Overview of Personal Information Protection Law of the People's Republic of China

China has passed a comprehensive data protection law that is considered to be on par with other major global data privacy laws such as the GDPR and CCPA. The Personal Information Protection Law (the “PIPL”) is China’s primary data protection law that aims to:

  1. Protect the rights and interests of individuals;
  2. Regulate personal information processing activities;
  3. Safeguard the lawful and “orderly flow” of data; and
  4. Facilitate reasonable use of personal information.

The PIPL will go into effect on November 1, 2021. The PIPL and China’s Data Security Law are big steps towards strengthening China’s regulatory framework for privacy and data protection.

Application Scope of the PIPL

  • The PIPL applies to organizations and individuals handling the personal information of natural persons within the borders of China.
  • The PIPL also extends its application scope to processing activities by handlers established outside of China, if one of the following circumstances is present:
    1. Where the purpose is to provide products or services to natural persons inside China’s borders;
    2. Where conducting analysis or assessment of activities of natural persons inside China’s borders;
    3. Other circumstances provided in laws or administrative regulations.

The PIPL applies to both the public and private sectors. The PIPL does not apply to natural persons handling personal information for personal or family affairs.

Key Definitions under the PIPL

  • “Personal Information Handling” includes personal information collection, storage, use, processing, transmission, provision, publishing, deletion, etc.
  • “Personal information handler” refers to organizations and individuals that autonomously determine handling purposes of personal information.
  • “Personal information” is all kinds of information, recorded by electronic or other means, related to identified or identifiable natural persons. This does not include anonymized personal information.
  • “Sensitive personal information” means personal information that, once leaked or illegally used, may easily cause harm to the dignity of natural persons or grave harm to personal or property security, including information on biometric characteristics, religious beliefs, specially-designated status, medical health, financial accounts, individual location tracking, etc., as well as the personal information of minors under the age of 14.
  • “Automated decision-making” refers to the use of computer programs to automatically analyze or assess individual behaviors and habits, interests and hobbies, or situations relating to finance, health, or credit status, etc., and engage in decision-making activities.

Personal Information Processing Principles under the PIPL

Accuracy

The handling of personal information shall ensure the quality of personal information, and avoid adverse effects on individual rights and interests from inaccurate or incomplete personal information.

Accountability and Security

Personal information handlers shall bear responsibility for their personal information handling activities, and adopt the necessary measures to safeguard the security of the personal information they handle.

Purpose Limitation

Personal information handling shall have a clear and reasonable purpose, and the handling shall be directly related to that purpose.

Collection Limitation

The collection of personal information shall be limited to the purpose of personal information handling (data minimization).

Openness and Transparency

The principles of openness and transparency shall be observed in the handling of personal information, disclosing the rules for handling personal information, and clearly indicating the purpose, method, and scope of handling.

Lawfulness and Necessity

The principles of lawfulness, propriety, necessity, and sincerity shall be observed for personal information handling.

Legal Basis of Processing Under the PIPL

The PIPL provides seven legal bases for the processing of personal information. These legal bases are:

  • Individual’s consent;
  • Performance or fulfilment of a contract;
  • Necessary to fulfill statutory obligations (legal obligations);
  • Necessary to respond to sudden public health incidents or protect individuals’ lives and health, or the security of their property in emergencies;
  • News reporting, public opinion supervision, and other such activities for the public interest;
  • Personal information publicly disclosed by an individual or other legally disclosed information;
  • Other circumstances provided in Chinese laws and administrative regulations.

Consent Obligations Under the PIPL

Where data processing is based on an individual’s consent, the PIPL requires the consent to be clear, voluntary, and well-informed. Following are specific consent requirements for certain situations:

  • Specific opt-in consent is required for the processing of sensitive personal information;
  • Specific consent is required for the disclosure of personal information;
  • Personal information handlers handling already disclosed personal information, where there is a major impact on individual rights and interests, shall obtain personal consent;
  • Collected personal images and personal distinguishing identity characteristic information can only be used for the purpose of public security. If personal information handlers want to use it for other purposes, they are required to collect separate consent from individuals; and
  • Parental consent is required for the processing of personal information of children below the age of 14.

Individuals also have the right to withdraw consent. Personal information handlers shall not refuse to provide products or services on the basis that an individual does not consent to the processing of personal information or withdraws his/her consent, except in those situations where the processing of personal information is “necessary” for the provision of products or services.

Privacy Notice Requirements under the PIPL

Personal information handlers must provide individuals an explicit privacy notice “before handling” of their personal information. This notice should include relevant information including the identity and contact method of the personal information handler, any subsequent third party handlers, the purpose and methods of personal information handling, the categories of handled personal information, the retention period, and procedures for individuals to exercise their individual rights under the PIPL.

Individuals’ Rights Under the PIPL

All individuals may invoke the following rights (Data Subject Rights, “DSR”) by sending a request to the personal information handler. These rights can be exercised under certain situations and also have limitations:

Information, Limit, Objection

Individuals have the right to know, decide, refuse, and limit the handling of their personal information by others unless laws or regulations stipulate otherwise.

Access

Individuals have the right to access and copy their personal information in a timely manner, except when the laws and regulations require confidentiality.

Rectification

Individuals have the right to correct or complete inaccurate personal information in a timely manner.

Explanation

Individuals have the right to request that handlers explain their personal information handling rules.

Deletion

Individuals have the right to deletion of their personal information if (i) the agreed retention period has expired, or the handling purpose has been achieved; (ii) the personal information handler ceases the provision of services; (iii) the individual rescinds consent where the processing of personal information was based on the individual’s consent; or (iv) the information is handled in violation of laws, regulations, or agreements.

Port

Individuals can request that a personal information handler transfer their personal information to another personal information handler. Specific conditions for porting data will be determined by the State cybersecurity and informatization department.

  • Time period to fulfill a DSR request: The PIPL provides that personal information handlers shall fulfill the DSR requests in a timely manner. It does not provide the specific timeline and extension period requirements.
  • Denial of a DSR request: If personal information handlers reject a DSR request, then they are required to explain the reason for doing so. Individuals may file a lawsuit with a People's Court according to the law to challenge the rejection of their DSR requests.
  • DSR mechanism: The PIPL requires that personal information handlers shall establish mechanisms to accept and process requests from individuals to exercise their rights.
  • Inherited Rights: All DSRs extend beyond an individual’s death and can be exercised by the next of kin of the decedent unless otherwise arranged by the decedent during their lifetime.

Obligations of Personal Information Handlers

1. Data Protection Program:

As per the obligation set out under the Chapter V of the PIPL, personal information handlers should have a data protection program in place. The PIPL also provides a non-exhaustive list of specific program measures, such as:

  • Implement a classified management system for personal information
  • Formulate internal management structures and operating rules
  • Regular compliance audits and privacy impact assessments
  • Adoption of corresponding technical security measures such as encryption, de-identification, etc.
  • Employee awareness and training
  • Individual rights request mechanism
  • Security breach response and reporting requirements

2. Personal Information Protection Officers:

Personal information handlers are required to appoint Personal Information Protection Officers (also called DPOs) in specific situations, depending on the volume of personal information processed. Personal information handlers shall disclose the methods of contacting the DPO and report the names of the officers and their contact methods to the departments fulfilling personal information protection duties and responsibilities.
Personal information handlers outside the borders of China are required to establish a dedicated entity or appoint a representative within the borders of China to be responsible for matters related to the personal information they handle. Such entities must provide the name and contact method of the representative to the relevant departments responsible for implementing the PIPL.

3. Personal Information Protection Assessment:

Personal information handlers must conduct a personal information protection impact assessment before the processing in the following scenarios:

  • Handling sensitive personal information;
  • Using personal information to conduct automated decision-making;
  • Entrusting personal information handling, providing personal information to other personal information handlers, or disclosing personal information;
  • Providing personal information abroad;
  • Other personal information handling activities with a major influence on individuals.

The content of the personal information protection impact assessment shall include:

  • Whether or not the personal information handling purpose, handling method, etc., are lawful, legitimate, and necessary;
  • The impact on individual’s rights and interests, and the security risks; and
  • Whether protective measures undertaken are legal, effective, and suitable to the degree of risk.

Personal information protection impact assessment reports and handling status records shall be preserved for at least three years.

4. Security Breach Mechanism and Notifications:

In the event of a security breach, the PIPL requires entities to take “immediate” remediation actions and notify the relevant agency and affected individuals. Where adopted measures can effectively avoid security breach harms, personal information handlers do not have to notify individuals.

5. Requirements of Entrusted Parties (Third-Party Processors):

If personal information handlers engage entrusted parties for the handling of personal information, they are required to conclude an agreement with the entrusted parties on the purpose of the entrusted handling, the time limit, the handling method, the categories of personal information, the protection measures, and the rights and duties of both sides, etc., and to supervise the personal information handling activities of the entrusted party.

Entrusted parties shall handle personal information according to the agreement, and are required to take necessary measures to safeguard the security of the personal information they handle and assist personal information handlers in fulfilling the obligations provided in the PIPL.

6. Specific Obligations for Internet Platform Services:

The PIPL requires personal information handlers that provide internet platform services to a “large” number of users and have complex business models to:

  1. Establish and complete personal information protection compliance structures;
  2. Establish an independent body to supervise personal information handling;
  3. Follow the principles of openness, fairness, and justice;
  4. Immediately cease their service offerings when in serious violation of the law; and
  5. Regularly publish reports on the social responsibility of personal information handling.

Cross-Border Transfers of Personal Information

For the cross-border transfer of personal information, personal information handlers must provide notices to individuals explaining the details of the transfer, and obtain their specific consent for the transfer of their personal information. The PIPL also imposes an obligation on personal information exporters to ensure that data protection standards are met after the transfer.
Personal information handlers are also required to meet one of the following conditions:

  • Passing a security assessment organized by the State cybersecurity and informatization department (related to operators of Critical Information Infrastructure and organizations that transfer a large volume of personal information);
  • Undergoing personal information protection certification conducted by a specialized body according to provisions by the State cybersecurity and informatization department;
  • Concluding a contract with the foreign receiving side in accordance with a standard contract formulated by the cyberspace and informatization department, agreeing upon the rights and responsibilities of both sides;
  • Other conditions provided in laws or administrative regulations or by the State cybersecurity and informatization department.

Operators of Critical Information Infrastructure and entities that transfer a large volume of personal information must locally store personal information collected in China and, where a transfer is necessary, undergo a security assessment before transferring it. The PIPL also explicitly allows the cross-border transfer of personal information when treaties or international agreements are in place.

If it is necessary to transfer personal information outside of China for international judicial assistance or administrative law enforcement, personal information handlers must file an application with the relevant competent authority for approval.

Automated Decision Making

For automated decision-making, the PIPL prescribes the following strict requirements for personal information handlers:

  • Personal information handlers must guarantee transparency, fairness, and reasonability of the result of automated decision-making.
  • Personal information handlers must not engage in unreasonable differential treatment of individuals in trading conditions; the PIPL specifically prohibits price discrimination through automated decision-making.
  • If using automated decision-making for targeted marketing offerings, personal information handlers should provide an option for individuals to receive information not based on personal characteristics or offer a convenient method of refusal.

Regulatory Authority and Enforcement

The PIPL does not create an independent regulatory authority to oversee its compliance. The Cyberspace Administration of China is the primary body responsible for data protection enforcement, but several other State Council departments may also enforce the PIPL.

Non-compliance includes unlawfully processing personal information or failing to adopt the necessary security protection measures in accordance with further regulations. The departments fulfilling data protection duties may order a correction, confiscate unlawful income, and issue a warning. The PIPL prescribes the following penalties for violations and non-compliance:

  • An organization that refuses to correct the violations may be subject to baseline fines of up to 1 million RMB.
  • If the violation is considered serious, the fine may be increased up to 50 million RMB or 5% of the organization’s annual revenue for the prior financial year.
  • The personnel who are directly responsible for the personal information processing may be fined up to RMB 1 million.
  • The PIPL also provides a private right of action to individuals.

How Securiti Can Help

Global privacy regulations are encouraging organizations to be responsible custodians of their consumers' data and automate privacy and security operations. In order to operationalize compliance, organizations need to incorporate robotic automation in order to keep up with the current digital landscape. Several organizations offer software that helps companies comply with global privacy regulations, but these solutions have been restricted to mainly process-driven tasks or rudimentary data-driven functions.
Securiti combines reliability, intelligence, and simplicity, working on the PrivacyOps framework to allow end-to-end automation for organizations. Securiti can help you stay compliant with the PIPL, as well as other privacy and security regulations all over the world. See how it works. Request a demo today.
