Exploring The Personal Information Protection Law in China
The Personal Information Protection Law in China was promulgated on August 20, 2021 by theStanding Committee of China’s National People’s Congress, and will take effect this upcoming November 1, 2021. This new law aims to “regulate personal information processing activities,” “facilitate reasonable use of personal information,” and “protect the rights and interests of individuals” (Article 1).
The PPIL, Data Security Law, and the Cybersecurity Law, in a broader cyber and data security governance perspective, will form an over-arching framework to govern cybersecurity, data security, and data protection in China for years to come.
But before we comb through China’s new Personal Information Protection Law (PPIL), let us first define some key terms as we delve deeper to the start of something exciting!
Key Terms, Defined
Throughout the Personal Information Protection Law in China, we will get to stumble upon the terms “Sensitive personal information,” “personal information,” “personal information processing entity,” “anonymization,” and “processing of personal information.” Upon the plain reading of it, it can be observed that “personal information” and “processing of personal information” are defined similarly under both of the PIPL and the GDPR. It is defined as all kinds of information relating to identified or identifiable natural persons recorded by electronic or other form, excluding anonymized information.
Moreover, “Sensitive personal information” is defined under the Personal Information Protection Law (PIPL) as “personal information that, once leaked, or illegally used, may easily infringe the dignity of a natural person or cause harm to personal safety and property security, such as biometric identification information, religious beliefs, specially-designated status, medical health information, financial accounts, information on individuals’ whereabouts, as well as personal information of minors under the age of 14” (Article 28).
Furthermore, “anonymization” refers to the process by which personal information cannot be used to identify specific natural persons and the personal information cannot be restored after processing (Articles 4 & 73). Also, it is to note that anonymized information is not deemed as personal information under the PIPL.
Lastly, “personal information processing entity” under the PIPL refers to “organization or individual that independently determines the purposes and means for processing of personal information” (Article 73). This also seems to appear as a similar concept to the GDPR’s “data controller” concept. This is the same with PIPL’s “entrusted party” with GDPR’s “data processor.”
The Total Package of the Personal Information Protection Law in China, unwrapped!
The Personal Information Protection Law in China consists of 8 chapters with 74 articles in total. These are:
- General Provisions;
- Personal Information Processing Rules;
- Rules for Cross-Border Provision of Personal Information;
- Individuals’ Rights in Personal Information Processing Activities;
- Obligations of Personal Information Processors;
- Departments Performing Personal Information Protection Functions;
- Legal Liabilities; and
- Miscellaneous Provisions.
Business Implications of the Personal Information Protection Law in China
The Personal Information Protection Law in China now adds another layer of complexity with respect to compliance with China’s security and data laws and regulations. As similarly required by the GDPR, it is now required for PIPL tohave a lawful basis to process personal information. In addition to consent, Article 13 of the said law provides for the following non-consent basis:
- Necessary to enter into or perform a contract to which the individual is a party, or where necessary to conduct human resources management according to lawfully formulated internal labor policies and lawfully concluded collective labor contracts.
- Necessary to perform legal responsibilities or obligations.
- Necessary to respond to a public health emergency, or in an emergency to protect the safety of individuals’ health and property.
- To a reasonable extent, for purposes of carrying out news reporting and media monitoring for public interests.
- Processing of personal information that is already disclosed by individuals or otherwise lawfully disclosed, within a reasonable scope in accordance with the PIPL.
- Other circumstances as required by laws.
Under the PIPL, the definition of consent provides that it must be freely given, informed, demonstrated by a clear action of the individual, and may later be withdrawn (Articles 14 & 15). It aligns with the GDPR with its strict consent requirements.
But, there is a separate consent under the PIPL for certain processing activities, that is:
- (i) shares personal information with other processing entities;
- (ii) publicly discloses personal information;
- (iii) processes sensitive personal information; or
- (iv) transfers personal information overseas (Articles 23, 25, 29 and 39).
Furthermore, the Personal Information Protection Law in China also requires personal information processing organizations to carry out prior personal information protection impact assessments and for at least three years, retain the processing records for the processing activities below:
- Processing of sensitive personal information.
- Processing of personal information for automated decision-making.
- Entrusting vendors to process personal information, sharing personal information with other processing entities or publicly disclosing personal information.
- Transferring personal information overseas.
- Other personal information processing activities that may have significant impacts on the rights and interests of individuals.