emergency circumstances.”[34] This exception to prior notice is similar to exceptions seen in the GDPR and California’s CCPA although the addition of allowing for emergency processing to protect the security of property is novel. Under the GDPR, processing data to protect vital interests provides a legal basis for processing data without giving notice (as it does under the PIPL), but only where the individual is incapable of giving consent. These situations are most likely to arise in a healthcare emergency type of situation. The CCPA specifically allows for emergency processing of PI by a government actor without proper notice in situations where the person is at risk of danger, death, or serious injury. The PIPL explicitly goes further than those privacy laws, making clear that property interests are included in those that might justify an exemption to the notice requirement.

Identity Recognition

Notice may not be enough to justify using image collection and recognition equipment in public venues. Such PI Handling is allowed if it is used for public safety and is accompanied by clear signage explaining the purpose and use of the collection.[35] However, PI Handlers are not allowed to use these images for any purpose other than public security (for example, to analyse foot traffic outside of a particular location to help decide the best hours of operation, etc.) unless it obtains the individual consent of each individual whose image is being collected.[36]

Automated Decision-making

Automated decision-making is one of the areas in which PI Handlers face additional regulations under the PIPL in order to ensure that the principles of transparency, fairness, and justice are followed.[37] Automated decision-making is defined by the PIPL as “the activity of using computer programs to automatically analyze or assess personal behaviors, habits, interests, hobbies, financial, health, credit, or other status, and make decisions [based thereupon].”[38]

PI Handlers engaging in this type of decision-making are not allowed to (unreasonably) differentiate between individuals in regard to trade conditions such as price.[39] Ride hailing applications are an excellent example of the type of activity this section of the PIPL is targeting. In China, the world’s largest ridesharing app, Didi, has faced the ire of Chinese authorities over a number of issues including its pricing practices. A number of ride sharing apps have been severely criticized for charging individuals different prices based on algorithms that, among other things, lure newer users with lower prices while showing regular users higher prices.

Under the PIPL, an entity that is conducting push delivery or commercial sales through automated decision-making methods is required to also provide individuals with a “convenient” method to opt out or to not be targeted based on characteristics.[40]

Additionally, when the use of automated decision-making produces decisions with a major influence on the rights and interests of the individual, the individuals have the right to require personal information handlers to explain the matter, and to refuse to let the PI Handler make decisions solely through automated decision-making methods.[41] Some organizations are likely to object to this requirement, seeing an explanation of how their automated decision-making works as a disclosure of intellectual property regarding trade secrets or other confidential information. Determining what is required by “explaining the matter” will assist companies in knowing exactly what they are required to disclose in order to be compliant.

Legal Basis for Processing

Article 13 of the PIPL lays down the requirement that any PI Handler must have an appropriate legal basis for processing any Personal Information. PI Handlers may only handle personal information if one or more of the following circumstances is present:

  1. Where they have obtained individuals’ consent;
  2. Where necessary to conclude or fulfill a contract in which the individual is an interested party, or where necessary to conduct human resources management according to lawfully formulated labor rules and structures and lawfully concluded contracts;
  3. Where necessary to fulfill statutory duties and responsibilities or statutory obligations;
  4. Where necessary to respond to sudden public health incidents or protect natural persons’ lives and health, or the security of their property, under emergency conditions;
  5. Handling personal information within a reasonable scope to implement news reporting, public opinion supervision, and other such activities for the public interest;
  6. When handling personal information disclosed by persons themselves or otherwise already lawfully disclosed, within a reasonable scope in accordance with the provisions of this Law.
  7. Other circumstances provided in laws and administrative regulations.

When handling personal information that has already been disclosed by the individual themself (point 6 above), the PI Handler is only allowed to handle the personal information within a “reasonable scope” and may not handle the PI at all if the individual clearly refuses the PI Handling.[42] It is also illegal to handle previously disclosed PI without obtaining consent if the handling has a major influence on the person’s right and interests.[43]

Consent

Consent receives a fair amount of attention in the PIPL. To qualify as valid consent, it must be given voluntarily through an explicit statement by individuals with full knowledge. If the PI Handler changes the purpose, method, or categories of information being processed, new consent has to be obtained.[44] If consent is the legal basis a PI Handler is relying on, the Handler has to be prepared to stop processing the data if the individual rescinds their consent. The PIPL specifically requires Handlers to provide a process for individuals to rescind consent. While the law does not lay out specific requirements for what that method needs to look like, it does say that the method has to be “convenient.”

Under the GDPR, consent is only considered to be freely given if the individual is informed about their right to withdraw consent and that withdrawal is as easy to perform as giving consent. If, for example, an individual can give consent by checking a box on an online form and entering in certain PI, a similar type of online form should also be available for the withdrawal of consent. While the PIPL is not as specific as the GDPR in requiring that withdrawing consent be as easy as giving consent, it is likely that some reference to the process of initially giving consent will be made when determining whether the process of withdrawing it meets the ‘convenience’ standard of the PIPL.

While consent is generally not required if one of the legal bases in 2–7 above is relied upon, there are some situations in which it will be required, including any time that an organization is handling sensitive personal information or engaging in a cross-border transfer. Those situations will be discussed further below.

Sensitive Information under PIPL

Under the PIPL, sensitive information is defined as “personal information that, once leaked, or illegally used, may easily infringe the dignity of a natural person or cause harm to personal safety and property security [sic], such as biometric identification information, religious beliefs, specially-designated status, medical health information, financial accounts, information on individuals’ whereabouts, as well as personal information of minors under the age of 14.”[45] This definition is, in many ways, more broad than definitions of sensitive information in other data privacy laws.

The GDPR sets forth a specific list of information that qualifies as sensitive, but the PIPL gives a non-exhaustive list accompanied by loose language.” It will certainly be difficult for businesses to determine which information, if leaked, could cause harm to a person’s ‘dignity.’ For example, a customer’s purchase history is generally understood to be PI, but in most situations it would not be considered “sensitive” the way that an individual’s health information would be. However, if a company sells products that might be considered embarrassing in some cultures, would the purchase history then also be considered sensitive because its misuse ‘infringes’ on someone’s dignity?

Once an organization has determined that it is processing sensitive personal information, it will have to take certain measures to process it lawfully. Most importantly, sensitive information can only be processed under the PIPL with consent.[46] That consent must be explicit, and, if the PI is related to minors under the age of 14, the consent must come from the parent or guardian.[47] In addition to the general notice requirements for obtaining consent, individuals must also be informed of the “necessity and influence on [their] rights and interests” in order to process their sensitive PI.[48] PI Handlers can then process the information only for the specific purpose consented to and while following strict security measures. A protection impact assessment must also be conducted in advance before sensitive information can be processed.[49]

Cross-Border Handling

In order to process data that is being transferred from within China to outside of China, which is referred to as cross-border handling, the PIPL requires PI Handlers to ensure that the parties outside China properly protect the PI they receive.[50] That means that, as part of the notice and consent requirements, individuals must be informed that their personal information will be processed outside of China, and they must also be informed as to how to exercise their rights under the PIPL in relation to the foreign handler.[51]

Before engaging in cross-border handling, a company is required to perform a protection impact assessment.[52] Furthermore, if a data handler wants to move PI out of China, it must meet one of the following requirements:

  1. Pass a security assessment organized by China’s Cyberspace Administration (CAC);
  2. Undergo a PI certification by a CAC-accredited professional institution;
  3. Enter into a contract with the overseas recipient  in accordance with a standard contract formulated by CAC;
  4. Meet other conditions as specified in law, administrative regulation, or CAC rules.[53]

Even if an organization plans to engage in cross-border data transfers without relying on standard contracts, it would still need to ensure that the protections of the PIPL are followed when the data is exported, so a Data Processing Agreement would be highly recommended even though the PIPL would not specifically require it in those situations.

Handling Purposes & Data Minimization

In order to handle personal information under the PIPL, a Handler must have a clear and reasonable purpose according to Article 6. The actual processing must be directly related to that purpose and collection of the data limited to the smallest scope possible that still allows the Handler to accomplish its purpose. As part of accomplishing these principles of the PIPL, excessive collection of PI is prohibited and handlers have to use the method of processing that will have the smallest influence on the individuals’ rights and interests. Additionally, personal information retention periods must be the shortest possible time frame needed to accomplish the purpose of the PI Handling.[54] Essentially, the PIPL establishes a data minimization standard.

Security Breaches

Under the PIPL, PI Handlers have duties toward both the Chinese government and the data subjects when there is a security breach. Breaches include any time there is “a personal information leak, distortion, or loss [that] occurs or might have occurred.”[55] PI Handlers are required to adopt remedial measures immediately and notify both the government and the data subjects.

However, in some situations the PI Handler may avoid having to notify the data subjects. If the PI Handlers are able to avoid harm to the individuals by adopting remedial measures, they do not have to notify the individuals. For example, if the breach involves the loss or theft of a laptop that has sensitive PI on it, and the organization is able to remotely wipe the data before it can be accessed, the danger to individuals has likely been avoided and they would not have to be notified.

All security breach notifications are required to include:

  1. The information categories, causes, and possible harms caused by the breach;
  2. The remedial measures taken by the PI Handler;
  3. Measures individuals can take to mitigate the possible harm; and
  4. Contact method for the PI Handler.[56]

Designated Representative

If an organization is located outside of China and is handling the PI of persons inside of China, it will have to set up a special organization or designate a representative inside of China. The designated representative will be responsible for matters related to the organization’s PI handling. The name of that individual/organization and its contact information has to be submitted to Chinese authorities that have the authority to oversee PI protection.[57] This requirement is substantially similar to the GDPR’s representative requirement although China has not set up an exemption for organizations that only engage in occasional or low risk processing activities.

Protection Impact Assessment

There are several situations in which the PIPL requires PI handlers to perform a personal information protection impact assessment (“PIPIA” or, more commonly in other jurisdictions, “PIA”). If at least one of the following circumstances is present, a PIA must be conducted in advance of the handling:

  1. Handling sensitive personal information;
  2. Using personal information to conduct automated decision-making;
  3. Entrusting personal information handling/providing personal information to other personal information handlers (i.e., using processors and subprocessors), or disclosing personal information;
  4. Providing personal information abroad (i.e., engaging in cross-border transfers); and
  5. Other personal information handling activities with a major influence on individuals (for example, impacting an individual’s ability to gain employment).[58]

These situations are similar to those in which a data protection impact assessment must be conducted under the GDPR in the EU. However, while the PIPL specifies that a PIA must be conducted when automated decision-making is involved, it does not go as far as the GDPR which says that a PIA is required anytime a processing activity involves the use of “new technologies.”[59] On the other hand, the PIPL (unlike the GDPR) requires a PIA whenever a PI Handler discloses PI to another entity, including Entrusted Persons (processors, or vendors). PI Handlers should be aware of their duties under this requirement because the PIPL also requires all handlers to regularly engage in audits of their handling activities in relation to legal compliance.[60]

When engaging in PIA’s (the records of which must be preserved for at least 3 years), PI Handlers should include:

  1. Whether or not the PI handling purpose, handling method, etc., are lawful, legitimate, and necessary;
  2. The influence on individuals’ rights and interests,
  3. The security risks; and
  4. Whether protective measures undertaken are legal, effective, and suitable to the degree of risk.

These requirements are similar to, although less detailed than, those requirements seen in the GDPR. The GDPR specifically requires that a PIA include an assessment of the proportionality of the processing activity, while the closest the PIPL comes to that requirement is to make a determination as to whether the protective measures the PI Handler puts in place are “suitable” to the degree of risk. The PIPL also does not envisage seeking individuals’ input as part of the PIA, whereas the GDPR does.[61]

While the PIPL does not include the GDPR’s specific requirement that PI Handlers create a new PIA when there is a change in the risk involved in the handling, it does, in a separate section, require PI Handlers to engage regular audits, and one would assume that, if an audit detected a risk previously unidentified in the PIA, a Chinese departmental authority would expect a new PIA to be created at least when the risk was identified via audit.[62]

Platform Providers

There are also special regulations put in place for PI Handlers that provide internet platform services, have a large number of users, and whose business models are “complex.”[63] These “platform providers” are, in addition to the responsibilities for PI Handlers generally, required to:

  1. Establish and complete personal information protection compliance systems and structures according to State regulations, and establish an independent body composed mainly of outside members to supervise personal information protection circumstances;
  2. Abide by the principles of openness, fairness, and justice; formulate platform rules; and clarify the standards for intra-platform product or service providers’ handling of personal information and their personal information protection duties;
  3. Stop providing services to product or service providers on the platform that seriously violate laws or administrative regulations in handling personal information;
  4. Regularly release personal information protection social responsibility reports, and accept society’s supervision.[64]

These additional regulations clearly target large tech companies and represent China’s expressed goal of creating more barriers to the type of free-for-all PI Handling that has been occurring in the state.

A Note on Foreign Governments

The PIPL prohibits PI handlers from sharing any domestically stored PI with a foreign government without first obtaining the approval of the Chinese government.[65] If a foreign judicial or law enforcement body wants to access PI stored in China, it has to make its request directly to competent authorities in the government of China.

Additionally, if any foreign powers adopt prohibitions or limitations that discriminate against China in PI protection, the PIPL explicitly states that China “may adopt reciprocal measures against said country or region on the basis of actual circumstances.”[66] This specific provision highlights one of the goals of the PIPL—making China one of the world leaders in data protection. This provision makes clear that China plans to be vocal in the area of privacy protection and that, if any other jurisdiction attempts to make it more difficult for China to do business, it will strike back.

A Note on the Chinese Government

Chapter VI of the PIPL outlines Chinese governmental duties and responsibilities under the PIPL. While the majority of the PIPL does not constrict government activities, this Chapter does place some restrictions on the government, largely geared toward deterring corruption and encouraging reporting. The Cyberspace Administration of China (CAC) is given responsibility for the central planning and management of the privacy regulations, and State Council departments are responsible for the more on-the-ground activities of providing for personal information protection, supervision, and management, part of which includes overseeing county-level departments in carrying out the work.[67]

The personal information and protection duties of all of these departments that report to the CAC include:

  1. Conducting personal information protection propaganda and education, and guiding and supervising personal information handlers’ conduct of personal information protection work;
  2. Accepting and handling personal information protection-related complaints and reports;
  3. Organizing evaluation of the personal information protection situation such as procedures used, and publishing the evaluation results.
  4. Investigating and dealing with unlawful personal information handling activities;
  5. Other duties and responsibilities provided in laws or administrative regulations.[68]

Some actions have been specifically approved as appropriate measures for the enforcement departments to use in fulfilling their responsibilities. Those measures include:

  1. Interviewing relevant parties and investigating circumstances related to personal information handling activities;
  2. Reviewing and copying a concerned party’s contracts, records, and receipts as well as other material related to its personal information handling activities;
  3. Conducting on-site inspection and conducting investigations of suspected unlawful personal information handling activities;
  4. Inspecting equipment and articles relevant to personal information handling activities;
  5. Confiscating or sealing equipment used to engage in illegal personal information handling activities;[69]
  6. Requiring PI Handlers to entrust specialized institutions to conduct compliance audits of their handling activities.[70]

The PIPL also makes it illegal for individuals or organizations to impede the work of a department that is carrying out its responsibilities under PIPL.[71] Because individuals have the right to file complaints with the departments regarding unlawful PI handling, the departments are responsible for publishing methods for contacting them and for acting on the complaints.[72] If the authorized departments determine that there is a high risk in the PI handling activities or security breaches occur, they may require the PI Handlers to adopt certain protective and/or corrective measures.[73] As part of their authority to investigate, the department authorities may speak with an organization’s legal representative or the person who is responsible for complying with the regulatory requirements. If, in the course of an investigation, the authorities determine that there is a likelihood that there is a mishandling of PI that rises to the level of criminal activity, the PIPL instructs them to hand the case over to the criminal authorities.[74]

The CAC, meanwhile, is focused primarily on higher-level planning and enforcement. It is responsible to:

  1. Formulate concrete personal information protection rules and standards;
  2. Formulate specialized personal information protection rules and standards for small-scale personal information handlers and new technologies and new applications for handling sensitive personal information, facial recognition, artificial intelligence, etc.;
  3. Support the research, development, and broad adoption of secure and convenient electronic identity authentication technology, and promote the construction of public online identity authentication services;
  4. Advance the construction of service systems to socialize personal information protection, and support relevant organizations to launch personal information protection evaluation and certification services; and
  5. Perfect personal information protection complaint and reporting work mechanisms.[75]

Individual Rights

Under the PIPL, individuals in China have rights similar to those granted by privacy laws in other jurisdictions. One of the most important rights is the right to make decisions regarding their own PI.[76] (For individuals who are deceased, their next of kin may exercise the individual’s rights under the PIPL unless the individual arranged otherwise before their death.[77]) So that their decisions are informed, individuals have the right to know what is being done with their data, including the right to ask a PI Handler to explain its PI Handling rules.[78] This is an interesting requirement that could be read as going beyond what has been seen in other jurisdictions with similar sweeping privacy laws. Beyond simple notice, a PI Handler could potentially be forced to explain its internal data handling practices not only to a regulator but to individuals themselves.

Additionally, individuals have the right review and obtain a copy of their PI[79] and to limit or refuse the handling of their PI.[80] They can also request that their PI be transferred to another data handler, and PI Handlers are required to provide a means for the transfer.[81]

PI Handlers have a proactive duty to delete PI in the following situations, and individuals can request the deletion if the PI Handler has not fulfilled its deletion duties:

  1. The handling purpose has been achieved, is impossible to achieve, or [the personal information] is no longer necessary to achieve the handling purpose;
  2. Personal information handlers cease the provision of products or services,
  3. The retention period has expired;
  4. The individual rescinds consent (where the handling was based on consent);
  5. The PI was handled in violation of the PIPL or other laws, administrative regulations, or agreements;
  6. Other circumstances provided by laws or administrative regulations.[82]

The PIPL allows PI Handlers to retain some PI despite a deletion request if the retention period has not yet expired or “the deletion is technically hard to realize”—in those limited circumstances, a PI Handler may continue to store and protect the data but must cease other handling processes.[83]

Where their PI  is incorrect or incomplete, Individuals can request its correction or completion of it, and the PI Handlers are required to, after verification, correct the PI in a timely manner.[84] (No explanation is given around what a PI Handler needs to do to “verify” the information.)

PI Handlers have to provide individuals with a “convenient” method for submitting requests regarding their rights. Where PI Handlers deny an individual’s request the Handlers are required to provide the individual with an explanation.[85] Individuals (and organizations) also have the right to file a complaint or report with the authorized departments if they suspect unlawful PI handling;[86] if their PI requests regarding their rights are denied, individuals may file suit in the People’s Court.[87] When departments receive reports of unlawful processing from individuals, they are required to process the reports promptly and notify the complainant of the outcome of the complaint.[88]

In review, Individuals have the following rights:

  1. To know (i.e., notice) and decide regarding the handling of their PI;
  2. To limit or refuse handling;
  3. To consult and copy their PI;
  4. To transfer their PI;
  5. To correct or complete their PI;
  6. To an explanation of a Handlers handling rules;
  7. To deletion of their PI; and
  8. To exercise the rights of a deceased next of kin.

The PIPL does not set specific time limits for PI Handlers to respond to PI requests from individuals. The closest it comes is the repeated instruction that requests should be handled in a “timely manner.” That may be interpreted in many ways. If an organization is already subject to the GDPR in Europe or the CCPA in California it may want to adopt a 30- or 45-day rule that mimics the other jurisdictions. The PIPL also fails to require any specific communication with an individual submitting a rights request other than the notification regarding the final disposition of that request. Other jurisdictions require some sort of notice that the request has been received and is being worked on, so, while the PIPL does not, it would be a best practice to send out that sort of notification in order to assure the individual that the PI Handler is fulfilling its duties.

Summary

China’s PIPL is a broad privacy law that is on par with other privacy laws that have changed the international landscape governing PI collection and processing. One of the stated purposes of the PIPL is to “vigorously participate[] in the formulation of international rules [or norms] for personal information protection, stimulate[] international exchange and cooperation in the area of personal information protection, and promote[] mutual recognition of personal information protection rules [or norms], standards, etc.  with other countries, regions, adn international organizations.”[89] While this law does not bring Chinese law into line with other jurisdictions in such a way as to allow, for example, the EU to issue an adequacy decision for China, it does set up a national regime of privacy protection that grants rights to individuals. That is a significant change and directly impacts approximately 18% of the world’s population.

SixFifty can help!

Get the legal documents you need for PIPL compliance at sixfifty.com/china

Footnotes

[1] PIPL Article 74.

[2] PIPL Article 63 (emphasis added).

[3] PIPL Article 4. See also Article 73(4): “Anonymization” refers to the process of personal information undergoing handling to make it impossible to distinguish specific natural persons and impossible to restore.

[4] PIPL Article 4.

[5] PIPL Article 5

[6] PIPL Article 7

[7] PIPL see Articles 8-9

[8] PIPL Article 71

[9] PIPL Article 66

[10] Id.

[11] PIPL Article 63.

[12] PIPL Article 42.

[13] Article 73(3) defines de-identification as “the process of personal information undergoing handling to ensure it is impossible to identify specific natural persons without the support of additional information.”

[14] PIPL Article 51.

[15] PIPL Article 54.

[16] PIPL Article 57.

[17] PIPL Articles 7 & 17 and the Notice section below.

[18] See the Individual Rights section below for a full description of requests individuals are given the right to submit.

[19] PIPL Articles 8 & 9.

[20] PIPL Article 8.

[21] PIPL Article 52.

[22] PIPL Article 53.

[23] PIPL Article 55.

[24] PIPL Article 20.

[25] Id.

[26] Id.

[27] PIPL Article 21.

[28] PIPL Article 21.

[29] Id.

[30] PIPL Article 59.

[31] PIPL Article 21.

[32] PIPL Article 17.

[33] Id.

[34] PIPL Article 18

[35] PIPL Article 26.

[36] Id.

[37] PIPL Article 24.

[38] PIPL Article 73(2).

[39] PIPL Article 24.

[40] PIPL Article 24.

[41] Id.

[42] PIPL Article 27.

[43] Id.

[44] PIPL Article 14.

[45] PIPL Article 48.

[46] PIPL Article 29. Additionally, laws or regulations may require that, in some situations, that consent be written.

[47] PIPL Article 31.

[48] PIPL Article 30.

[49] PIPL Article 55.

[50] PIPL Article 38.

[51] PIPL Article 39.

[52] PIPL Article 55.4. See Protection Impact Assessment, infra.

[53] PIPL Article 38.

[54] PIPL Article 19.

[55] PIPL Article 57.

[56] Id.

[57] PIPL Article 53.

[58] PIPL Article 55.

[59] GDPR Article 35.

[60] PIPL Article 54.

[61] Where appropriate, the controller shall seek the views of data subjects or their representatives on the intended processing, without prejudice to the protection of commercial or public interests or the security of processing operations. GDPR Article 35(9).

[62] See PIPL Article 54.

[63] PIPL Article 58.

[64] PIPL Article 58. (Note: The ambiguous phrase “accept society’s supervision” is neither defined nor further explained in the PIPL.)

[65] PIPL Article 41.

[66] PIPL Article 43.

[67] PIPL Article 60.

[68] PIPL Article 61.

[69] PIPL Article 63.

[70] PIPL Article 64.

[71] PIPL Article 63.

[72] PIPL Article 65.

[73] PIPL Article 64.

[74] PIPL Article 64.

[75] PIPL Article 62.

[76] PIPL Article 44.

[77] PIPL Article 49. This is a departure from the GDPR, in which individual’s PI rights die with them. See PIPL Article 49 and GDPR Recital 27.

[78] PIPL Article 48.

[79] PIPL Article 45. In addition, PI Handlers are required to make the information available to individuals in a timely manner. Id.

[80] Unless laws or administrative regulations stipulate otherwise. PIPL Article 44.

[81] PIPL Article 45.

[82] PIPL Article 47.

[83] Id.

[84] PIPL Article 46.

[85] PIPL Article 50.

[86] PIPL Article 65.

[87] PIPL Article 50.

[88] PIPL Article 65.

[89] PIPL Article 12