Personal Information Protection Law of the People's Republic of China

Chinese personal information rights law

Personal Information Protection Law of China

National People's Congress
Long title Personal Information Protection Law of the People's Republic of China
Territorial extent	People's Republic of China excluding China's Special Administrative Regions
Enacted by	13th National People's Congress
Enacted	August 20, 2021
Commenced	November 1, 2021
Related legislation
Cybersecurity Law of the People's Republic of China Data Security Law of the People's Republic of China
Summary
This law is formulated in order to protect the rights and interests of personal information, regulate personal information processing activities, and promote the rational use of personal information.
Keywords
Civil code
Status: In force

The Personal Information Protection Law of the People's Republic of China (Chinese: 中华人民共和国个人信息保护法; pinyin: Zhōnghuá rénmín gònghéguó gèrén xìnxī bǎohù fǎ) referred to as the Personal Information Protection Law or ("PIPL") protecting personal information rights and interests, standardize personal information handling activities, and promote the rational use of personal information. It also addresses the transfer of personal data outside of China.

The PIPL was adopted on August 20, 2021, and is effective November 1, 2021.^[1] It is related to, and builds on top of both China's Cybersecurity Law ("CSL") and China's Data Security Law ("DSL").

A reference English version was published on December 29, 2021.

History

On August 20, 2021, the Standing Committee of the 13th National People's Congress passed the Private Information Protection Law or ("PIPL"). The law, which took effect on November 1, 2021, applies to the activities of handling the personal information of natural persons within the borders of the China.

In comparison to countries in the West, China has developed its privacy laws over time at a slower pace. In recent years, though, China has more actively developed regulations, as the nation is considered a “global cyberforce.” China’s policies differ from Western nations, in that their perception of privacy is different due to historical and cultural reasons.^[2]

Provisions

Scope

The PIPL generally covers all organizations operating in China processing personal information.

Long Arm Jurisdiction

Some provisions also include Long Arm Jurisdiction over data collection and processes of organizations outside of China. These apply when:

The purpose is to provide products or services to natural persons inside the borders;
Analyzing or assessing activities of natural persons inside the borders;
Other circumstances provided in laws or administrative regulations.

This presumably applies to offshore or multi-national companies with Chinese customers in China,^[3] for example Amazon who might be shipping goods to a Chinese buyer, or Apple who may have Chinese users in the American App Store.

All such entities are required to establish a dedicated entity or appoint a representative within China.

Exemptions

There are few exemptions, but one that was added during late drafting provides a non-consent legal basis for handling employee data, though employee consent is still needed for overseas transfer, such as to a global corporate parent.^[4]^[5]

Key Themes

Individual privacy, control and consent are consistent themes throughout the law, which lays down key principles including:

Personal Information - Defining personal information, including sensitive information;
Legal Basis - All data collection must have a legal basis for collection. There are several bases, but unlike in the GDPR, there is no legitimate interests basis;
Consent - A key legal basis is consent, which, unlike in the GDPR, must be obtained for each type of data processing activity, especially for transferring an individual's data overseas. Consent must also be "informed" with various types of notification and required content specified in the law;
Sensitive Data - Some types of personal information is sensitive, and the law provides an open-ended list of examples (unlike the GDPR's specific list of "special categories"), including biometrics, religion, specially-designated status, medical health, financial accounts, and location tracking;
Protecting Children - All personal information of minors under the age of 14 is sensitive, and specific consent is required from parents to process this information. This is much stricter than in the GDPR;
Individual Rights - The PIPL gives individuals several key rights over their information, such as the right to correct, delete, and view or transfer the data collected about them.
Responsibilities - Several articles lay out the various responsibilities of various parties collecting, transferring, and handling personal information;
Government Use of Personal Information - The PIPL includes when and how government agencies can collect and process data on individuals, including for national security, emergency, and other purposes;
Overseas Transfers - Specific restrictions on transfer of personal data outside of China;
Enforcement - Severe penalties for violations.

Definitions

The law defines the following:

Personal Information - Any type of information that identifies or can identify natural persons recorded electronically or by other means, but does not include anonymized information.
Sensitive Personal Information - Personal information that once leaked or illegally used can easily cause natural persons to suffer encroachments on their dignity or harms to their persons or property; including information such as biometrics (including facial recognition), religious faith, particular identities, medical care and health, financial status, and location tracking, as well as the personal information of minors under the age of 14.
Individuals - People whose data is being collected for processed (similar to the GDPR's Data Subject).
Personal Information Handlers: - Organizations or individuals that independently make decisions about the purposes and methods of personal information handling in personal information handling activities.
Entrusted Persons - External entities who Information Handlers entrust to handle personal information, essentially third parties.
Large Processors - Companies that process large amounts of data, as defined in Article 40, including Critical Information Infrastructure Operators ("CIIO") from the China's Critical Infrastructure Regulations.
Handling of Personal Information: Personal information handling includes personal information collection, storage, use, processing, transmission, provision, disclosure, deletion, etc.
Automated Decision-Making: The use of computer programs to automatically analyse, evaluate, and make decisions on personal information on personal behavior habits, hobbies or economic, health, credit status, and so forth.
De-Identification: The process of handling personal information to make it impossible to identify a specific natural person without the help of additional information.
Anonymization: The process in which personal information is handled so that it cannot be used to identify a specific natural person and cannot be restored after being so handled.

Legal Basis

All personal information collection and processing must have one of the following legal bases:^[6]

Individuals’ consent obtained;
Where necessary to conclude or fulfill a contract in which the individual is an interested party, or where necessary to conduct human resources management according to lawfully formulated labor rules and structures and lawfully concluded collective contracts;
Where necessary to fulfill statutory duties and responsibilities or statutory obligations;
Where necessary to respond to sudden public health incidents or protect natural persons’ lives and health, or the security of their property, under emergency conditions;
Handling personal information within a reasonable scope to implement news reporting, public opinion supervision, and other such activities for the public interest;
When handling personal information disclosed by persons themselves or otherwise already lawfully disclosed, within a reasonable scope in accordance with the provisions of this Law.
Other circumstances provided in laws and administrative regulations.

Unlike in the GDPR, there is no legitimate interests basis.^[7] Therefore, most consumers will likely be covered by giving their direct consent (such as for cookies, newsletters, etc.) or by contract fulfillment (such as shipping goods to them or providing services).

Consent

Consent is a major concern of the PIPL and a key legal basis on which handlers can process personal information.

If there is no other legal basis for processing data, handlers must get consent for data collection and processing, and this consent can be revoked by any individual at any time. Handlers are not allowed to refuse to provide products or services if an individual withholds or withdraws their consent for non-essential processing.

Separate consent is also specifically required in a number of situations:

Transfer of personal data by data controllers to third parties (Article 23);
Publication of personal data (Article 25);
Publication or provision of personal data collected by equipment installed in the public places for security purposes, such as personal images (Article 26);
Processing of sensitive personal data (Article 29); and
Cross-border transfers of personal data (Article 39).

Consent for these situations cannot be "bundled" and thus must be obtained separately from the individual.^[8]

Where a change occurs in the purpose of personal information handling, the handling method, or the categories of handled personal information, the individual's consent shall be obtained again.^[6]

Individual Rights

Individuals have several specific rights under the PIPL - they can:^[6]

Know & Decide - Refuse and limit how their data is handled.
Access & Copy - View and copy their data.
Correct or Complete - Request to correct inaccurate data.
Erasure - Request their information be deleted and/or revoke consent.
Explanation - Request handlers explain their handling of an individual's personal information.
Portability - Request moving their data to another handler.

Automated Decision Making

There are specific rules for automated decision making in the PIPL, including the right of individuals to opt-out, such as disabling product recommendations.

The law specifically requires "transparency of the decision-making and the fairness and justice of the handling result shall be guaranteed, and they may not engage in unreasonable differential treatment of individuals in trading conditions such as trade price, etc."^[6]

For companies pushing delivery or commercial sales to individuals through automated decision-making methods shall simultaneously provide the option to not target an individual's characteristics, or provide the individual with a convenient method to refuse.

When the use of automated decision-making produces decisions with a major influence on the rights and interests of the individual, they have the right to require personal information handlers to explain the matter, and they have the right to refuse that personal information handlers make decisions solely through automated decision-making methods.

Automated Decision Making is defined as "refers to the activity of using computer programs to automatically analyze or assess personal behaviors, habits, interests, or hobbies, or financial, health, credit, or other status, and make decisions."^[6]

Facial Recognition

The PIPL specifically covers the use of facial recognition in public spaces, including that it can only be used for public security reasons unless each individual separately consents:

"The installation of image collection or personal identity recognition equipment in public venues shall occur as required to safeguard public security and observe relevant State regulations, and clear indicating signs shall be installed. Collected personal images and personal distinguishing identity characteristic information can only be used for the purpose of safeguarding public security; it may not be used for other purposes, except where individuals’ separate consent is obtained."^[6]

Handler Obligations

Personal information handlers have several specific obligations:^[6]

Formulating internal management structures and operating rules;
Implementing categorized management of personal information;
Adopting corresponding technical security measures such as encryption, de-identification, etc.;
Reasonably determining operational limits for personal information handling, and regularly conducting security education and training for employees;
Formulating and organizing the implementation of personal information security incident response plans;
Other measures provided in laws or administrative regulations.

All handlers must "regularly engage in audits of their personal information handling and compliance with laws and administrative regulations."

Personal Information Protection Officers

In addition, at a certain (not yet defined) data handling scale, handlers must appoint "personal information protection officers, to be responsible for supervising personal information handling activities as well as adopted protection measures, etc."

Impact Assessment

Under the following circumstances, handlers must perform a personal information protection impact assessment and report the results:^[6]

Handling sensitive personal information;
Using personal information to conduct automated decision-making;
Entrusting personal information handling, providing personal information to other personal information handlers, or disclosing personal information;
Providing personal information abroad;
Other personal information handling activities with a major influence on individuals.

Such assessments must include:

Whether or not the personal information handling purpose, handling method, etc., are lawful, legitimate, and necessary;
The influence on individuals' rights and interests, and the security risks;
Whether protective measures undertaken are legal, effective, and suitable to the degree of risk.

Data Localization

The PIPL has specific requirements on data localization, the storage and processing of personal information in China.^[7]

Data Security

Information handlers have several responsibilities, including adopting the following measures to ensure personal information handling conforms to the provisions of laws and administrative regulations, and prevent unauthorized access as well as personal information leaks, distortion, or loss:

Formulating internal management structures and operating rules;
Implementing categorized management of personal information;
Adopting corresponding technical security measures such as encryption, de-identification, etc.;
Reasonably determining operational limits for personal information handling, and regularly conducting security education and training for employees;
Formulating and organizing the implementation of personal information security incident response plans;
Other measures provided in laws or administrative regulations.

Impact Assessments

Impact Assessments are required in a number of situations, including:

Handling sensitive personal information;
Using personal information to conduct automated decision-making;
Entrusting personal information handling, providing personal information to other personal information handlers, or disclosing personal information;
Providing personal information abroad;
Other personal information handling activities with a major influence on individuals.

Contractual Elements

Agreements are required when a handler entrusts personal data handling to another handler. Some law firms have suggested this will resuit in specific standard contractual clauses ("SCC"), similar to in the GDPR.^[8]

Breach Notification

All data leaks must be reported internally, and if "harm may have been created" they may be required to notify the individuals affected. Notification details must include:

The information categories, causes, and possible harm caused by the leak, distortion, or loss that occurred or might have occurred;
The remedial measures taken by the personal information handler and measures individuals can adopt to mitigate harm;
Contact method of the personal information handler.

Large Handlers

Large-scale handlers, such as those "providing important Internet platform services, that have a large number of users, and whose business models are complex" also have the obligations:

Establish and complete personal information protection compliance systems and structures according to State regulations, and establish an independent body composed mainly of outside members to supervise personal information protection circumstances;
Abide by the principles of openness, fairness, and justice; formulate platform rules; and clarify the standards for intra-platform product or service providers' handling of personal information and their personal information protection duties;
Stop providing services to product or service providers on the platform that seriously violate laws or administrative regulations in handling personal information;
Regularly release personal information protection social responsibility reports, and accept society's supervision.

Overseas Transfers

Moving personal information outside of China is only allowed if one of these conditions is satisfied:^[6]

Passing a security assessment organized by the State cybersecurity and information department according to Article 40 of this Law;
Undergoing personal information protection certification conducted by a specialized body according to provisions by the State cybersecurity and information department;
Concluding a contract with the foreign receiving side in accordance with a standard contract formulated by the State cyberspace and information department, agreeing upon the rights and responsibilities of both sides;
Other conditions provided in laws or administrative regulations or by the State cybersecurity and information department.

All such transfers require each individual's separate consent and notification about "the foreign receiving side’s name or personal name, contact method, handling purpose, handling methods, and personal information categories, as well as ways or procedures for individuals to exercise the rights provided in this Law with the foreign receiving side, and other such matters."^[6]

Sharing data with foreign governments

Information handlers are prohibited from sharing any personal information with foreign judicial or law enforcement agencies with approval.^[6]

This has raised concerns among law firms about how multi-national corporations would or could respond to judicial inquiries in other countries, such as a warrant for data held about a Chinese citizen in those countries.

Government Departments

The PIPL includes legal basis for how government ("State Organs") can collect and process data. Generally, the government must follow the same rules as non-government entities, including notifications. There are some exceptions, such as when it "shall impede State organs’ fulfillment of their statutory duties and responsibilities".^[6]

Enforcement

The PIPL has several enforcement mechanisms, including warnings, orders to stop illegal activity, fines, and confiscation of unlawful income. Illegal acts may also be recorded in China's Social Credit System. In addition, individuals can also sue handlers for violation of their rights.

Reactions

Initial reaction has been mostly by numerous law firms publishing notices and whitepapers outlining the new law, its key provisions, and recommended initial courses of action to prepare for compliance.

Articles of the Law

The PIPL has eight chapters and 73 articles, concerning processing rules, sensitive data, government data use, cross-border transfers, rights of individuals, processor obligations, legal liabilities, and miscellaneous supplemental provisions.^[9]

Chapter 1 - General Provisions

Article 1 - Purpose
Article 2 - Legal protection of personal information
Article 3 - General scope
Article 4 - Personal Information and handling definition
Article 5 - Principles of legality, propriety, necessity, and sincerity
Article 6 - Clear and reasonable purpose
Article 7 - Openness and transparency
Article 8 - Quality of personal information
Article 9 - Personal information handlers bear responsibility
Article 10 - No illegally collection, use, processing, or transmission of personal information
Article 11 - Personal information protection structure
Article 12 - International rules and norms for personal information protection

Chapter 2 - Personal Information Handling Rules

Section 1: Ordinary Provisions

Article 13 - Legal basis for processing
Article 14 - Consent and notification
Article 15 - Consent and revocation
Article 16 - No service refusal if consent is revoked
Article 17 - Notifications
Article 18 - Notification exclusions
Article 19 - Information retention periods
Article 20 - Joint handling
Article 21 - Entrusted handling
Article 22 - Handling transfers
Article 23 - Providing information to other handlers
Article 24 - Automated decision making
Article 25 - Information disclosure prohibited
Article 26 - Facial recognition limits
Article 27 - Handling public information

Section II: Rules for Handling Sensitive Personal Information

Article 28 - Sensitive information definition
Article 29 - Separate consent for sensitive information handling
Article 30 - Sensitive information notification
Article 31 - Personal information of minors
Article 32 - Application of other restrictions on sensitive information

Section III: Specific Provisions on State Organs Handling Personal Information

Article 33 - Application to state organs
Article 34 - State organ requirements
Article 35 - Notification duties
Article 36 - Data storage in China requirement
Article 37 - Public affairs

Chapter 3 - Cross-Border Provision of Personal Information

Article 38 - Conditions for transfers
Article 39 - Notification and consent
Article 40 - Large scale processor requirements
Article 41 - Foreign judicial or law enforcement agency requests
Article 42 - Violations and enforcement
Article 43 - Foreign country or region discriminatory prohibitions

Chapter 4 - Individuals’ Rights

Article 44 - Right to know, decide, limit, and refuse
Article 45 - Right to consult, copy, and transfer information
Article 46 - Right to correct
Article 47 - Right to delete
Article 48 - Right to request explanation
Article 49 - Rights of deceased
Article 50 - Requirements for handlers to process rights requests

Chapter 5 - Personal Information Handlers’ Duties

Article 51 - Personal information protection program
Article 52 - Designating representatives
Article 52 - Designating representatives for international handlers
Article 54 - Auditing
Article 55 - Impact assessment criteria
Article 56 - Impact assessment requirements
Article 57 - Data breaches notification
Article 58 - Internet platform requirements
Article 59 - Entrusted persons requirements

Chapter 6 - Departments Fulfilling Personal Information Protection Duties and Responsibilities

Article 60 - State cybersecurity and information department roles
Article 61 - Protection department roles
Article 62 - Oversight requirements
Article 63 - Protection department measures
Article 64 - Protection enforcement
Article 65 - Complaints and whistle blowers

Chapter 7 - Legal Liability

Article 66 - Right to complain
Article 67 - Monetary penalties
Article 68 - Administrative fines and criminal responsibility
Article 69 - Liability for damages
Article 70 - Legal action
Article 71 - Punishment and criminal liability

Chapter 8 - Supplemental Provisions

Article 72 - Exemption for personal or family affairs
Article 73 - Definitions
Article 74 - Start date

Citations

^ "中华人民共和国个人信息保护法_中国人大网". www.npc.gov.cn. Retrieved 2023-10-16.
^ "Recent evolution of the personal privacy legal protection in people's Republic of China". iris.uniroma1.it. Retrieved 2023-10-06.
^ "China Passes the Personal Information Protection Law, to Take Effect on November 1". Gibson Dunn. 2021-09-10. Retrieved 2021-09-29.
^ "Employee Personal Information Protection in China – Are You Up to Speed?". Crowell & Moring LLP. 2021-08-25. Retrieved 2021-09-29.
^ Briefing, China (2021-02-02). "Employers in China Should Prepare for Compliance Expectations Under Draft PIPL". China Briefing News. Retrieved 2021-09-30.
^ ^a ^b ^c ^d ^e ^f ^g ^h ⁱ ^j ^k ^l "Translation: Personal Information Protection Law of the People's Republic of China | DigiChina". digichina.stanford.edu. Retrieved 2021-09-29.
^ ^a ^b "China's Personal Information Protection Law (PIPL): Key Questions Answered | Morrison & Foerster". www.mofo.com. Retrieved 2021-09-29.
^ ^a ^b "The journey has just begun: China passes its Personal Information Protection Law". www.hoganlovells.com. Retrieved 2021-09-29.
^ "China PIPL Law". www.npc.gov.cn. Retrieved 2021-09-29.