China has passed a comprehensive data protection law that is considered to be on a par with other major global data privacy laws such as the GDPR and the CCPA. The Personal Information Protection Law (the “PIPL”) is China’s primary data protection law and aims to:
The PIPL applies to both the public and private sectors. The PIPL does not apply to natural persons handling personal information for personal or family affairs.
The PIPL provides seven legal bases for the processing of personal information. These legal bases are:
Where data processing is based on an individual’s consent, the PIPL requires the consent to be clear, voluntary, and well-informed. The following are specific consent requirements for certain situations:
Individuals also have the right to withdraw consent. A personal information handler shall not refuse to provide products or services on the basis that an individual does not consent to the processing of personal information or withdraws his or her consent, except where the processing of personal information is “necessary” for the provision of those products or services.
Personal information handlers must provide individuals an explicit privacy notice “before handling” of their personal information. This notice should include relevant information including the identity and contact method of the personal information handler, any subsequent third party handlers, the purpose and methods of personal information handling, the categories of handled personal information, the retention period, and procedures for individuals to exercise their individual rights under the PIPL.
All individuals may invoke the following rights (Data Subject Rights “DSR”) by sending a request to the personal information handler. These rights can be exercised under certain situations and also have limitations:
As per the obligation set out under the Chapter V of the PIPL, personal information handlers should have a data protection program in place. The PIPL also provides a non-exhaustive list of specific program measures, such as:
Personal information handlers are required to appoint personal information protection officers (also called DPOs) in specific situations, depending on the volume of personal information processed. Personal information handlers shall disclose the methods of contacting the DPO and report the names of the officers and their contact methods to the departments fulfilling personal information protection duties and responsibilities.
Personal information handlers outside the borders of China that fall within the PIPL’s extraterritorial scope are required to establish a dedicated entity or appoint a representative within the borders of China to be responsible for matters related to the personal information they handle. They must provide the name and contact method of that entity or representative to the relevant departments responsible for implementing the PIPL.
Personal information handlers must conduct a personal information protection impact assessment before the processing in the following scenarios:
The content of the personal information protection impact assessment shall include:
Personal information protection impact assessment reports and handling status records shall be preserved for at least three years.
In the event of a security incident in which personal information has been or may be leaked, distorted, or lost, the PIPL requires personal information handlers to take “immediate” remediation actions and notify the relevant department and the affected individuals. Where the measures adopted can effectively avoid harm from the incident, personal information handlers do not have to notify individuals, although the relevant department may still require them to do so if it considers that harm may result.
If personal information handlers engage entrusted parties for the handling of personal information, they are required to conclude an agreement with the entrusted parties on the purpose for entrusted handling, the time limit, the handling method, categories of personal information, protection measures, as well as the rights and duties of both sides, etc., and conduct supervision of the personal information handling activities of the entrusted person.
Entrusted parties shall handle personal information according to the agreement, and are required to take necessary measures to safeguard the security of the personal information they handle and assist personal information handlers in fulfilling the obligations provided in the PIPL.
The PIPL requires personal information handlers that provide internet platform services to a “large” number of users and have complex business models to:
For the cross-border transfer of personal information, personal information handlers must provide notices to individuals explaining the details of the transfer (including the overseas recipient, the purpose and method of handling, and the categories of personal information involved) and obtain their separate consent for the transfer. The PIPL also obliges the personal information handler to ensure that the overseas recipient’s handling activities meet the protection standards prescribed by the PIPL after the transfer.
Personal information handlers are also required to meet one of the following conditions:
Operators of critical information infrastructure and personal information handlers whose processing volume reaches the threshold set by the Cyberspace Administration of China must store personal information collected within China domestically and, where transfer abroad is truly necessary, pass a security assessment organized by the Cyberspace Administration of China. The PIPL also explicitly allows the cross-border transfer of personal information under the conditions set out in any treaties or international agreements that China has concluded or acceded to.
If it is necessary to transfer personal information outside of China for international judicial assistance or administrative law enforcement, personal information handlers must file an application with the relevant competent authority for approval.
For automated decision-making, the PIPL prescribes the following strict requirements for personal information handlers:
The PIPL does not create an independent regulatory authority to oversee compliance. The Cyberspace Administration of China is the primary body responsible for data protection enforcement, but several other State Council departments may also enforce the PIPL within their respective remits.
Non-compliance includes unlawfully processing personal information or failing to adopt the necessary security protection measures required by the PIPL and its implementing regulations. The departments fulfilling data protection duties may order a correction, confiscate unlawful income, and issue a warning. The PIPL prescribes the following penalties for violations and non-compliance:
Global privacy regulations are pushing organizations to be responsible custodians of their consumers’ data and to automate privacy and security operations. To operationalize compliance, organizations need to incorporate robotic automation in order to keep up with the current digital landscape. Several vendors offer software that helps companies comply with global privacy regulations, but these solutions have mostly been restricted to process-driven tasks or rudimentary data-driven functions.
Securiti combines reliability, intelligence, and simplicity, working on the PrivacyOps framework to allow end-to-end automation for organizations. Securiti can help you stay compliant with the PIPL, as well as other privacy and security regulations all over the world. See how it works. Request a demo today.