Overview of Personal Information Protection Law of the People’s Republic of China

Key Definitions under the PIPL

• “Personal Information Handling” includes personal information collection, storage, use, processing, transmission, provision, publishing, deletion, etc.
• “Personal information handler” refers to organizations and individuals that autonomously determine handling purposes of personal information.
• “Personal information” is all kinds of information, recorded by electronic or other means, related to identified or identifiable natural persons. This does not include anonymized personal information.
• “Sensitive personal information” means personal information that, once leaked or illegally used, may easily cause harm to the dignity of natural persons grave harm to personal or property security, including information on biometric characteristics, religious beliefs, specially-designated status, medical health, financial accounts, individual location tracking, etc., as well as the personal information of minors under the age of 14.
• “Automated decision-making” refers to the use of computer programs to automatically analyze or assess individual behaviors and habits, interests and hobbies, or situations relating to finance, health, or credit status, etc., and engage in decision-making activities.

Legal Basis of Processing Under the PIPL

The PIPL provides seven legal basis for the processing of personal information. These legal basis are:

• Individual’s consent;
• Performance or fulfilling a contract;
• Necessary to fulfill statutory obligations (legal obligations);
• Necessary to respond to sudden public health incidents or protect individuals’ lives and health, or the security of their property in emergencies;
• News reporting, public opinion supervision, and other such activities for the public interest;
• Personal information publicly disclosed by an individual or other legally disclosed information;
• Other circumstances provided in Chinese laws and administrative regulations.

Consent Obligations Under the PIPL

Where data processing is based on an individual’s consent, the PIPL requires the consent to be clear, voluntary, and well-informed. Following are specific consent requirements for certain situations:

• Specific opt-in consent is required for the processing of sensitive personal information;
• Specific consent is required for the disclosure of personal information;
• Personal information handlers handling already disclosed personal information, where there is a major impact on individual rights and interests, shall obtain personal consent;
• Collected personal images and personal distinguishing identity characteristic information can only be used for the purpose of public security. If personal information handlers want to use it for other purposes, they are required to collect separate consent from individuals; and
• Parental consent is required for the processing of personal information of children below the age of 14.

Individuals also have the right to withdraw consent. Personal information handler shall not refuse to provide products or services on the basis that an individual does not consent to the processing of personal information or withdraws his/her consent, except in those situations where the processing of personal information is “necessary” for the provision of products or services.

Privacy Notice Requirements under the PIPL

Personal information handlers must provide individuals an explicit privacy notice “before handling” of their personal information. This notice should include relevant information including the identity and contact method of the personal information handler, any subsequent third party handlers, the purpose and methods of personal information handling, the categories of handled personal information, the retention period, and procedures for individuals to exercise their individual rights under the PIPL.

Obligations of Personal Information Handlers

1. Data Protection Program:

As per the obligation set out under the Chapter V of the PIPL, personal information handlers should have a data protection program in place. The PIPL also provides a non-exhaustive list of specific program measures, such as:

• Implement classified management system of personal information
• Formulate internal management structures and operating rules
• Regular compliance audits and privacy impact assessments
• Adoption of corresponding technical security measures such as encryption, de-identification, etc
• Employee Awareness & Training
• Individual rights request mechanism
• Security Breach Response and reporting requirements

2. Personal Information Protection Officers:

Personal information handlers are required to appoint Personal Information Protection Officers ( also called DPOs) in specific situations, depending on the volume of personal information processed. Personal information handlers shall disclose the methods of contacting DPO and report the names of the officers and contact methods to the departments fulfilling personal information protection duties and responsibilities.
Personal information handlers outside the borders of China are required to establish a dedicated entity or appoint a representative within the borders of China to be responsible for matters related to the personal information they handle. Such entities must provide the name and contact method of the representative to the relevant departments responsible for implementing the PIPL.

3. Personal Information Protection Assessments & Audits

Personal information handlers must conduct a personal information protection impact assessment before the processing in one of the following scenarios:

• Handling sensitive personal information;
• Using personal information to conduct automated decision-making;
• Entrusting personal information handling, providing personal information to other personal information handlers, or disclosing personal information;
• Providing personal information abroad;
• Other personal information handling activities with a major influence on individuals.

The content of the personal information protection impact assessment shall include:

• Whether or not the personal information handling purpose, handling method, etc., are lawful, legitimate, and necessary;
• The impact on individual’s rights and interests, and the security risks; and
• Whether protective measures undertaken are legal, effective, and suitable to the degree of risk.

Personal information protection impact assessment reports and handling status records shall be preserved for at least three years.

Moreover, as per the Personal Information Protection Compliance Audit Management Measures, personal information processors managing data of over 10 million individuals must conduct audits every two years. They are obligated to cooperate with the audit, correct any identified issues, and report to the relevant authorities. If processing information of more than 1 million individuals, the personal information processors shall designate a person responsible for audits. In cases of significant risks or large-scale data breaches, audits can be performed by specialized organizations.

4. Security Breach Mechanism and Notifications:

In the event of a security breach, the PIPL requires entities to take “immediate” remediation actions and notify the relevant agency and affected individuals. Where adopted measures can effectively avoid security breach harms, personal information handlers do not have to notify individuals.

Furthermore, the Data Security Regulations emphasize breach prevention and incident response. There is a 24-hour requirement for notification of breaches impacting national security or public interest.

5. Requirements of Entrusted Parties (Third Parties Processors)

If personal information handlers engage entrusted parties for the handling of personal information, they are required to conclude an agreement with the entrusted parties on the purpose for entrusted handling, the time limit, the handling method, categories of personal information, protection measures, as well as the rights and duties of both sides, etc., and conduct supervision of the personal information handling activities of the entrusted person.

Entrusted parties shall handle personal information according to the agreement, and are required to take necessary measures to safeguard the security of the personal information they handle and assist personal information handlers in fulfilling the obligations provided in the PIPL.

6. Specific Obligations for Internet Platform Services:

The PIPL requires personal information handlers that provide internet platform services to a “large” number of users and have complex business models to:

1. Establish and complete personal information protection compliance structures;
2. Establish an independent body to supervise personal information handling;
3. Follow the principles of openness, fairness, and justice;
4. Immediately cease their service offerings when in serious violation of the law; and

Regularly publish reports on the social responsibility of personal information handling.

Cross Border Transfers of Personal Information

For the cross-border transfer of personal information, personal information handlers must provide notices to individuals explaining the details of the transfer, and obtain their specific consent for the transfer of their personal information. It also imposes an obligation on personal information exporters to ensure data protection standards are met after transfer.

Personal information handlers are also required to meet one of the following conditions:

1. Passing a security assessment organized by the CAC and informatization department (this requirement is for the operators of Critical Information Infrastructure and organizations that transfer personal organization of more than one million individuals or sensitive personal information of more than 10,000 individuals; or
2. Undergoing personal information protection certification conducted by a specialized body according to provisions by the CAC and informatization department (this is a requirement for organizations that transfer personal information of between 100,000 and one million individuals; or sensitive PI of less than 10,000 individuals); or
3. Concluding a contract with the foreign receiving side in accordance with a standard contract formulated by the cyberspace and information department, agreeing upon the rights and responsibilities of both sides (this is a requirement for organizations that transfer personal information of between 100,000 and one million individuals; or sensitive PI of less than 10,000 individuals); or
4. Other conditions provided in laws or administrative regulations or by the State cybersecurity and information department.

The thresholds have been added by the Regulations on Promoting and Standardizing the Cross-border Flow of Data. These regulations grant also exemptions from security assessments for data transfers related to trade, transport, academia, non-important or non-personal business data, contractual obligations, employee management, and emergencies

Furthermore, the Data Security Regulations expand on the relaxations by introducing additional legal bases for cross-border data transfers. In addition to the existing three mechanisms, businesses may now rely on the following justifications:

• transfers necessary for contract signing or performance;
• transfers of employee data necessary for cross-border human resources management;
• emergency situations;
• transfers necessary for performing mandatory duties; or
• transfers permitted under other laws and regulations.

It’s also important to note that operators of Critical Information Infrastructure and entities that transfer a large volume of personal information must locally store personal information collected in China and undergo a security assessment to transfer if necessary. The PIPL also explicitly allows the cross-border transfer of personal information when treaties or international agreements are in place.

If it is necessary to transfer personal information outside of China for international judicial assistance or administrative law enforcement, personal information handlers must file an application with the relevant competent authority for approval.

Automated Decision Making

For the automated decision making, the PIPL prescribes the following strict requirements for the personal information handlers:

• Personal information handlers must guarantee transparency, fairness, and reasonability of the result of automated decision-making.
• Personal information handlers should not engage in unreasonable differential treatment of individuals in trading conditions and specifically prohibits price discrimination through automated decision-making.
• If using automated decision-making for targeted marketing offerings, personal information handlers should provide an option for individuals to receive information not based on personal characteristics or offer a convenient method of refusal.

Regulatory Authority and Enforcement

The PIPL does not create an independent regulatory authority to oversee its compliance. The Cyberspace Administration of China is the primary body responsible for data protection enforcement, but there are several other state council departments that may also regulate the PIPL.

Non-compliance involves unlawfully processing personal information or failure to adopt proper necessary security protection measures in accordance with further regulations. The departments fulfilling data protection duties may order a correction, confiscate unlawful income, and issue a warning. The PIPL prescribes the following penalties for violations and non-compliance:

• An organization that refuses to correct the violations may be subject to baseline fines of up to 1 million RMB.
• If the violation is considered serious, the fine may be increased up to 50 million RMB or 5% of the organization’s annual revenue for the prior financial year.
• The personnel who are directly responsible for the personal information processing may be fined up to RMB 1 million.
• The PIPL also provides a private right of action to individuals.

How Securiti Can Help

Global privacy regulations are encouraging organizations to be responsible custodians of their consumers' data and automate privacy and security operations. In order to operationalize compliance, organizations need to incorporate robotic automation in order to keep up with the current digital landscape. Several organizations offer software that helps companies comply with global privacy regulations, but these solutions have been restricted to mainly process-driven tasks or rudimentary data-driven functions.
Securiti combines reliability, intelligence, and simplicity, working on the PrivacyOps framework to allow end-to-end automation for organizations. Securiti can help you stay compliant with the PIPL, as well as other privacy and security regulations all over the world. See how it works. Request a demo today.