Published on October 11, 2021 AUTHOR - Privacy Research Team
On August 20, 2021, China's Personal Information Protection Law (the "PIPL") was officially adopted after its third reading. The PIPL goes into effect on November 1, 2021. The first and second drafts of the PIPL were released on October 21, 2020 and April 29, 2021 respectively. This article walks through the 10 major changes between the second draft and the finalized version of the PIPL.
Under the finalized version of the PIPL, there are seven legal bases for processing personal information:
The only substantial change from the second draft is the expansion of the contractual-necessity basis: the finalized PIPL also covers processing that is necessary for human resources management carried out under labour rules formulated in accordance with law and collective contracts concluded in accordance with law. This addition will have a significant impact in the employment context, since employers will no longer have to rely on consent for much of their routine HR processing.
Consent requirements under the finalized PIPL remain consistent with the previous drafts. Likewise, the term "separate consent" is still not defined in the final text of the PIPL.
Compared with the second draft, Article 28 of the finalized PIPL classifies the personal information of minors under the age of 14 as "sensitive personal information", which means a PI processor must obtain separate consent from the minor's parent or other guardian before processing their data.
Compared with the second draft, the finalized PIPL strengthens its cross-border data transfer regime, introducing three changes:
The finalized version of the PIPL brings the following changes to data subject rights:
Organizations collect personal information for many different purposes, such as understanding customers' behaviour patterns and interests. Sometimes it is collected specifically for the purpose of sending notification emails, text messages, and so on.
In the final revision, Article 6 in the General Provisions tightens the restriction on personal information (PI) processing. Beyond requiring a clear and reasonable purpose, the PIPL now requires that processing "be directly related to the purpose of processing" and adopt the method that has the least impact on individuals' rights and interests. In addition, the collection of personal information must be limited to the minimum scope necessary to achieve that purpose.
The first and second drafts prohibited organizations from processing personal information in violation of laws and administrative regulations. The finalized version expands the list of prohibited collection and processing activities.
Under Article 10 of the finalized version, no organization or individual may illegally collect, use, process or transmit personal information, illegally trade, provide or disclose it, or process it in a way that endangers national security or the public interest.
Under Article (15) of the second draft, PI processors were required to obtain the consent of a parent or other guardian before processing a minor's personal information. The final version of the PIPL merges Article (15) into Article (31), which keeps the guardian-consent requirement and additionally requires PI processors to formulate special processing rules for the personal information of data subjects under the age of 14.
The second draft of the PIPL required automated decision-making systems to be transparent, fair, and reasonable. It also gave individuals the ability to inquire further about the decision made by the automated system or reject it altogether.
The final text of the PIPL merges Article (25) into Article (24) and additionally requires PI processors to "not engage in unreasonable differential treatment of individuals in trading conditions" such as transaction prices, which prohibits price discrimination through automated decision-making.
Article (55) of the second draft required a prior risk assessment of certain personal information processing activities and a record of the processing. In the finalized PIPL, Article (55) renames this risk assessment the "personal information protection impact assessment" and lists the scenarios in which it is required, while a new Article (56) sets out what the assessment must cover and requires the assessment report and processing records to be retained for at least three years.
For violations and non-compliance, the PIPL provides for fines of up to 1 million RMB on the PI processor and up to 100,000 RMB on the persons directly in charge of or directly responsible for the processing. For serious violations, the processor may be fined up to 50 million RMB or 5% of its turnover for the previous year, and the responsible individuals may be fined up to 1 million RMB.
The finalized PIPL also adds a personal sanction: the persons directly in charge of or directly responsible for a serious violation may be prohibited, for a certain period, from serving as a director, supervisor, senior manager or personal information protection officer of the relevant enterprises.
The finalized PIPL goes into effect in a matter of weeks, and many organizations are not yet ready to comply with all of its requirements. Organizations that hope to bring their processes into line in time for enforcement of the PIPL will need to automate much of that work.