The Personal Information Protection Law (PIPL), the first law in China dedicated to protecting personal information, provides comprehensive penalty and enforcement mechanisms, including administrative penalties, private actions, public interest actions (China’s equivalent of class actions), public security administration penalties, and criminal penalties. Every individual or organization that acts as a data handler, including state organs as stipulated in Article 33, is subject to enforcement under the PIPL.
Supervisory authorities
Unlike the EU General Data Protection Regulation and the California Consumer Protection Act, each of which empowers a single supervisory authority responsible for enforcement, the PIPL assigns this role jointly to multiple governmental departments (the “supervisory authorities”), including the Cyberspace Administration of China (“CAC”), the Ministry of Industry and Information Technology, the Ministry of Public Security, the State Administration for Market Regulation, and financial regulators, as well as their respective counterparts at the local level. In this multi-level protection system, the CAC takes the leading and coordinating role, while the other departments’ supervisory powers over personal information protection are limited to their respective designated sectors.
Article 63 grants the supervisory authorities certain administrative enforcement powers. The supervisory authorities may take a range of investigatory measures, and handlers are obligated to assist and cooperate. These measures include interviewing the parties involved in a personal information processing activity; inspecting and copying the parties’ contracts, account books and other relevant materials; conducting on-site inspections; and examining relevant equipment and articles. Of these powers, the sequestration and confiscation of a wrongdoer’s equipment or property is the most severe.
Administrative penalties
The PIPL creates two tiers of administrative penalties for violations: general violations and grave violations (a term the PIPL leaves undefined). Only supervisory authorities at the provincial level or above have the power to impose penalties for grave violations. For general violations, fines on handlers can reach up to RMB 1 million (approximately $156,000) and fines on their management officers up to RMB 100,000 (approximately $15,600). For grave violations, fines on companies can reach as high as RMB 50 million (~$7.8 million) or 5% of the previous year’s annual revenue, and fines on their management officers range from RMB 100,000 (~$15,600) to RMB 1 million (~$156,000). The PIPL also empowers supervisory authorities to impose other penalties, including orders for rectification, warnings, disgorgement of unlawful gains, suspension of business, and even revocation of the business license. In the case of a grave violation, management officers can be prohibited from holding similar positions in the relevant business for a certain (unspecified) period. Finally, any violation may be recorded in China’s social credit system and announced to the public.
Article 65 confers on anyone who has knowledge of a violation the right to lodge a complaint or report with the supervisory authorities. This right is not limited to data subjects: any third party, including a handler’s competitor or a whistleblower, may submit a complaint to the supervisory authorities. Upon receipt of such a report, the supervisory authorities shall promptly take the necessary steps in response and provide feedback to the complainant.
Private actions
Before the PIPL came into force, the Civil Code already provided data subjects with a cause of action to seek monetary damages or compensation in court from anyone who infringed their personal information rights. What the PIPL adds in this area is rules on the burden of proof and on the measure of damages for such claims. As under the GDPR, once a data subject demonstrates an infringement, the PIPL shifts the burden to the defendant to prove that it was not at fault. This makes it much easier for a data subject to make their case in court. Consequently, handlers must not only make compliance efforts but also preserve evidence of those efforts in order to reduce their exposure to litigation. As to the measure of damages, courts need not limit themselves to the data subject’s actual losses and may alternatively rely on the gains the handler obtained from the infringement. If either amount is difficult to determine, the courts have full discretion to set the award. This is designed to resolve the difficulty data subjects face in proving damages in court after their personal information is breached, and it will have a deterrent effect on handlers.
In addition to the infringement of personal information rights, a handler’s refusal to act on a data subject’s request to exercise the rights afforded by the PIPL may also give rise to a cause of action under Article 50.
Public interest actions
The PIPL establishes that China’s class action equivalent, the public interest action mechanism, applies to the protection of personal information. This expands the scope of this distinctive mechanism, which has previously been deployed in the areas of environmental protection, consumer protection (including food and drug safety) and state asset protection, among others.
Like class actions in the United States, a public interest action in China is filed on behalf of a group of people. In the digital era, personal information breach incidents typically involve a very large number of victims, but it is time-consuming and costly for those data subjects to enforce their respective rights in court on an individual basis. Public interest actions help to resolve this problem by granting standing to a third-party organization. According to Article 70, such organizations include the people’s procuratorates (the equivalent of a prosecutor general’s office), statutorily designated consumer organizations, and organizations designated by the CAC.
One day after the adoption of the PIPL, the Supreme People’s Procuratorate issued an official notice confirming that public interest actions for personal information protection cases will be the focus of its work in the future.
Public security administration and criminal penalties
A handler that commits a violation may also be subject to public security administration penalties or criminal penalties. Public security administration penalties are imposed by the public security organs under the Public Security Administration Punishments Law of China when the violation is not severe enough to attract criminal liability; they include warnings, fines and administrative detention. When a violation is severe enough, the Criminal Law of China provides several criminal sanctions for breaches involving personal information. The most relevant offense is “infringement of citizens’ personal information,” which criminalizes selling or disclosing personal information to third parties in violation of the relevant rules. The sanctions vary with the seriousness of the violation, and the threshold for criminal liability is relatively low: for instance, a wrongdoer who illegally procures, sells or provides more than 50 pieces of sensitive personal information, such as credit information, will be criminally liable. The most serious violations carry prison sentences of up to seven years in addition to a fine.
Article 64 provides that the supervisory authorities, when performing their administrative enforcement duties, shall promptly refer any violation that may constitute a criminal offense to the police authorities. In practice, this would to some extent expand the scope of the supervisory authorities’ role in the enforcement of the PIPL.
Relationship of personal information and important data
In China’s data protection legal regime, “important data” as well as personal information is afforded a heightened degree of protection. Under certain circumstances, an accumulation of personal information may arguably be categorized as “important data.” For instance, the Several Provisions on Automobile Data Security Management (Trial Implementation) provide that personal information involving more than 100,000 data subjects, along with other data in the automobile context, shall be deemed “important data.” Consequently, any violation relating to this category of personal information would additionally be subject to the enforcement regime applicable to “important data.”
Conclusion
The PIPL represents a major unifying moment in China’s long history of piecemeal data privacy policymaking, exhibiting considerable alignment with international trends in personal data protection, such as hefty fines and penalties. At the same time, this law merely provides a framework and broad principles, leaving some concepts such as “grave violation” undefined. While uncertainties remain as to enforcement in practice, given its entry into force in November 2021, many implementing regulations, rules and standards will be introduced in the near future, providing more detailed and concrete guidance.