Key Changes Under the Finalized PIPL
Legal basis of processing
Under the finalised version of the PIPL, there are seven legal basis of the data processing:
- Consent;
- Contractual necessity or necessity arising from the human resources management implemented in accordance with the labour rules and regulations of the employer formulated according to the law or collective contracts signed according to law;
- Compliance with legal responsibilities or obligations;
- Responding to a public health emergency, or in an emergency to protect the safety of natural persons’ health and property;
- Processing personal information that is already made public within the reasonable scope and in accordance with the requirements of the PIPL;
- For purposes of carrying out news reporting and public opinion monitoring for public interests; and
- Other circumstances permitted by laws and regulations.
The only substantial change made from the second draft is the addition of the clause of contractual necessity in the finalized PIPL. This is a specific reference to labour governance rules that are signed in accordance with laws. This new addition will have a huge impact in the employment context.
Consent
Consent requirements under the finalized PIPL remain consistent with previous PIPL drafts. Furthermore, similar to the previous drafts, the term “separate consent” is not yet defined under the final form of the PIPL.
Compared with the second draft, article 28 of the finalized PIPL purports data of minors aged under 14 as “sensitive personal information”, and requires need to obtain separate consent from the minor's guardian before processing their data.
Cross-border data transfers
The finalized PIPL enhances its cross-border data transfer system, as compared to the second draft, introduces 3 changes:
- PIPL states that cross-border treaties concluded by China may prevail over other treaties.
- All personal information processors are required to adopt measures to ensure that processing activities of the destination country have an equivalent level of protection provided in the PIPL.
- The PIPL requires organizations to obtain approval from government authorities before transferring data to foriegn organs for international judicial assistance or administrative law enforcement.
Data subject rights
The finalized version of the PIPL brings the following changes to data subject rights:
- Deceased data subject rights: Next of the kin of the deceased data subject can request a copy, amendment and erasure of their relatives data.
- Data portability: A data subject has the right to request a data processor to have his data transferred to another data processor provided that such transfer follows the requirements set by the Cybersecurity Administration of China (“CAC”).
- Redress: If a data processor refuses to comply with a DSR, the data subject may seek redress in court of law.
Organizations tend to collect personal information for different purposes, such as to understand customers’ behavior patterns and interests. However, sometimes, it is specifically collected for the purpose of sending them notification emails, text messages, etc.
In the final revision, under the General Provision section in Article (6), the regulatory authority has specified the restriction on personal information (PI) processing. The PIPL specifies that other than definite and reasonable purpose, the PI processing “be directly related to the purpose of processing.” In addition to that, the collection of personal information should be very limited.
In the first draft and second draft, the regulatory authorities restricted organizations from processing data which violated the laws and administrative regulations. In the finalized version, the regulatory authority further expanded the unlawful collection and processing of data.
As per the finalized version, organizations are prohibited from collecting and processing data illegally, disclosing it to any third-party, or using it in a way that would result in any damage to national or public interest.
As per Article (15) of the second draft, PI processors were required to obtain the consent of the parent or a guardian before processing. The final version of PIPL merges Article (15) with Article (31), specifying that special processing rules should be created by the PI processor for data subjects under the age of 14.
Automated Decision Making
The second draft of the PIPL required automated decision-making systems to be transparent, fair, and reasonable. It also gave individuals the ability to inquire further about the decision made by the automated system or reject it altogether.
The final draft of PIPL merges Article (25) with Article (24), additionally requiring PI processors to “not engage in unreasonable differential treatment of individuals in trading conditions,” and prohibiting price discrimination through automated decision-making.
Article (55) of the second draft stated the requirement of assessing risks of certain personal information processing activities in advance and keeping a record of the processing. However, in the finalized PIPL, Article (55) named this risk assessment as “personal information protection impact assessment” and added a separate new Article (56) detailing the scenarios where this impact assessment will be required.
Penalties
Upon violations and non-compliance, PIPL penalizes fines of up to 1 million RMB on the processor and up to 100,000 RMB on the person supervising the processor. Serious fines may be imposed on the processor of up to 50 million RMB or 5% of turnover of the previous year.
The revised version of PIPL imposes serious penalties on the liable persons, including the processor and those in charge of the processor, prohibiting them from serving as managers or directors in any organization.
Conclusion
The finalized PIPL is set to go into effect in less than 2 months and organizations are not yet ready to comply with all the requirements set in place. Organizations need to incorporate automation if they hope to improve their processes in time for the enforcement of the PIPL.
Request a demo now to see how robotic automation and artificial intelligence can help you on your road to compliance with China’s PIPL.
