Navigating China Episode 20: PIPL has finally arrived, bringing helpful clarification (rather than substantial change) to China’s data privacy framework

In good news for organisations handling personal information, China’s Personal Information Protection Law (“PIPL”) was finalised on 20 August 2021, and will come into force on 1 November 2021.

Rather than bringing substantial changes to the existing China data privacy framework, the PIPL helpfully consolidates and clarifies obligations on processing of personal information at a national law level. However, as with all China laws, the PIPL is drafted as high level principles, and we anticipate additional guidelines will be published in the coming months outlining the practical compliance steps organisations will need to take when updating their China data protection compliance programmes.

To be clear, this is not China’s own GDPR. Instead the PIPL is a robust data privacy framework designed to safeguard individuals’ personal data against abuse, but at the same time to reflect cultural and business attitudes to data in China, as well as new technologies (including advances in AI, biometrics and data analytics), and to enable flows of personal data. While some of the principles may appear similar to compliance obligations under GDPR and data laws elsewhere in Asia – and notwithstanding that the Chinese authorities studied data protection laws from around the world when drafting the PIPL, and that the PIPL reiterates China’s desire to be at the forefront of international discussions on data privacy regulatory frameworks – in practice the PIPL compliance obligations are likely to be interpreted and enforced differently. Therefore, a localised (or regional) compliance programme is strongly recommended, and indeed will enable organisations to seize opportunities to do more with their China data (within a compliant framework).

We have summarised the key compliance obligations under the PIPL below, with new obligations in bold for ease of reference:

Relevant Laws/Regulations

The PIPL becomes the primary, national-level law governing processing of personal information, but does not replace the existing data privacy framework. Therefore, as well as the PIPL, organisations must also consider (inter alia):

  • Cybersecurity Law
  • Data Security Law
  • Personal Information Security Specification (“PIS Specification”)
  • E-Commerce Law
  • Consumer Protection Law
  • Civil Code
  • regulations, measures, guidelines made under each of the above
  • industry regulations for regulated sectors (such as financial services, insurance, healthcare, e-commerce and marketing administration)
  • public sector information management rules
  • app and livestreaming compliance regulations
  • local laws and regulations (e.g. the recently published Shenzhen Data Regulation)
Applicability of PIPL and Extra-Territorial Effect
  • The PIPL has extra-territorial effect, and applies both to:
    • data processing activities within Mainland China; and
    • processing of Mainland China residents’ data outside of Mainland China:

      (a) for the purposes of providing products or services to China residents;
      (b) for analytics or evaluation of behavior of China residents; or
      (c) for any other reasons as required by law or regulations.

  • The PIPL applies to both the public and private sectors.
Definition of Personal information and Sensitive Personal information
  • “Personal information” means any kind of information relating to an identified or identifiable natural person, either electronically or otherwise recorded, but excluding information that has been anonymised. (This latter part is particularly helpful, as anonymisation has not until relatively recently been universally recognized in China).
  • “Sensitive personal information” means personal information that, once leaked or illegally used, will easily lead to infringement of human dignity or harm to the personal or property safety of a natural person, including (but not limited to): (i) biometric data; (ii) religion; (iii) specific social status; (iv) medical health information; (v) financial accounts; (vi) tracking/location information; and (vii) minors’ data (aged under 14).
Fair Processing; Notice and Consent
  • Processing must be fair (a principle of “good faith” or “sincerity” is included in the PIPL).
  • In this regard, notified consent remains the primary (if not sole) basis for processing of personal information.
  • Requirements for privacy notices remain as per the existing framework (in terms of content requirements, form and format, transparency, ease of understanding etc.).
  • Express, informed consent must generally be obtained from data subjects for all processing of personal information.   
  • The PIPL sets out limited consent exemptions, including (inter alia) in connection with some employee data handling or emergencies, but in practice we doubt organisations will rely on them.
  • In addition, separate, explicit consent must be obtained for the following activities:

    (a) processing sensitive personal information;
    (b) overseas transfers;
    (c) public disclosure of personal information;
    (d) to provide data to another data controller for processing; and
    (e) use of image or identification data collected in public through image or identification devices for any purposes other than maintaining public security. (This aligns with other recent guidance putting clearer parameters around use of biometric data in China).

It remains unclear what “separate” consent means in practice, and we await further guidance on this. For now, it appears to suggest organisations should avoid bundled or forced consent to such activities, especially on app interfaces.

Purposes/Restrictions on Use
  • Collection and processing of data must be directly related to the purpose of processing specified in the privacy notice.
  • Excessive data collection must be avoided. Interestingly the provisions of the PIPL around data minimisation appear to be targeted at apps and big data analytics. Additional restrictions are placed on use of biometric data collected in public places. 
  • There are prohibitions on illegal collection, use, processing, sale, disclosure and transfer of personal information.
Disclosure of Personal Information
  • The existing position remains, whereby transfers of personal information to data processors or joint/independent data controllers require a contract to be put in place covering key (specified) measures designed to safeguard the data to equivalent PIPL standards. In practice, this means initial due diligence, sufficient contractual protections and ongoing monitoring etc.
  • The PIPL also anticipates that a new publicly-available entity list may be published, listing foreign organisations to whom local China organisations may not transfer personal information, where such transfer may harm national security or public interest.
Overseas Transfers/Data Localisation
  • Data controllers may only transfer or access personal information outside of Mainland China if:

    (a) one of the following criteria is fulfilled:

      • the organisation has passed a CAC security evaluation;
      • the organisation has obtained certification from a CAC-accredited agency;
      • the organisation has put in place CAC standard contractual clauses (not yet published) with the data recipient; or
      • for compliance with laws and regulations or other requirements imposed by the CAC;

    (b) they have adopted necessary measures to ensure the data recipient’s data processing activities comply with standards comparable to those set out in the PIPL. In practice this means initial due diligence, sufficient contractual protections and ongoing monitoring etc.;

    (c) notice and separate, explicit consent has been given/obtained (see above); and

    (d) a PIIA has been undertaken (see below).

The PIPL does not include a specific requirement to keep copies of personal information in China, but the regulators’ expectations in this regard may remain.

  •  However, certain personal information (and non-personal data) must still remain in (and cannot be accessed outside of) Mainland China. This includes (this is not an exhaustive list):

    (a) personal information processed by critical information infrastructure operators (“CIIOs”), unless a CAC-conducted security assessment has been completed;
    (b) personal information processed by data controllers above a threshold/volume to be identified by the CAC (not yet published), unless a CAC-conducted security assessment has been completed;
    (c) certain data under industry-specific regulations; and
    (d) certain restricted data categories (such as “state secrets”, some “important data”, geolocation and online mapping data etc.).

Government Access to/Disclosure of Personal Information
  • Data controllers must not provide personal information stored within China to overseas legal or enforcement authorities unless approval is obtained from a designated Chinese authority. This aligns with a similar provision in the new Data Security Law. It remains unclear whether this extends to, say, requests from overseas industry regulators.

  • Chinese authorities may provide personal information stored within China to overseas legal or enforcement authorities upon request, if and to the extent that there are international treaties or regulations in place to maintain fairness and for mutual benefit.
Security and Confidentiality
  • Personal information must be kept confidential, and security measures must be deployed, as prescribed by the Cybersecurity Law and the Data Security Law and their underlying measures, guidelines and technical standards.

  • Additional safeguards must be applied for sensitive personal information and processing by CIIOs.

  • The PIPL includes a specific obligation on data controllers to adopt corresponding encryption or deidentification technologies, and to adopt access controls and training.
Additional Obligations: IIPPs; Large Volume Data Controllers; and/or Complex Businesses

Organisations that fall into one of the following categories (not yet defined):

  • “important internet platform providers”;
  • data controllers processing data of a “large volume of users”; or
  • “complex businesses”,

    must comply with additional measures when processing personal information, namely:

    (a) set up personal information protection compliance mechanisms;
    (b) set up external independent data protection organisations to supervise data protection mechanisms;
    (c) establish platform regulations;
    (d) establish and publish processing obligations and processing rules that regulate products and service providers in an open and fair manner;
    (e) stop the provision of products or service providers if they violate the law or regulations as regards processing of personal information; and
    (f) publish from time to time social responsibility reports as regards processing of personal information.

Other data controller obligations
  • Controllers of minors’ data: those organisations processing minors’ personal information must establish specific information processing regulations. This appears to align with existing obligations under the existing minors’ data regulations.

  • Accuracy: the usual principle of ensuring personal information is accurate and up to date applies.
  • Retention: the existing principle remains, of not retaining personal information for longer than is needed for the purpose(s) for which the personal data is collected, unless required or permitted by applicable law. Once no longer needed, the data should be de-identified or deleted/destroyed.
  • Automated-decision making and profiling:
    • Analytics or evaluation based on computer programme around behaviour, interests, hobbies, credit information, health or decision making activities, must be transparent, open and fair, and should not apply any differential treatment between individuals.

    • Any push information or business marketing should not be directed to an individual’s character and should provide individuals with a convenient way to opt out.
Incident management and notification
  • Organisations must implement and test a data incident contingency plan. This aligns with the new Data Security Law.
  • Immediate remedial action must be taken in the event of any suspected or actual data disclosure, loss or tampering.
  • Immediate notification: (i) internally, to the DPO; and (ii) externally, to the regulator (the PIPL refers to the CAC establishing (local) “personal information protection departments” (“PIPD”) for such purposes, but this is yet to be confirmed) is required, and should include:

    (a) affected data categories;
    (b) reasons for the incident, and potential consequences;
    (c) remedial measures, and mechanisms required by data controller to minimise impact; and
    (d) contact information for data controller.

  • If the data controller can effectively avoid the disclosure, loss or tampering of data, there is no need to notify data subjects. Otherwise data subjects may also need to be notified under other laws and regulations within the data protection framework. Further, if the PIPD believes it may cause impact to individuals, they may request that the data controller notifies individuals.
Data subject rights
  • The PIPL clarifies that these are:
    • Right to access and copy of data.
    • Right to transfer. This appears to be a right to data portability (as per the PIS Specification), although no specific details have been provided at this stage.
    • Right to correct or supplement.
    • Right to deletion in certain circumstances.
    • Right to limit or withdraw consent.
    • Right to request details of processing (including for automated decision making, with the right to refuse such decisions) and of handling rules.
    • Rights to access, copy, correct or delete the personal information of a deceased person can be exercised by a close relative for their legitimate and proper interests.

Data subjects also have rights to: (i) complain and (ii) deregister accounts under the PIS Specification. 

  • Responses must be in a timely manner (with reference to timescales in the PIS Specification). The PIPL clarifies situations where data controllers can refuse to comply with certain data subject rights, and on how to respond to/reject data subject requests.

  •  Data subjects may bring civil action against a data controller refusing to honour their data subject rights.   
Governance obligations
  • Data protection officer (“DPO”):
    • A data controller should appoint a DPO if it processes personal information over a certain volume (as specified by the CAC).
    • Details of the DPO should be published, and registered with the data protection authority.
    • Data controllers based outside of Mainland China but processing China personal information should establish a specific organisation or representative within China and report such representative’s details to the data protection authority.

  • Internal governance policies and procedures: organisations must establish internal management regulations or standards.
  • Data classification and management mechanisms: organisations must implement data classification and management mechanisms. This appears to align with the new tiered data classification obligations under the Data Security Law.
  • Compliance audits: these must be undertaken regularly.
  • Training: organisations must provide data privacy training.
  • Personal information impact assessments (“PIIA”):
    • PIIAs must be undertaken in situations including (inter alia):

      (a) processing of sensitive personal information;
      (b) conducting automated decision-making processing activities;
      (c) appointing a data processor to process data;
      (d) providing personal information to other data controllers;
      (e) disclosing personal information to the public;
      (f) overseas data transfers;
      (g) conducting processing activities that may have a significant impact to an individual’s interest.

    •  PIIA should include an assessment on:

      (a) whether purpose of use and means of processing is legitimate, proper and necessary;
      (b) impact and risks to individuals’ interests; and
      (c) applicability of protection measures, and risk appetite.

    • All PIIA and processing records should be kept for at least three years.

  • Record-keeping: while record-keeping obligations are contained in other existing laws and regulations comprising China’s data privacy framework, the PIPL does not specifically include obligations to maintain ROPAs etc. However, the PIIA section of the PIPL does contain a reference to keeping “all PIIA and processing records” for at least three years. It is unclear if that refers to records of all processing activities, or just those referenced in the PIIAs.
Data Processors
  • The PIPL specifies that any organisation that is appointed as a data processor must act in accordance with the PIPL. It is unclear if this broad statement effectively brings direct liability of data processors to comply with all of the PIPL, or if this is a broad statement of principle referring to contractual (indirect) obligations to comply;
  • In addition, the PIPL specifically requires data processors to:
    • adopt necessary data security measures to protect the safety of personal information;
    • assist data controllers to comply with obligations of this PIPL;
    • process data only as requested by data controller unless with consent;
    • return or delete data upon completion of the data processing; and
    • have in place a contract with the data controller.
Regulators

It is now clear that the CAC has primary responsibility for data protection, including breach notification. However, the PSB and industry-regulators will still have a role in both management and enforcement of data protection; and the TC260 technical committee will continue to have delegated responsibility to publish technical standards.

Sanctions

The PIPL provides a range of sanctions, including (inter alia):

  • enforcement notices and warnings;
  • administrative fines of up to (for the most serious offences) 5% of the previous year’s annual revenue (unclear if local or global revenue) or up to RMB50 million, and confiscation of unlawful income (note the PIPL imposes much higher fines than under other existing data privacy regulations);
  • cessation of processing;
  • suspension of apps and/or services;
  • suspension of business;
  • suspension of management/officials’ roles;
  • criminal sanctions (for certain offences, and under relevant criminal laws);
  • civil claims;
  • social credit score or equivalent business credit files may be affected.

While the PIPL has now introduced higher fines, we anticipate that in practice the operational and contractual risks faced by organisations not complying with China’s data privacy framework – alongside increasing reputational risks – remain very significant and should be managed very carefully.

Critical Information Infrastructure Operators: the Chinese authorities have now also helpfully published the Regulations on the Security and Protection of Critical Information Infrastructure. These confirm that organisations will be notified by the relevant industry regulators if they are deemed to be CIIOs. These relevant industry regulators will be identified in due course by the CAC. The first industry to publish their own guidance on this is the automotive industry, identifying CIIOs within the automotive industry.  

For further information about how your organisation should respond to the PIPL, please contact Carolyn Bigg or Venus Cheung.