The Personal Information Protection Law (PIPL) is China’s first comprehensive law dedicated to the protection of personal information. It follows a trend seen in other jurisdictions where personal information is protected by statute (for example, the GDPR in Europe).
If your company handles any personal information of individuals in China (it does not matter whether it belongs to your employees, your salespeople, or your customers), you need to start evaluating your situation to become compliant.
This article gives you an overview of the rules that will soon come into effect and that will change how both local and foreign companies manage data in China:
- An overview of the new China’s Personal Information Protection Law
- If companies have already invested in compliance with GDPR, will the Chinese law require additional measures?
- What is the punishment if companies violate the law?
An overview of the new China’s Personal Information Protection Law
On August 20, 2021, China passed the Personal Information Protection Law (PIPL). The new regulation will come into effect on November 1, 2021, giving businesses a little over two months to prepare.
After the First Draft was published for comment in October 2020 and the Second Draft in April 2021, the PIPL attracted a lot of attention as a fundamental law comparable to the European Union’s General Data Protection Regulation (GDPR).
But what are the principal regulations that will affect companies?
First of all, we want to clarify the scope (Art. 3): the law applies to the handling of personal information of natural persons within the borders of the People’s Republic of China. It also applies to handling that takes place outside China if its purpose is to provide products or services to people inside China, or to analyze or assess the behavior of individuals in China.
What is personal information?
Personal information refers to any information on identified or identifiable natural persons that have been recorded by electronic or other means, excluding information that has been anonymized.
Personal data handling includes data collection, storage, use, processing, transfer, provision, disclosure, and deletion, amongst other things.
The law goes on to define sensitive information as “personal information that, if leaked or illegally used, could result in discrimination against individuals or grave harm to a person or property security, such as information on race, ethnicity, religious beliefs, individual biometric features, medical health, financial accounts, individual location tracking, and other similar information.”
Based on article 13 of the Personal Information Protection Law, personal information handlers may only handle personal information if one of the following conditions applies:
- Obtaining individuals’ consent;
- Where necessary to conclude or fulfill a contract in which the individual is an interested party, or where necessary to conduct human resources management according to lawfully formulated labor rules and structures and lawfully concluded collective contracts;
- Where necessary to fulfill statutory duties and responsibilities or statutory obligations;
- Where necessary to respond to sudden public health incidents or protect natural persons’ lives and health, or the security of their property, under emergency conditions;
- Handling personal information within a reasonable scope to implement news reporting, public opinion supervision, and other such activities for the public interest;
- Handling, within a reasonable scope and under the provisions of this Law, personal information disclosed by individuals themselves or otherwise already lawfully disclosed;
- Other circumstances are provided in laws and administrative regulations.
The focus is on consent
The consent that individuals give companies to collect and process their data is one of the fundamentals of the new Personal Information Protection Law. The concept is borrowed from the GDPR, and it is worth noticing that consent appears throughout the law, not only as one of the legal bases in article 13.
Based on article 14, where personal information is handled on the basis of individual consent, that consent must be given by the individual voluntarily and explicitly, with full knowledge of the handling. Where the purpose, method, or categories of personal information change, consent must be obtained again.
This matters from a legal point of view, but also from a design and IT point of view: companies will have to build systems that record consent from individuals before collecting and using their data, and that keep that record current.
It also applies to marketing purposes. Individuals must be fully informed of how the company will collect and use their information before their consent counts as valid.
Individuals also have the right to withdraw consent (Art. 15), as they do under the GDPR. In addition, handlers may not refuse to provide products or services because an individual refuses or withdraws consent to the handling of personal information (PI), unless the PI is necessary for the provision of those products or services (Art. 16). This mirrors the GDPR’s “freely given” condition for valid consent.
If you are a company processing children’s personal information under 14 years old, you must obtain consent from the parents.
Special mention for Automated Decision-Making and facial recognition
The Personal Information Protection Law has particular requirements that govern the use of Automated Decision-Making Systems (ADM). The Law defines ADM as “actions that use personal information to evaluate, assess, and decide via computer programs automatically, individual behaviors, and habits, interests, and hobbies, or financial, health, or credit status issues.”.
When using ADM for personal information, entities must guarantee transparency and fairness of the results. For example, suppose ADM is used for marketing purposes, in that case, the entities should give an option to individuals to receive information not based on personal characteristics or offer a convenient method of refusal.
Image collection and personal identity recognition equipment (such as facial recognition) installed in public areas may be used only to safeguard public security, and clear signage must be displayed. Information gathered in this way may not be published or disclosed, or used for other purposes, unless the individual gives separate consent.
Cross-border data transfer
The Chinese law takes a three-fold approach to controlling transfers of personal information out of China:
- From the individual’s perspective, you must obtain separate, informed consent from each individual data subject;
- Before transferring data outside of China you must pass a security assessment organized by the state cybersecurity and informatization department, or obtain certification from a specialized body. Alternatively, you can sign a data transfer agreement with the overseas recipient that follows the standard contract the authority will publish;
- The authority will maintain a list of foreign organizations and individuals that endanger national security, public security, or the rights and interests of Chinese citizens; providing personal information to anyone on that list is restricted or prohibited.
When personal information handlers provide personal information outside of the People’s Republic of China’s borders, they must inform the individual of the foreign receiving party’s name or personal name, contact method, handling purpose, handling methods, and personal information categories, as well as ways or procedures for individuals to exercise their rights under this law.
Individuals have different rights regarding their data and how companies process them.
The Personal Information Protection Law recognizes the following rights for individuals:
- Right to know, decide, refuse, and limit the handling of their personal information by others, unless laws or regulations stipulate otherwise (Art. 44).
- Right to access and copy their personal information in a timely manner, except when the laws and regulations require confidentiality (Art. 45).
- Right to correct or complete inaccurate personal information in a timely manner (Art. 46).
- Right to deletion where (i) the agreed retention period has expired or the handling purpose has been achieved; (ii) the personal information handler ceases the provision of products or services; (iii) the individual rescinds consent; or (iv) the information is handled in violation of laws, regulations, or agreements (Art. 47).
- Right to request handlers explain their handling rules (Art. 48).
- Right to data portability to a designated handler (Art. 45, para. 3). Specific conditions for porting data will be determined by state cybersecurity and information departments.
Personal information handlers’ obligations
With this law, it becomes extremely important how personal information handlers (companies, entities, etc.) collect and use the data.
A company that handles personal information above a volume threshold set by the state cybersecurity and informatization department must appoint a person in charge of personal information protection (the equivalent of a data protection officer) and publish that person’s name and contact details.
Handlers must conduct a personal information protection impact assessment to evaluate if the aims and methods of handling are legal, the impact of such processing on individuals, and whether the security measures in place are appropriate to ensure compliance.
Data handlers must also implement technical security measures such as encryption, de-identification, and other similar measures, as well as establish operational limitations for information handling and undertake regular security education and training for personnel.
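The consent rules above (explicit, per-purpose, withdrawable consent, and the “necessary for the service” carve-out) and the technical measures in this paragraph (de-identification) translate into concrete engineering. The following Python is an added example written for this article; it is not HROne’s code and not a reference implementation endorsed by any authority. The consent ledger, the `NECESSARY` purpose set, and the sample identifiers are all constructed assumptions. The de-identification part also shows why an unkeyed hash of a low-entropy identifier such as a phone number is not de-identification at all: it can be reversed by enumeration, whereas a keyed HMAC cannot be reversed without the key.

```python
"""Added example: per-purpose consent ledger and keyed pseudonymisation.
All names, purposes and sample records are constructed for illustration."""
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


class ConsentError(Exception):
    """Raised when an attempted consent does not meet the explicit-act bar."""


@dataclass
class ConsentRecord:
    subject_id: str
    purpose: str
    notice_version: str          # the privacy notice the subject actually saw
    granted_at: datetime
    withdrawn_at: Optional[datetime] = None


class ConsentLedger:
    """Explicit, per-purpose consent. Withdrawal is recorded, never deleted,
    so the ledger can show what was lawful at any point in time."""

    # Assumed: purposes for which the data is genuinely necessary to deliver
    # the service. Only here may refusal of consent block the service.
    NECESSARY = {"order_fulfilment"}

    def __init__(self):
        self._records = []

    def grant(self, subject_id, purpose, notice_version, explicit=True):
        # Pre-ticked boxes or implied consent are not an explicit statement.
        if not explicit:
            raise ConsentError("consent must be an explicit act by the individual")
        rec = ConsentRecord(subject_id, purpose, notice_version,
                            datetime.now(timezone.utc))
        self._records.append(rec)
        return rec

    def withdraw(self, subject_id, purpose):
        for rec in self._records:
            if (rec.subject_id, rec.purpose) == (subject_id, purpose) \
                    and rec.withdrawn_at is None:
                rec.withdrawn_at = datetime.now(timezone.utc)
                return True
        return False

    def is_permitted(self, subject_id, purpose):
        return any((r.subject_id, r.purpose) == (subject_id, purpose)
                   and r.withdrawn_at is None for r in self._records)

    def may_refuse_service(self, subject_id, purpose):
        """Service may be refused for lack of consent only where the
        processing is necessary for the service itself."""
        return purpose in self.NECESSARY and not self.is_permitted(subject_id, purpose)


class Pseudonymiser:
    """Keyed (HMAC-SHA256) pseudonyms: stable for joins and analytics, but
    not reversible without the secret key, which stays with the handler."""

    def __init__(self, key: bytes):
        if len(key) < 32:
            raise ValueError("use at least 256 bits of key material")
        self._key = key

    def pseudonym(self, identifier: str) -> str:
        norm = identifier.strip().lower()      # canonicalise before hashing
        return hmac.new(self._key, norm.encode(), hashlib.sha256).hexdigest()[:32]


def deidentify(record: dict, ps: Pseudonymiser,
               direct_ids=("name", "phone", "id_card")) -> dict:
    """Replace direct identifiers with keyed pseudonyms; keep other fields."""
    out = dict(record)
    for field in direct_ids:
        if field in out:
            out[field] = ps.pseudonym(out[field])
    return out


def unkeyed_hash(identifier: str) -> str:
    """The anti-pattern: a plain hash of a phone number or ID number."""
    return hashlib.sha256(identifier.encode()).hexdigest()


def recover_from_unkeyed(digest: str, candidates) -> Optional[str]:
    """Reverse an unkeyed hash by enumerating the (small) identifier space.
    A real attacker enumerates every valid phone number; this is the same
    operation on a constructed candidate list."""
    for cand in candidates:
        if unkeyed_hash(cand) == digest:
            return cand
    return None
```

Two design points worth keeping: the ledger answers “was handling for this purpose permitted at the time?” rather than “does a consent row exist?”, and the pseudonymisation key must be stored separately from the de-identified dataset, because anyone holding both can re-identify every record.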
Foreign companies that handle the personal information of individuals in China from outside the country must either set up a dedicated organization in China or appoint a representative in China responsible for personal information protection matters, and report that entity’s contact details to the authorities.
If companies have already invested in compliance with GDPR, will the Chinese law require additional measures?
Yes, there are additional measures to take. The first one is to review the definitions used in your current policies and privacy notices. Although the Chinese law borrows several concepts from international norms, such as the rights to delete, to access, and the so-called portability right, it has significant conceptual differences from the GDPR.
For example, the PIPL does not use the GDPR’s pair of “data controller” and “data processor”. Its central term is the “personal information handler” (often translated as “processor”), which covers any organization or individual that independently decides the purposes and methods of handling; a party that handles data on a handler’s behalf is an “entrusted party”, and the handler remains responsible for it.
So, different from the GDPR, where controller and processor are two distinct roles with their own obligations, in Chinese law the obligations that the GDPR splits between the two fall mainly on the handler.
That is why, if you drafted your policies around the GDPR distinction, you will need to readjust them to the PIPL definitions.
What is the punishment if companies violate the law?
Penalties apply both to the entity that handles the data and to the persons directly responsible. For serious violations, fines can reach 50 million RMB (about 7.7 million USD at the 2021 exchange rate) or up to 5% of the company’s turnover in the previous year.
The persons directly responsible may also be fined up to 1 million RMB (roughly 155,000 USD). Furthermore, they may be prohibited from serving as directors, supervisors, senior managers, or persons in charge of personal information protection for a period of time.
Before fines are imposed, the violator will normally be ordered to correct the illegal activities first. However, during the correction period, the violator’s business may be suspended, and if you collect data through a mobile application, your app may be taken down until the correction is complete.
The new Personal Information Protection Law significantly reduces many of the data abuses that have plagued Chinese consumers for years. In addition, it goes to considerable measures to preserve users’ privacy and control over their personal data.
And we are sure that the Chinese government will strictly implement this law.
Compliance becomes critical for companies to remain on the right side of the law. But having policies in place to treat data will also put you in a good light in the eyes of consumers and your clients.
It will also become essential for companies to choose the right partners in China that deal with data in compliance with the regulations.
Here at HROne, for example, we have always prioritized the protection of data for our company and our clients. For this reason, we obtained ISO/IEC 27001:2013 certification for Information Security Management Systems, certifying that the employees, processes, and IT systems we use at HROne conform with the risk management processes set forth by the International Organization for Standardization (ISO), while also following a systematic approach to managing our clients’ sensitive information.