Editor's Note:
This is the second article of a five-part series that explores the most important features of China’s Personal Information Protection Law.
The Personal Information Protection Law of the People's Republic of China entered into force Nov. 1, 2021. As the first comprehensive personal data law of China, the PIPL imposes a number of legal obligations on businesses in relation to the collection, processing, provision, transfer, deletion and destruction of personal data.
Obligations of 'PIPs' under PIPL
Under the PIPL, personal information processor is the primary obligor in handling personal information. A PIP refers to an organization or individual that has the discretion to determine the purpose and method of processing personal information, which is similar to the definition of “data controller” under the EU General Data Protection Regulation. Key legal obligations of a PIP include:
Notification and consent
Compared to China’s Cybersecurity Law, which provides that collection of personal information must be based on consent given by the data subject, the PIPL expands the legal grounds for collection and processing of personal data such that consent is not the only permissible legal basis.
However, from an operational perspective, "notification + consent" likely remains one of the most commonly used legal bases in China, given that the “legitimate interest” ground, which is widely relied on under the GDPR, is not recognized under the PIPL. Therefore, what information should be part of the notification and what conditions should be met to obtain consent are the key compliance points businesses should pay close attention to when handling personal information.
Notification
Under the PIPL, a PIP is required to give a proper notification to the individual of the following items in a conspicuous and clear way, and in a truthful, accurate and complete manner, before processing personal information:
- The name and contact information of the PIP.
- The purpose and method of processing personal information, the type of personal information to be processed and its retention period.
- The way and procedure for individuals to exercise their rights.
- Other matters as required by the relevant laws and regulations.
Consent
The PIPL provides that valid consent must be voluntary, explicit and given by the individual on a fully informed basis. If there is any change to the category of personal information or the purpose or method of personal information processing, consent must be obtained again. Individuals have the right to withdraw their consent and the PIPs shall provide a convenient method for consent withdrawal. The PIPs may not refuse to provide products or services to individuals because the individuals do not give consent for the processing of their personal information or withdraw their consent, unless the processing of their personal information is necessary for providing the related products or services.
It is important to note that the PIPL requires separate consent from the data subject under the following special circumstances:
- Processing sensitive personal information: The scope of sensitive personal information under the PIPL is wider than that under the GDPR. According to the PIPL, sensitive personal information covers biometric information and personal information related to religious beliefs, specific identity, medical and health, financial account, geolocational tracking, as well as personal information of a minor under the age of 14.
- Sharing personal information with third parties.
- Transferring personal information abroad.
- Making personal information public.
- Installing personal image or identity recognition equipment in public places to collect personal information for a purpose other than public safety.
Businesses will need to review the relevant consent mechanisms and language in their privacy documentation (such as the privacy policy, consent, and employment contracts) to ensure that the PIPL requirement for separate consent is properly addressed.
Personal information impact assessment
The obligation to conduct a personal data impact assessment is included in both the GDPR and the PIPL, but the application scenarios under the PIPL are significantly different from those under the GDPR. The PIPL provides that a PIP is required to conduct a personal data impact assessment under any of the following circumstances:
- Processing sensitive personal information.
- Using personal information in automated decision making.
- Commissioning the processing of personal information to a third party.
- Transferring personal information outside China.
- Processing personal information which may significantly affect the interests of individuals.
With respect to how to conduct a personal information impact assessment, the PIPL requires the following aspects be included:
- Whether the purpose and method of processing personal information is legal, proportionate, and necessary.
- What impacts the processing may have on individuals’ interests and what security risk(s) it may trigger.
- Whether the protection measures are lawful, effective, and appropriate to the risk level.
The PIP is required to keep the impact assessment report on record for at least three years.
Automated decision-making
Big data analysis, user profiling and automated decision-making have been playing an increasingly important role in the digital economy of China. The PIPL stipulates that when a PIP uses personal information in automated decision-making, it must ensure the transparency of the decisions and the fairness and impartiality of the results and may not implement any unreasonable measures to discriminate against individuals in relation to pricing or other transactional terms.
The data subjects have the right to request an explanation regarding the use of the personal information or refute the decision made by the PIP solely based on automated decision-making if it impacts the data subjects significantly.
Recently, Chinese regulators have taken a series of enforcement actions to crack down on the misuse of algorithms and big data to discriminate against customers and consumers.
Organizational and technical measures
According to the PIPL, a PIP is required to adopt the following organizational and technical measures to prevent unauthorized access, damage, leakage, or loss of personal information:
- Formulating internal management mechanism and operating rules.
- Classifying personal information.
- Adopting encryption, de-identification and other security measures.
- Setting up proper access limits and conducting periodic training.
- Establishing and organizing a data breach incident response mechanism: It is provided in the PIPL that in the event of a data breach, the PIP is required to take remedial actions immediately and notify the competent regulators and affected data subjects.
Special obligations for large internet platforms
The PIPL imposes more stringent obligations on PIPs who provide important internet platform services, have a large user base or operate complicated businesses. Under the PIPL, those PIPs are required to:
- Establish a personal information protection compliance policy and system and establish an independent body composed of external members to supervise their personal information protection practices.
- Develop platform rules in accordance with the principles of transparency, fairness and impartiality.
- Cease the provision of any service to any product/service provider operating on their platform who commits a serious violation of personal information laws or regulations on their platform.
- Publish a social responsibility report on personal information protection on a regular basis and accept supervision from the public.
From the enforcement perspective, large internet platform companies have been closely scrutinized recently by Chinese authorities. Therefore, large internet platforms should be keenly aware of the personal data protection requirements and take necessary compliance steps.
Appointment of DPOs and representatives/agents
The PIPL provides that if the volume of personal information processed reaches the threshold prescribed by China's national cyberspace authority, the relevant PIPs are required to appoint a designated personal information protection officer (similar to a DPO under the GDPR) to supervise data processing and oversee protection measures.
The PIPL is similar to the GDPR in terms of its extra-territorial application. Under the PIPL, foreign companies without a business presence in China will need to set up a special agency or appoint a representative in China to deal with data protection matters if the data processing outside of China is subject to the PIPL.
Obligations of “entrusted party of personal information”
The PIPL defines the term “entrusted party of personal information” as an organization or individual that processes personal information under the instruction of a PIP. This appears similar to the definition of “data processor” under the GDPR.
According to Article 21 of the PIPL, where a PIP commissions an entrusted party for personal information processing, the PIP and the entrusted party shall reach an agreement, specifying the purpose, period and method of the contracted processing, the type of personal information to be processed, the protection measures to be taken and other relevant rights and obligations.
The entrusted party can only process the personal information within the scope authorized by the PIP and may not process the personal information beyond the agreed purpose or method. If the entrustment contract expires, terminates or becomes void, the entrusted party must delete or return the entrusted personal information. Without approval from the PIP, the entrusted party is not allowed to sub-contract the personal information processing activity to any third parties.
From the personal information protection perspective, the entrusted party is required to take necessary measures to protect the personal information entrusted to it by the PIP and shall assist the PIP in complying with the obligations under the PIPL. This suggests that if a data breach incident occurs in relation to the personal information entrusted by the PIP, the entrusted party shall notify the PIP immediately, provide necessary information and offer other technical or administrative support to assist the PIP in satisfying its compliance requirements under the PIPL.
Rights of data subjects
The PIPL grants a wide range of rights to data subjects, many of which can find their roots in the GDPR.
Under the PIPL, individuals have the right to access and make copies of their personal information, and PIPs shall provide such information in a timely fashion. Individuals are also entitled to correct, supplement and update incomplete, inaccurate or out-of-date personal information and may request deletion of their personal information in cases of expiration of the processing purpose, cessation of products or services, withdrawal of consent by individuals, violation of laws or processing agreements, or any other situations provided by regulations.
Like the GDPR, the PIPL also provides the right of portability, whereby individuals have the right to request that the PIP transfer their personal information to another PIP.
Yet, it should be noted that the PIPL goes further than the GDPR, such as by giving individuals the right to bring claims against processing entities if they reject the individual's request to exercise their rights, as well as the right to request that handlers explain their handling rules. Close relatives of a deceased individual may also exercise that individual's PIPL rights following their passing.
Given these enhancements under the PIPL, businesses will need to revisit their processes that manage requests from data subjects to allow for these additional requirements in China and should have a template in place to respond to any requests to explain their handling rules.
Compliance suggestions
The PIPL contemplates administrative, civil and criminal penalties, with a reverse burden of proof: a company must assume legal liability and pay compensation if individuals suffer loss due to the company's data processing activities, unless the company can prove its compliance with the PIPL. Given the comprehensive and augmented legal obligations provided in the PIPL, businesses are required to take and document their compliance actions, including, among others:
- Reviewing the status quo of the personal information processing activities.
- Conducting risk assessments to identify potential risks, determine the risk level and prioritize remedial actions.
- Developing and implementing rectification plans, including drafting and updating the relevant privacy documents such as the privacy policy, consent of data subjects, employment contracts, data processing agreements, and reviewing the management of individuals’ requests to enforce their rights.
- Staying abreast of China’s fast-changing regulatory and technical developments in data protection and privacy and taking appropriate compliance and risk management steps.