China’s Personal Information Protection Law – How does it affect your business?

31 March, 2022

One of the most significant events in the area of data management in China in 2021 was that the Chinese Personal Information Protection Law (PIPL) took effect on November 1. As the first comprehensive privacy law in China, the PIPL will inevitably transform the business landscape in the People’s Republic. This article summarizes the law’s key contents.

Who is bound by the PIPL?

The law applies to any processing of personal information that takes place in the territory of China, regardless of the jurisdiction of the data processor or data subjects. Similar to the European Union’s General Data Protection Regulation (GDPR), the PIPL also has extraterritorial effect in any of the following circumstances:

  • if the data processor is providing a product or service to individuals located within China;
  • if the data processor is analyzing or assessing the behaviors of individuals located within China; and/or 
  • in other circumstances as stipulated by laws or administrative regulations.

The PIPL establishes legal bases for processing personal data

The PIPL lays down seven legal bases for processing personal information. Data processing is lawful if:

  • the data subject has given his or her consent, which must be provided separately in certain scenarios;
  • it is necessary for the conclusion or performance of a contract, or necessary for carrying out HR management under an employment policy or collective contracts;
  • it is necessary for performing statutory duties or obligations;
  • it is necessary for responding to a public health emergency, or for protecting the life, health or property safety of a natural person in case of emergencies;
  • it is used for news reporting or public interest purposes;
  • it takes place in cases in which the personal information has been disclosed by the individual or has otherwise been legally disclosed; or
  • it takes place in other circumstances as stipulated by laws or administrative regulations.

Requirements for cross-border transfer of personal information

Under the PIPL, data processors may provide personal information to a recipient outside China for business reasons after satisfying at least one of the following conditions:

  • a security assessment organized by the authority has been passed;
  • a certification of personal information protection has been conducted by a professional institution;
  • a contract has been concluded with the overseas recipient based on the standard contract provided by the national cyberspace authority, specifying the rights and obligations of both parties.

In addition, critical information infrastructure (CII) operators are required to store within China the personal information collected or generated by them in domestic business operations. Non-CII operators are subject to the same data localization requirements if the processed personal information reaches the threshold amount of personal information prescribed by the national cyberspace authority. 

Obligations of data processors

The PIPL imposes a number of obligations on data processors, including:

  • The relevant data processors are required to appoint a data protection officer (DPO) to supervise the data processing and oversee the protection measures if the processed personal information reaches the prescribed threshold. 
  • Foreign companies without a business presence in China will need to set up a special agency or appoint a representative in China to deal with data protection matters, if the data processing outside of China is subject to the PIPL.
  • A personal information protection impact assessment is necessary to process sensitive personal information, to use personal information in automated decision-making, to subcontract the data processing and to transfer personal information out of China, etc. The data processor must also keep a record of such assessments.

High penalties loom

Any person with direct responsibility faces a fine of up to RMB 1 million and may also be banned from serving as a director, supervisor, senior officer or personal information protection officer at the relevant company for a certain period of time.

Companies should consider the following suggestions as they review their activities for compliance with the PIPL:

  • review the organization’s personal information processing activities to assess the life cycle of personal information;
  • carry out risk assessments for personal information processing activities to identify potential risks, determine risk levels, and prioritize remedial actions;
  • review and evaluate the current data processing activities, and develop a compliance mechanism and rectification plans; and
  • organize the implementation of compliance and rectification plans by reviewing and updating the relevant documentation.

Contact us

Thomas Heck

Partner, PwC USA Business Group Leader & China Business Group, PwC United States

Tel: +49 175 9365782

Dr. Katja Banik

Head of Editorial, PwC Germany

Tel: +49 151 14262429
