After rounds of public consultation on the draft laws,
the Personal Information Protection Law (PIPL) has finally been officially passed
by the Chinese legislature on 20 August 2021. The PIPL imposes stringent legal
restrictions on the processing, use and management of personal data, and it signals
China’s important first step to align its personal information protection laws
to international standards.
The PIPL will come into effect on 1 November 2021 in
China. It will no doubt have a major impact on the personal information
processing activities of companies conducting business in China.
In this article, we will go through the must-know of
the PIPL and its significance, drawing from our experience in advising on
personal information protection under the existing legal framework in China
with particular focus on the following aspects:
-
1. Extraterritorial
jurisdiction
-
2. Governing
cross-border transfer of personal information
-
3. Requirement
of obtaining consent
-
4. Regulation
of automated decision-making
-
5. Penalties
and legal consequences
-
6. Compliance
of PIPL
I. EXTRATERRITORIAL JURISDICTION
The newly passed PIPL is
applicable to any organization and individual who processes personal
information of natural persons within the territory of China. In particular,
the PIPL is extraterritorial which means that even overseas domiciled companies
carrying out personal information processing activities outside of China but
for the purpose of providing services or products to natural persons in China, or
to analyze and evaluate the activities of natural persons in China, will be
subject to the law. This will affect a wide range of foreign companies such as companies
offering e-commerce services that are accessible to Chinese consumers (e.g.
selling products on online website, or providing online courses). It is also
mandatory for foreign companies to appoint local representatives or to establish
designated supervisory agencies in China to ensure compliance of the regulatory
requirements under PIPL.
II. GOVERNING CROSS-BORDER TRANSFER OF
PERSONAL INFORMATION
Companies shall be mindful of their data transfer
strategies under the PIPL and shall ensure compliance of any one of the following
conditions when personal information is provided to any party outside the
territory of China:
Th 1. The personal information processors shall
pass the security assessment conducted by the state cyberspace administration.
2. The
personal information processors shall obtain certification in relation to
personal information protection from professional institutions according to the
regulations of the state cyberspace administration.
3. The personal information processors
shall enter into a contract with the overseas receiving parties to agree on the
rights and obligations of both parties. Such contract shall be in accordance
with the model contract stipulated by the state cyberspace administration.
4. The personal information processors must
fulfil the criteria stipulated in other laws and regulations, or in the rules
set by the state cyberspace administration.
p
The personal inforrmation processors shall also ensure the personal information processing activities undertaken by the overseas receiving parties meet the personal information protection standard as prescribed in the PIPL.
In particular, companies shall be aware of whether
they will be classified as “critical information infrastructure operator”, such
as for companies operating in public communications, information service,
energy, transport, water conservancy, finance, public service and e-government
sectors or whether the quantity of personal information processed by the
company reach the threshold specified by the state cyberspace administration.
In those cases, the PIPL requires all personal information collected and
generated within the territory of China to be stored domestically. If it is
truly necessary to provide the personal information to an overseas receiving
party, the security assessment organized by the state cyberspace administration
shall still first be passed. Online shopping platforms, hotel services, and
other sectors that process large volume of personal information in China may be
affected by the introduction of this new requirement. We expect that further
clarification and additional operational guidelines will be issued to clarify
the quantity of personal information that will fall under the aforesaid requirement
and the threshold thereof.
Where there is cross-border transfer of personal
information, the PIPL now requires personal information processors to notify the
individuals a list of information including but not limited to names of the overseas
receiving parties, their contact information, purposes and methods of
processing the individual’s personal information, the methods and procedures
for individuals to exercise their rights provided in the PIPL against the overseas
receiving parties. The hurdle is higher given the fact that personal
information processors shall obtain separate consent from such individuals.
III. REQUIREMENT OF OBTAINING CONSENT
One of the main focus of the PIPL is that it sets out a general rule
that the personal information processors shall obtain an individual’s consent
before processing personal information except under minor exceptional
circumstances. The PIPL requires such consent to be given voluntarily and
explicitly by an individual on a fully informed basis and if and when required,
separate or written consent shall be obtained. If there are any change of the
purpose or method of processing of personal information, a fresh consent shall
be obtained by the individual again. The personal information processors are also
required to provide a convenient way for the individual to withdraw his or her
consent.
It is worth noting that the PIPL has imposed stricter requirements on
personal information processors if they wish to obtain sensitive information
from individuals. Examples of sensitive information include biometrics, medical
and health data, financial information and location data. Personal information
processors shall obtain separate consent from individual before processing his
or her sensitive data. In addition to the requirements as abovementioned,
personal information processors shall notify individuals of the necessity of
the processing of sensitive personal information and the impact on individual’s
rights and interest.
IV. REGULATION OF AUTOMATED
DECISION-MAKING
With the worldwide digitalization,
companies may increasingly adopt mechanisms of “automated decision-making” in
their information systems to enhance their services or businesses or for
conducting commercial marketing. Automated decision making is now governed
under the PIPL and is defined as activities of automatically analysing and
assessing individuals’ behavioural habits, hobbies, or financial, health and
credit status through computer programs and making decisions thereon.
If companies make use of personal
information when conducting automated decision-making, they should ensure the
transparency of the decision-making and the fairness and impartiality of the
result, and if there are any differential treatment to individuals in terms of
trading price or other trading conditions it should be justified reasonably. The
PIPL allows the individual to have the right to request the personal
information processor to give explanations and to refuse to accept the personal
information processor making decisions solely based on automated decision
making, if such decision has a major impact on an individual’s rights and
interests.
In addition, where companies use
automated decision-making to carry out information push or to conduct business
marketing to individuals, the companies shall simultaneously provide options that
are not based on the individuals' personal characteristics in order to be in
compliance of the PIPL. Alternatively, the companies may provide convenient methods
for the individuals to refuse such information push or business marketing
carried out solely based on automated decision making.
V. PENALTIES AND LEGAL CONSEQUENCES
Personal information
processors shall take note of their legal liability under the PIPL. If personal
information processors are found to be in violation of the PIPL, personal
information protection authorities may issue order for rectification, issue
warnings to personal information processor, and confiscate any illegal income.
In cases of serious nature of breach, personal information protection
authorities may impose a fine not more than RMB 50 million or not more than 5%
of annual turnover of the previous year, and may even order suspension of
relevant business and notify authorities-in-charge to revoke business permits
or business licenses. In particular, the personal information protection
authorities may impose a fine not less than RMB 100,000 and not more than RMB 1
million on executives directly in charge or any other officers that are directly
in charge, and such personnel directly in charge may even be prohibited from
acting as directors, supervisors, senior executives or persons in charge of
personal information protection of the related companies for a certain period
of time.
VI. CONCLUSION
In view of the PIPL, companies
with China-based operations should review and update their existing data collection
and processing policies and terms and conditions before November to ensure that
it is in line with the PIPL provisions.
© Vivien Chan & Co., Newsletter issue 09, September 2021
All Rights Reserved
About Us
Vivien Chan & Co. is a full-service law practice with offices in Hong Kong (1985) and Beijing (1993). We are consistently recognized as a premier law firm for and in Greater China. With over 35 years of doing business in Greater China, our Hong Kong and China teams have an in-depth understanding and knowledge of the legal culture and market dynamics.
