On Aug. 20, 2021, after two rounds of public comments on Chinaâs draftÂ Personal Information Protection LawÂ (PIPL),1Â China promulgated the final version of theÂ PIPL, which takes effect Nov. 1, 2021. Together, theÂ PIPL,Â Cybersecurity LawÂ (which came into force June 1, 2017) andÂ Data Security LawÂ (which came into force Sept. 1, 2021) now form the fundamental legal framework that governs data security and processing of personal information (PI) and non-personal information. TheÂ PIPLÂ harmonizes theÂ Cybersecurity LawÂ andÂ Data Security Law2Â by incorporating well-recognized data protection principles, including obtaining express and informed consent before collecting the individualsâ information; implementing a classified data protection system (with the introduction of enhanced protection for âsensitive personal informationâ); and setting a default rule for the âcritical information infrastructure operatorsâ (CIIOs) and processors dealing with large amounts of PI they have collected or generated to store within China. TheÂ PIPLÂ authorizes the Cyberspace Administration of China (CAC) to lead overall planning and coordination of PI protection and the relevant supervisory and regulatory work. This GT Alert summarizes theÂ PIPL.
Territorial Scope of theÂ PIPL
TheÂ PIPLÂ applies to all processing activities carried out in China, and has extraterritorial application to overseas processing of the PI of individuals located in China (where the purpose of such activities is to provide a product or service to such individuals), or to analyzing or assessing the behavior of such individuals (Article 3). The processors covered by the extraterritorial application of theÂ PIPLÂ must establish a specialized agency or designate a representative in China to handle the matters related to the protection of PI, and the name of such agency or the information (including the name and contact information) of such representative must be registered with the competent authorities (Article 53).
If the PI rights and interests of any citizen of China are infringed, or the national security or public interests of China are endangered by any overseas organization or individual, the CAC may take measures against such overseas organization or individual, including blacklisting, restricting, or prohibiting such overseas organization or individual from receiving the PI (Article 42).
TheÂ PIPLÂ adopts a similar approach as that of theÂ Data Security Law, by introducing reciprocal measures against any country or region that takes any discriminatory prohibition, restriction, or any other measures against China. However, theÂ Data Security LawÂ limits the applicable scope of such discriminatory measures to data and data development and use technology, while theÂ PIPLÂ sets the relevancy to PI protection (Article 43).
PI and Enhanced Protection for Sensitive PI
Excluding information that has been anonymized, âpersonal informationâ under theÂ PIPLÂ refers to any kind of information related to an identified or identifiable natural person, recorded electronically or otherwise. âProcessingâ includes the collection, storage, use, transmission, provision, disclosure, and deletion of PI (Article 4). PI processing activities must follow the basic principles of lawfulness, legitimacy, necessity, and good faith (without misleading, fraud, or coercion); openness and transparency (with the rules, purpose, method and scope of processing activities disclosed); direct and specific relevance; minimum impact on personal rights and interests; minimum necessary scope of collection; quality assurance (avoiding inaccuracy and incompleteness; and prohibition against illegality (prohibiting illegal sale, provision, or publication; and prohibiting activities endangering national security and public interest) (Articles 5, 6, 7, 8 and 10).
TheÂ PIPLÂ defines âsensitive personal informationâ as biometrics, religious beliefs, specific identities, medical and health, financial accounts, whereabouts and other information, as well as any PI of a minor under the age of 14 (Article 28). PI processors may process sensitive PI only with a specific purpose and sufficient necessity, and with strict protection measures taken (including the in-advance impact assessment (the record for which must be kept for at least three years), record-keeping of the processing activities, informing the individual of the necessity and impact on personal rights and interests, and a separate consent obtained from the individual) (Articles 29, 30 and 56). Special rules must be formulated by processors for processing the PI of minors under the age of 14 (Article 31).
Consent and Separate Consent
Informed âconsentâ as the general legal basis for processing of PI must be made by individuals voluntarily and expressly (Article 14). TheÂ PIPLÂ provides exceptions where consent is not required, including where necessary to conclude or perform a contract (with the individual as a party), necessary for certain human resource management purposes, necessary for performing legal duties or obligations, or necessary for responding to a public health emergency or protection of life, etc. (Article 13).
Separate consent must be obtained from individuals prior to information transfer, where the original PI processor transfers the PI it processed to other processors, and the individuals must be informed as to the details of other processors (including the name and contact information of the recipient, the purpose and method of processing, and the type of PI) (Article 23). Outbound transfers of PI additionally require the processor to inform the individuals of the methods and procedures for the individuals to exercise their rights under theÂ PIPLÂ against the overseas recipient (Article 39). Separate consent is also required for the public disclosure of any PI processed by the processors (Article 25) and as mentioned above, for the processing of sensitive PI (Article 29).
In response to the specific privacy challenges brought by the mass adoption of surveillance cameras and artificial intelligence in modern cities in China, theÂ PIPLÂ requires any image capturing or personal identification equipment installed in a public place to be necessary to maintain public security, and with prominent reminders visible. The personal images and identification information collected from the equipment may only be used to maintain public security, except when separate consent is obtained from individuals (Article 26).
TheÂ PIPLÂ defines âautomated decision-makingâ as analysis or assessment as well as automatic decision-making of personal behavior and habits, interests and hobbies, financial, health or credit status or other information through a computer program (Article 73). The processors using PI for automated decision-making must ensure the transparency of the decision-making and fairness and impartiality of the results, and the automated decision-making must not be used to impose unreasonable differential treatment on individuals in terms of transaction prices and other transaction conditions. If the automated decision-making is used for commercial marketing or information pushing to individuals, processors must provide individuals with options that are not based on the individualsâ personal characteristics, or convenient methods for the individuals to refuse such commercial marketing or information pushing. In addition, theÂ PIPLÂ allows individuals to have the right to request processors to give explanations or refuse to accept the processors making decisions solely based on automated decision-making, if such decisions have a major impact on the individualsâ rights and interests. (Article 24).
Designation of Data Protection Officer
TheÂ PIPLÂ requires the designation of a data protection officer (DPO) as the responsible person to supervise PI processing activities and protection measures taken by certain processors,Â i.e., those processing PI at a volume that exceeds the threshold to be specified by the CAC. The contact information of the DPO must be disclosed to the public, and the details of the DPO (including name and contact information) must be registered with the relevant authorities (Article 52).
Stricter Requirements on Critical Internet Platform Service Providers
Faced with technology innovation and significant growth of tech giants in China, theÂ PIPLÂ imposes stricter requirements on the critical internet platform service providers that have a large user base and operate complex types of business. Such internet platform service providers must (i) establish a comprehensive PI-protection compliance policy and system, and form an independent supervision team mainly composed of external members, (ii) formulate platform rules to specify the standards for PI processing and the obligations of PI protection, by following the principles of openness, fairness, and impartiality, (iii) cease to provide the service to those in-platform product or service providers that seriously violate the applicable laws or administrative regulations in processing PI, (iv) regularly publish a report on the social responsibility for PI protection, and accept public supervision (Article 58).
Cross-Border Transfer of PI
The cross-border (outbound in particular) transfer of PI required for business or other needs is permitted under theÂ PIPLÂ only if one of the following conditions is satisfied: (i) passing the security assessment organized by the CAC, (ii) obtaining the accreditation from the professional agency appointed by the CAC, (iii) executing with the overseas recipient the standard agreements approved by the CAC (which set out each partyâs respective rights and obligations), (iv) any other conditions prescribed by the law and administrative regulations or set by the CAC. In addition, the PI processor must ensure the processing activities carried out by the overseas recipient meet theÂ PIPLâsÂ protection standards (Article 38).
Generally, the PI collected and generated in China by the CIIOs or the PI processors that process PI reaching certain volumes (as determined by the CAC), must be stored within China. If it is necessary to provide such information to an overseas recipient, passing the security assessment organized by the CAC will serve as a green light for the cross-border transfer of PI (Article 40). The same rule applies to the PI processed by the national authorities (which in general must be stored in China) â the CACâs security assessment organized must be passed prior to the necessary outbound provision or transfer of the PI processed by the national authorities (Article 36).
TheÂ PIPLÂ adopts a similar restriction as theÂ Data Security LawÂ for outbound data transfer upon requests of foreign judicial or law enforcement authorities, except theÂ PIPLÂ governs PI while theÂ Data Security LawÂ applies to all data (no matter if recorded in electronic or other form). Chinese authorities will handle the requests from overseas judicial or law enforcement authorities for provision of PI stored in China in accordance with applicable international treaties or agreements, or in accordance with the principles of equality and reciprocity. Without approval from the competent authorities, PI processors may not provide any PI stored in China to a foreign judicial or law enforcement authority (Article 41).
Legal Liabilities forÂ PIPLÂ Violations
Breach of theÂ PIPLÂ can result in three kinds of legal liability â administrative, civil, and criminal.
Administrative liability. The responsible processor may have to relinquish the illegal gains, and may be fined up to 50 million Chinese yuan or 5% of the prior yearâs annual revenue (whether the revenue refers to the global revenue or only the revenue generated in China is to be specified). The non-monetary administrative penalties include rectification orders, warnings, suspension or cessation of services, cessation of operations or revocation of permits or business licenses, and recording such violation into the credit file and disclosure to the public. In addition, the person in charge or other directly liable individual may be fined up to 1 million Chinese yuan, and prohibited from acting as a director, supervisor, senior officer or DPO at the relevant company (Article 66).
Civil liability. The responsible processor will bear the tort liability (including compensation for damages), if the rights and interests of PI are damaged by the processing activities. TheÂ PIPLÂ introduces a presumption of liability on the processor, and the burden of proof will be borne by the processor (Article 69). This emphasizes the importance of processors keeping proper records and evidence to prove the lawfulness and appropriateness of their activities. If the rights and interests of many individuals are infringed by a processor in violation of theÂ PIPL, the prosecutors, consumer organizations, and organizations designated by the CAC may take legal action against the processor (Article 70).
Criminal liability. TheÂ PIPLÂ refers to the Chinese criminal code to pursue criminal liability of the responsible parties (Article 71).
1Â SeeÂ January 2021 GT Alert, China Releases Draft Personal Information Protection Law.
2Â SeeÂ July 2021 GT Alert, China Finalizes Data Security Law.
Â©2021 Greenberg Traurig, LLP. All rights reserved. National Law Review, Volume XI, Number 265