On August 20, 2021, China’s 13th Standing Committee of the National People’s Congress passed the Personal Information Protection Law (the “PIPL”). As we previously reported, the PIPL is China’s first comprehensive data protection law. It is modeled, in part, on other jurisdictions’ omnibus data protection regimes, including the EU General Data Protection Regulation (“GDPR”). The PIPL will become effective on November 1, 2021. Below are some of the key provisions under the PIPL.
Application of the PIPL
The PIPL will govern personal information processing activities carried out by entities or individuals within China. In addition, similar to the GDPR, the PIPL will apply to an entity’s processing activities conducted outside of China, and therefore to entities not established in China, if the entity processes personal information about individuals located in China in the context of (1) offering goods or services to individuals in China, or (2) analyzing and evaluating the behavior of individuals in China.
Personal Information Processing Framework
The PIPL establishes a comprehensive framework governing the processing of personal information. As with the GDPR, the law requires companies to abide by certain data protection principles, including data minimization and purpose limitation. The PIPL also requires covered entities to provide notice to data subjects that complies with the law’s prescribed content requirements.
In addition, much like the GDPR, the PIPL requires a legal basis to process personal information, but the legal bases available under the PIPL are narrower than those available under the GDPR. Under the PIPL, “notice and consent” is the primary legal basis for lawful processing. As such, individual consent likely will be the primary legal basis on which companies rely. There are exceptions to when notice and consent is necessary, depending on the complexity and circumstances of the personal information processing activity. For example, entities may process personal information without first obtaining consent where necessary to conclude or perform a contract. In addition, entities may process personal information without first obtaining consent where necessary for human resource purposes.
Notably, regardless of the available legal basis for processing, separate consent is required in the following circumstances:
-
the disclosure of personal information to a third party;
-
the processing of “sensitive” personal information; and
-
the transfer of personal information outside of China.
The PIPL also specifies rules regulating specific types of processing activities (e.g., joint processing, data processing by third parties such as vendors, data sharing, the publication of personal information, and automated decision-making), as well as rules applicable to different types of data, such as “sensitive” personal information. In addition, the PIPL prohibits data-enabled price discrimination against existing customers.
Security Assessments and Transfers of Personal Information Outside of China
Under the PIPL, critical information infrastructure (“CII”) operators and entities that process a certain volume of personal information exceeding an amount to be determined by the Cyberspace Administration of China (“CAC”) must (1) store locally in China the personal information they collect and generate in China and (2) pass a government security assessment to the extent they seek to transfer personal information outside of China. As noted above, all entities, including CII operators, also must obtain specific consent from individuals prior to transferring their data outside of China.
Data Subject Rights and Data Processor Obligations
As we previously reported regarding an earlier draft, the PIPL provides a number of data subject rights, including rights of access, correction, and deletion of personal information. Most of the data processor obligations in the final version of the PIPL are similar to those provided under the second draft of the PIPL.
Authorities Protecting Personal Information
Various authorities, including the CAC, relevant departments of the State Council, and local government departments at our above the county level, will have supervisory, planning, coordinating, and administrative responsibilities under the PIPL. Penalties for serious violations of the PIPL include fines for just under 50 million RMB or 5% of an entity’s revenue in the prior year.