Feature Articles on China’s Personal Information Protection Law (1) – Personal Information Protection Law Summary (Mainland China)

Karl Zhang and Teresa Huang[1]

On August 20, 2021, the Standing Committee of the National People’s Congress passed the “Personal Information Protection Law (PIPL),” which will come into effect on November 1, 2021.  Its main contents are as follows:

1. Scope and definitions

(1) Scope of Application

In addition to the processing of a natural person’s personal information within the territory of the People’s Republic of China (China), the PIPL also has some degree of extraterritorial applicability.  In particular, the PIPL extends to the processing, outside China, of the personal information of natural persons who are within China if any of the following conditions applies: (i) the processing is for the purpose of providing goods or services to natural persons within China; (ii) the processing involves analyzing or evaluating the behavior of natural persons within China; or (iii) any other circumstance stipulated by laws and administrative regulations.

(2) Personal Information’s Definition

Personal information refers to any information relating to an identified or identifiable natural person that is recorded electronically or by any other means, excluding anonymized information.  Processing of personal information includes the collection, storage, use, processing, transmission, provision, disclosure and deletion of personal information, among other activities.

2. Rules for Personal Information Processing

(1) General Rule: “Inform & Consent” Rule and Exceptions

The personal information processor (“Processor”) shall fully inform the information subject and obtain his or her explicit and voluntary consent unless any of the following circumstances applies: (i) the processing is necessary to conclude or perform a contract to which the information subject is a party, or necessary for human resource management carried out under labor rules and regulations and a collective contract concluded in accordance with law; (ii) the processing is necessary to fulfil statutory duties or statutory obligations; (iii) the processing is necessary to respond to a public health emergency or to protect the life, health or property of a natural person in an emergency; (iv) the information is processed within a reasonable scope for news reporting or public opinion supervision in the public interest; (v) the information was disclosed by the information subject or otherwise lawfully disclosed and is processed within a reasonable scope as stipulated by the PIPL; or (vi) any other circumstance stipulated by laws and administrative regulations.

Before processing personal information, the Processor shall truthfully, accurately and fully inform the information subject, in a conspicuous manner and in clear and understandable language, of the following: (i) the name and contact information of the Processor; (ii) the purpose and method of processing, the type of personal information to be processed and its retention period; (iii) the methods and procedures by which the information subject may exercise the rights provided under the PIPL; and (iv) any other matters required to be notified under laws and administrative regulations.

Processors that use personal information for automated decision-making shall ensure the transparency of the decision-making and the fairness and impartiality of its results, and shall not impose unreasonable differential treatment on individuals through pricing or other transactional terms.  Furthermore, where information or commercial marketing is pushed to individuals by means of automated decision-making, the Processor shall also offer options that are not targeted at the individual’s personal characteristics, or a convenient way for the individual to refuse such information.

(2) Rules for Processing Sensitive Personal Information

Sensitive personal information is personal information that, once leaked or unlawfully used, may easily lead to the infringement of a natural person’s dignity or harm to his or her personal or property safety.  It includes biometrics, religious beliefs, specific identity, medical and health information, financial accounts, whereabouts and tracking information, and the personal information of minors under the age of fourteen.

The information subject’s separate consent, or written consent where laws and administrative regulations so require, must be obtained before any sensitive personal information is processed.  Such information may be processed only for a specific purpose and where sufficiently necessary, and strict protective measures shall be taken.  Moreover, where the personal information of a minor under the age of fourteen is processed, the consent of a parent or other guardian must be obtained, and dedicated rules for processing such information must be established.

3. Rules for Cross-border Provision of Personal Information

(1) Cross-border Provision of Personal Information

Processors that need to provide personal information to a recipient outside China for business reasons must meet at least one of the following conditions: (i) pass the security assessment organized by the national cyberspace administration; (ii) obtain personal information protection certification from a professional institution; (iii) enter into a standard contract, in the form produced by the national cyberspace administration, with the overseas recipient; or (iv) any other condition stipulated by laws, administrative regulations or the national cyberspace administration.  Moreover, the Processor shall take the necessary measures to ensure that the overseas recipient’s processing activities meet the protection standard prescribed by the PIPL.

(2) Critical information infrastructure operators and Processors handling a significant amount of personal information

Critical information infrastructure operators, and Processors whose processing of personal information reaches the volume prescribed by the national cyberspace administration, shall store within China the personal information they collect and generate within China.  Where such information genuinely needs to be provided overseas, they must pass the security assessment organized by the national cyberspace administration, unless laws, administrative regulations or the national cyberspace administration provide otherwise.

(3) Mutual legal assistance and extraterritorial enforcement

Regarding mutual legal assistance and extraterritorial enforcement, the PIPL stipulates that personal information stored within China may not be provided to a foreign judicial or law enforcement body without the approval of the competent Chinese authorities.  In addition, the national cyberspace administration may publish a list of overseas entities that are restricted or prohibited from receiving personal information where their processing activities infringe the personal information rights and interests of Chinese citizens or endanger national security or the public interest.  Moreover, the PIPL allows China to take reciprocal measures where any country or region adopts discriminatory prohibitions, restrictions or other similar measures against China in the field of personal information protection.

4. Rights of the information subject during the information processing activity

(1) Rights to know, decide, access, copy, rectify and delete

The PIPL guarantees the information subject’s right to know about and decide on the processing of his or her personal information, to restrict or refuse such processing, and to have the information rectified, supplemented or deleted.  Furthermore, the information subject has the right to access and copy his or her personal information and to request that it be transferred to a Processor he or she designates.  Additionally, the close relatives of a deceased information subject may, on the deceased’s behalf, exercise the aforementioned rights to access, copy, rectify and delete.

(2) Circumstances where the personal information should be deleted by the Processor without request

The Processor shall, on its own initiative, delete personal information in any of the following circumstances: (i) the purpose of processing has been achieved or cannot be achieved, or the information is no longer necessary for that purpose; (ii) the Processor has ceased providing its goods or services, or the retention period has expired; (iii) the information subject withdraws consent; (iv) the Processor has processed the personal information in violation of laws, administrative regulations or the agreement with the information subject; or (v) any other circumstance stipulated by laws and administrative regulations.

5. Processor’s Obligations

(1) General Obligations

Taking into account the purpose and method of processing, the type of personal information and its impact on the rights and interests of information subjects, and the potential security risks, the Processor shall adopt measures to ensure that its processing complies with laws and administrative regulations and to prevent unauthorized access to, and the leakage, tampering or loss of, personal information.  Where personal information has been, or may have been, leaked, tampered with or lost, the Processor shall immediately take remedial measures and notify the authorities performing personal information protection duties and the affected information subjects.

(2) Person in Charge of Personal Information Protection

Processors whose processing of personal information reaches the volume prescribed by the national cyberspace administration shall appoint a person in charge of personal information protection (“Person in Charge”) to supervise processing activities and the protective measures adopted.  The Person in Charge’s contact information must be made publicly available, and his or her name and contact information must be filed with the authorities performing personal information protection duties.

(3) Special Institution or Designated Representatives of Foreign Entity

Processors outside China that fall within the scope of the PIPL shall establish a dedicated institution or designate a representative within China to handle matters relating to personal information protection, and shall file the name and contact information of that institution or representative with the authorities performing personal information protection duties.

(4) Personal Information Protection Impact Assessment

Processors shall carry out a personal information protection impact assessment in advance, and record the results of the processing, in any of the following circumstances: (i) sensitive personal information is processed; (ii) personal information is used for automated decision-making; (iii) a third party is entrusted to process personal information, personal information is provided to another Processor, or personal information is disclosed publicly; (iv) personal information is provided to a recipient outside China; or (v) any other processing activity that may have a major impact on the rights and interests of information subjects.

The personal information protection impact assessment shall cover: (i) whether the purpose and method of processing are lawful, legitimate and necessary; (ii) the impact on the rights and interests of information subjects and the security risks involved; and (iii) whether the protective measures taken are lawful, effective and commensurate with the degree of risk.  The impact assessment report and the processing records shall be retained for at least three years.

(5) Special Obligations of Processors Providing Critical Internet Platform Services

Processors that provide critical Internet platform services, have a large number of users and operate complex types of business shall perform the following obligations: (i) establish a sound personal information protection compliance system in accordance with government regulations, and set up an independent body composed mainly of external members to supervise personal information protection; (ii) follow the principles of openness, fairness and justice in formulating platform rules that expressly set out the personal information processing rules and protection obligations of the product and service providers on the platform; (iii) cease providing services to product and service providers on the platform that seriously violate laws and administrative regulations in processing personal information; and (iv) regularly publish social responsibility reports on personal information protection and accept public supervision.

6. Regulatory Department and Enforcement Measures

The national cyberspace administration is responsible for the overall planning and coordination of personal information protection work and the related supervision and management.  The relevant departments of the State Council are responsible for the supervision and management of personal information protection within their respective scopes of responsibility, in accordance with the PIPL and other relevant laws and administrative regulations.  The personal information protection supervision and management duties of the relevant departments of local people’s governments at or above the county level shall be determined in accordance with applicable national regulations.

When performing their personal information protection duties, the authorities performing personal information protection functions may take the following measures: (i) interview the parties concerned and investigate circumstances relating to personal information processing activities; (ii) consult and copy the parties’ contracts, records, account books and other materials relating to personal information processing activities; (iii) conduct on-site inspections and investigate suspected unlawful processing activities; and (iv) inspect equipment and articles related to personal information processing activities and, where there is evidence that such equipment or articles are used for unlawful processing activities, seize or seal them after a written report has been made to and approved by the principal head of the department.  When the authorities performing personal information protection duties perform their functions in accordance with law, the parties concerned shall assist and cooperate and shall not refuse or obstruct them.

7. Legal Responsibilities

In addition to the criminal, civil and administrative liability for unlawful processing of personal information provided under the Criminal Law, the Civil Code and the Public Security Administration Punishments Law, the PIPL stipulates the following legal liabilities.

Those who process personal information in violation of the PIPL or fail to fulfil their protection obligations may be ordered to rectify, given a warning and have their unlawful gains confiscated, and application programs that unlawfully process personal information may be ordered to suspend or terminate their services.  Where the Processor refuses to rectify, a fine of up to RMB 1 million may be imposed, and the persons directly in charge and other directly responsible persons may be fined between RMB 10,000 and RMB 100,000.  For serious violations, a fine of up to RMB 50 million or up to 5% of the previous year’s turnover may be imposed, the relevant business may be ordered to suspend operations or cease business for rectification, and the relevant authorities may be notified to revoke the relevant business permits or business license; the persons directly in charge and other directly responsible persons may be fined between RMB 100,000 and RMB 1 million and may be prohibited for a certain period from serving as a director, supervisor, senior manager or Person in Charge of personal information protection of a relevant enterprise.

[1] The authors are a lawyer and an of-counsel at Shanghai Lee, Tsai & Partners.  However, the contents of this article merely reflect their personal opinions and do not represent the position of the law firm.