The Personal Information Protection Law (PIPL) is the first dedicated and comprehensive legislation in China addressing the personal data rights of individuals. While the substantive provisions of the PIPL do not depart in many consequential ways from the regulations and guidelines enacted under the umbrella of the Cyber Security Law (CSL), including the Personal Information Security Specification (PI Security Specification), those measures have all been administrative regulations. As such, their enforcement depends on actions taken by a loose mesh of different Chinese authorities, none of which is a dedicated privacy regulator. By granting directly enforceable rights to individuals, the Civil Code and the PIPL represent a new chapter in the protection of personal data in China.
The PIPL is also closely aligned with the GDPR.
Extraterritorial reach
The PIPL will apply to all data processing activities carried out in China (i.e. regardless of the place of incorporation of the processing entity). Additionally, the PIPL will have extraterritorial effect in similar circumstances to the GDPR. Namely in relation to:
- the provision of products or services to natural persons within China (i.e. sales activities)
- the analysing of the behaviour of natural persons within China (i.e. profiling activities).
The draft PIPL also allows for the scope of extraterritorial effect to be expanded in subsidiary regulation. Organisations processing personal data from a location outside of China will be required to appoint an agent or representative within China, and to notify the appointment to the relevant authorities.
In contrast, the CSL had no explicit effect outside of China’s borders except in the case of entities that attack China’s critical information infrastructure.
Data subject rights
The PIPL will enshrine the following data subject rights in national law for the first time:
- a right of access
- a right to rectification
- a right to erasure
- a right to object to automated individual decision-making
- a right to object to profiling in the context of automated marketing and information delivery.
These rights largely mirror the individual privacy rights set out in the GDPR, but surprisingly without mentioning the right of data portability. Individuals will, however, be given a right to request a copy of any of the personal data an organisation holds about them. The PI Security Specification had provided for a more explicit right of data portability, where technologically practicable, albeit limited in scope to basic information about an individual and their health, psychological status, education and employment. The right to object to profiling is also expressed in a more limited fashion than the general right contained in the GDPR.
Individuals must be notified of the route for them to exercise these individual rights before their data is collected.
Bases for collection and use of personal data
Under the CSL, consent is the only legal basis for the collection and use of personal data.
The PIPL takes a somewhat more flexible approach. In addition to consent and various public interest grounds, the PIPL allows for the processing of personal data where essential for entering into or performing a contract. However, the PIPL does not allow personal data to be processed on the basis of establishing a legitimate interest in the manner of the GDPR.
Consent will therefore remain the predominant ground for processing personal data. The consent must be explicit and informed, with privacy notices presented in “easily understandable” language. There is no general requirement for the consent to be written, unless this is required by other laws or regulations. Individuals may withdraw their consent at any time.
Additional consent will be required if either the purpose or method of processing is changed or if an organisation wishes to collect additional personal data of a different type.
A key focus of the PI Security Specification is its injunction against bundling of consents for both core and ancillary functions/services. This focus is carried over into the PIPL, which prohibits organisations from making the provision of services conditional on customers consenting to the collection and use of their personal data for non-essential/non-core functions.
The PI Security Specification identifies functions such as enhancing the user experience or improving service quality as ancillary functions. Marketing, personalised preferences and location-based services (where a location fix is not essential) would be other examples. A separate consent has to be obtained for each such ancillary function - which must be optional.
Sensitive personal data
Although the concept of sensitive personal data had previously been recognised in the PI Security Specification, the PIPL is the first national law to establish a higher standard of protection for a special category of personal data. Examples of sensitive personal data in the law include information identifying a person’s race, nationality, religious beliefs, biometrics, medical history, health, financial position and location.
Under the PIPL, a separate consent will be required for processing sensitive personal data. Individuals must additionally be informed as to why it is necessary to collect and process their personal data and the impact of the processing on them.
Core obligations
In keeping with the CSL, the draft PIPL addresses the obligations of any organisations processing personal data, and does not formally distinguish on the basis of roles, i.e. between a ‘data controller’ and a ‘data processor’ (although it does establish joint and several liability for joint processors).
Breach notifications
The PIPL sets down a general requirement to immediately notify the relevant authorities and also a qualified obligation to notify affected individuals of data leaks. There are no threshold requirements, in terms of number of persons affected by the incident or its impact. Any “leakage” of personal data will need to be notified. The notification should explain, among other things, the remedial action that has already been taken and what individuals can do to mitigate the effects of the incident.
However, if the affected organisation is able to take measures to effectively “avoid the damage” caused by the incident, the PIPL explains that it “may not” be required to notify the individuals involved - unless required to do so by the relevant authorities. This reflects the current practice of enforcement authorities in China, and for that reason it is important to coordinate with regulators before sending notifications to individuals. Many of the regulators involved in data and cyber compliance in China are also involved in supervision of the internet and social media and may require organisations to take proactive measures to manage information about the incident on social media and in news reporting.
The draft PIPL does not prescribe the form of an individual notification nor whether it needs to be addressed directly to each person or if it can be made by way of a general communication.
Unlike the GDPR, the PIPL does not set a specific time limit for notifications.
Appointment of data protection officer (DPO)
The GDPR requires organisations involved in “large scale” processing of personal data to appoint a DPO. The draft PIPL takes a similar approach of requiring organisations to appoint a DPO when they pass a threshold volume of data processing. That threshold will be notified by the Cyber Security Administration in due course and can be expected to be reviewed periodically.
The name and contact details of the DPO will need to be disclosed in privacy notices and also notified to the authorities. The PIPL does not prescribe the appointment of an individual from within the organisation, but is more naturally interpreted as requiring the appointment of a specific person for the role.
Data protection impact assessments (DPIA)
Impact assessments will need to be conducted (and recorded) when:
- handling sensitive personal data
- using personal data in automated decision making
- disclosing personal data to a third party or transferring it overseas
- conducting any other processing activity that may have a significant impact on the individuals concerned.
The risk assessment should consider whether the purpose and method of processing is legitimate, proper and necessary, the risk level and impact on individuals and whether the security measures taken are commensurate to the level of risk. The written DPIA will have to be kept for at least three years, but will not need to be submitted to the authorities.
These requirements are broadly similar to those provided for in the GDPR.
Organisations will also be required to conduct regular audits of the processing activities and the protective measures taken, which the data protection authorities may require to be carried out by an external professional body. Conversely, the GDPR does not impose an explicit legal obligation to carry out audits but does require organisations to carry out regular reviews of their technical and organisational security measures proportionate to the data processing risk.
Technical and organisational measures
The draft PIPL identifies certain technical and organisational measures to be deployed depending on the nature of the individual processing activity, but does not mandate these. Organisational measures may include internal management systems, adopting a tiered approach to the management of personal data and implementing differentiated access controls. Appropriate technical security measures may include encryption and de-personalisation. It would not be surprising if the implementing measures for the law were more directive in this regard.
By contrast, the PI Security Specification recommends that all personal data be de-identified after collection and stored separately from any identifiers of an individual, and that all sensitive personal data be encrypted. This is another respect in which the PI Security Specification is likely to remain relevant following the introduction of the PIPL.
De-personalised data is defined in the draft as personal data that has been processed to remove all identifiers of an individual. It is distinguished from fully anonymised data in that the personal character of the data could be reconstructed from other sources of information. Irreversibly anonymised personal data will not be subject to the PIPL, whereas de-personalised data must be handled in the same manner as fully personalised information.
Transfers to third parties
Specific consent will be required to transfer personal data to a third party. Organisations will need to inform data subjects of the identity and contact information of the recipient, the purpose of the transfer, the types of personal data to be transferred and the method of processing. The third party recipient’s use of the data will be constrained by the same purpose and method of processing that had been communicated to the data subject.
In this respect, the PIPL appears to impose direct obligations on third party data processors, although without drawing any formal distinction between the organisation that controls the processing activity and a delegated processor. Third party processors will also be required to return or delete the personal data after the engagement has been fulfilled, and may not appoint sub-processors without the approval of the party engaging them.
One helpful exception to this general rule is for transfers of personal data that occur in the context of a merger, demerger or other form of business sale. Individuals will need to be informed of the identity and contact information of the surviving entity or new owner, who will stand in the shoes of the original data collector in terms of purpose limitations, etc.
Cross-border data transfer
Since the CSL was adopted, the Cyberspace Administration has released several proposed measures (the draft Security Assessment Measures) to regulate the cross-border transfer of personal data (and also of ‘important data’ – see further below).
The CSL itself requires only that operators of ‘Critical Information Infrastructure’ (CIIOs) store both personal data and ‘important data’ in China. Regulatory approval is required to transfer any of that data overseas, although no procedure for obtaining such approval has ever been made public. None of the various permutations of measures which were intended to extend variations of these requirements to other network operators have ever been implemented.
In the last proposal released in June 2019, all network operators would have been required to obtain approval from their provincial branch of the Cyberspace Administration before undertaking a cross-border transfer. The draft PIPL steps back from that position to one that is somewhat closer in effect to the GDPR.
Under the PIPL, different measures will apply to (i) network operators who engage in cross-border transfer of data up to a certain threshold level (to be specified at a later date), (ii) network operators who engage in cross-border transfer of data above that threshold level, and (iii) CIIOs.
Up to the specified threshold (i.e. category (i) above), organisations will be permitted to transfer personal data out of China if they meet one of the following three conditions:
- obtaining a personal data protection certification (likely akin to the GDPR’s ‘binding corporate rules’)
- entering into a contract with the overseas data recipient and supervising the overseas data recipient’s activities to ensure compliance with PIPL standards
- passing a government security assessment.
As with many legal provisions in China, the PIPL additionally provides for a catch-all of compliance with any other conditions that may subsequently be stipulated by law or by any Chinese authority.
The draft law does not elaborate on the minimum provisions of a data transfer agreement. These were set out in some detail in the June 2019 draft of the Security Assessment Measures - and follow the outline of the EU’s standard contractual clauses fairly closely.
Above that threshold, organisations will be required to pass the security assessment organised by the PRC cyberspace authorities before they can transfer data overseas, as will CIIOs. The draft PIPL does not lay down any requirements or process for undertaking a security assessment, and these requirements were also only very thinly described in the June 2019 draft of the Security Assessment Measures.
In both situations, organisations will be required to obtain separate consent from data subjects to transfer their personal data outside of China. And, as mentioned above, organisations must also conduct a DPIA before undertaking an overseas transfer (or indeed a domestic transfer to a third party located within China).
There are no exceptions for transfers to an overseas affiliate. It is worth noting that in a set of draft guidelines issued in 2017 (the draft Guidelines for Cross-Border Data Transfer), cross-border transfers were defined to include both transfers of data within an internal network and remote access from overseas.
Liability
As with the CSL, a violation of the PIPL will attract sanctions for both the organisation as well as any directly responsible personnel. The relevant authorities may issue a correction order, confiscate any unlawful income obtained as a result of the violation, and issue a warning to the organisation. If the correction is not made as ordered by the authorities, a fine of up to RMB 1 million may be imposed on the entity in breach. Personnel who are directly responsible for the entity’s breach may be fined up to RMB 100,000 (and no less than RMB 10,000).
If the circumstances are serious, the organisation may be fined up to RMB 50,000,000 or 5% of its annual income, and the directly responsible personnel may be fined between RMB 100,000 and RMB 1,000,000. The organisation in question may also be required to suspend the relevant businesses or even have its business licence revoked.
The organisation may also be entered into credit files and such information may be publicly disclosed.
Further, any breaches committed by directors and organisations may attract civil liability under the PIPL, mirroring the approach taken under the PRC Civil Code.