On August 20, 2021, the Standing Committee of the National People’s Congress of the People’s Republic of China passed the Personal Information Protection Law (“PIPL”) of the People’s Republic of China, which will come into effect on November 1, 2021.
In this article, we will summarize the most important provisions in the PIPL, which is divided into eight different chapters.
- Application of the PIPL: As in the General Data Protection Regulation (“GDPR”), the PIPL has extraterritorial reach over certain processing activities carried out outside China and concerning data subjects located in China. The PIPL will apply when the purpose of the activity is to (a) provide a product or service to an individual located in China, (b) analyze or assess the behavior of an individual located in China, or (c) carry out any other activity established by law or administrative regulations. Also, foreign processors not based in China that come under the scope of the PIPL must establish a special agency or appoint a local representative in China to handle compliance-related affairs.
- Processing principles: Under the PIPL, the processing of personal information must follow the principles of lawfulness, fairness, necessity and good faith, purpose limitation and data minimization, publicity and transparency (particularly, the purpose, method and scope of the processing must be clearly indicated). Also, data processors will be held accountable for their processing activities and must take the necessary measures to ensure the security of the personal information processed.
- Lawfulness of processing: When the legal basis used is consent, the PIPL establishes that, for certain processing activities (e.g., processing sensitive personal information, providing personal information to third parties, publicizing personal information and cross-border transfers of personal information), a separate consent is required. The PIPL also regulates other legal bases for processing personal information, including the performance of a contract to which the personal information subject is a party, or when processing is necessary to implement HR management according to the labor rules and regulations and the collective bargaining agreement. Likewise, the PIPL regulates that personal information can be processed when necessary to respond to public health emergencies, and to carry out news reporting and media supervision for public interest (within a reasonable scope), as well as under other circumstances established by law or administrative regulations.
- Information to individuals: Before the processing, the data processor must provide certain information, including the name or title of the data processor and its contact information, the processing purpose and methods, types of personal information being processed and storage period, and the methods and procedures under which individuals can exercise their rights under the PIPL. We highlight that when sensitive personal information is involved, the data processor must indicate the reason for processing that information and the impact of the processing on the individual’s rights and interests.
- Data processor’s obligations: The PIPL establishes the following obligations for data processors: drafting internal management policies and procedures; implementing security measures, such as encryption and de-personalization; and implementing response plans for personal information security incidents.
- Cross-border transfer of personal information: For the transfer of personal information overseas for business needs, the PIPL establishes certain requirements (at least one of which must be met), including passing the security assessment organized by the Cyberspace Administration of China (“CAC”), obtaining a personal information protection certification from a professional agency, entering into a contract with the overseas recipient following the standard contract drafted by CAC (which has not yet been issued) and meeting other obligations under laws or administrative regulations that CAC may apply.
- Other requirements: Similar to the GDPR, the PIPL also imposes the obligation to conduct a privacy impact assessment in certain circumstances and specific obligations on certain types of businesses, including critical information infrastructure operators and data processors whose data processing reaches the threshold established by CAC (this has yet to be defined), which will have to meet additional obligations, such as the appointment of a data protection officer.
Lastly, as the PIPL only provides an exemption for the processing of data concerning personal and household affairs, for now, the obligations under the PIPL apply to all data processors regardless of their size. Thus, small businesses must also be aware of the new obligations introduced by the PIPL. However, the principles regulated under this new law are high level, and we will be carefully watching its implementation and any developments.
Authors: Jane Jin and Ivette Pardo