Joyce Wen, Elva Chuang and Teresa Huang[1]
With the advancement of globalization and digitization, cross-border collection of personal information is increasingly frequent. To fully protect the rights and interests of individuals in the country and curb digital giants’ abusive collection of personal information, China’s 13th National People’s Congress Standing Committee has passed on its 30th meeting the Personal Information Protection Law (“PIPL”), which goes into effect on November 1, 2021. The PIPL extends the scope of the law to include foreign activities conducted by foreign entities, requiring “foreign information-processors”, who provide goods or services to natural persons within China or analyze or assess the behavior of natural persons within China, to follow the rules under the PIPL. In the era of advanced Internet, all foreign businesses with close economic and trade relations with the mainland and its people are highly likely to fall into the scope of the PIPL. As such, it is recommended that relevant foreign businesses check whether they’re under the PIPL’s regulation as soon as possible so to take corresponding measures. The following is a summary of the potential effects on foreign information-processors after the law goes into effect:
1. Foreign Information-Processors’ Scope and Definition
(1) Regulations
Article 3, Paragraph 2 of the PIPL stipulates that foreign processing of personal information[2] of natural persons within the territory of the People’s Republic of China is within its scope if any of the following applies: (i) the information processing is aimed to provide goods or services to natural persons within China; (ii) the information processing involves analyzing or evaluating the behaviors of natural persons in China; and (iii) any other circumstances as stipulated by the law and administrative regulations (hereinafter referred to as “Foreign Information-Processors”). According to the “Explanation Regarding People’s Republic of China’s PIPL (Draft)”[3] issued by the Deputy Director of the Legislative Affairs Committee of the Standing Committee of the National People’s Congress at the 22nd Meeting of the Standing Committee of the 13th National People’s Congress on October 13, 2020, by using other countries’ practices as references, this article aims to endow the PIPL with the necessary extraterritorial applicability to fully protect the rights and interests of individuals in the country.
(2) What constitutes “information processing aimed to provide goods or services to natural persons within China” or “analyzing or evaluating the behaviors of natural persons in China ” ?
Although the PIPL states that Foreign Information-Processors — including those who directly process information for the provision of goods or services, and who indirectly conduct behavioral analysis and assessment — are within the confines of its regulations, as of the writing of this article, no notices or opinions have been issued by the relevant competent authority to clarify the scope of Article 3, Paragraph 2. Therefore, the specific criteria for determining what constitute “information processing aimed to provide goods or services to natural persons within China” or “analyzing or evaluating the behaviors of natural persons in China ” is still unclear.
In light of the fact that Article 3 of EU’s General Data Protection Regulation (“GDPR”)[4] was used as a reference for this Article 3, Paragraph 2 of the PIPL, the “Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)” issued by EU (hereinafter referred to as “EU Guide”)[5] should be of considerable reference value for PIPL’s future enforcement and definitions regarding Foreign Information-Processors.
According to the EU Guide, whether a foreign information –processor is processing data “aimed to provide goods or services to natural persons within the EU (regardless of their nationality or place of residence)” or to “monitor the behaviors of natural persons within the EU” shall be determined on a case-by-case basis and by taking into consideration the following factors:
| Determining Factors for what constitutes “data processing aimed to provide goods or services to natural persons within the EU” | Determining Factors for what constitutes “activities monitoring the behaviors of natural persons within the EU” |
|
|
(3) Summary
In consideration of the lack of more detailed guidance regarding the scope of Article 3, Paragraph 2 of the PIPL from the regulatory agency, we recommend using the factors in the aforementioned EU Guide as references for determining whether an activity is within the confines of the PIPL before further detailed regulations are issued; and beware of any future legislative trend from the regulatory agency to make adjustments at any time.
2. Obligations and Responsibilities of Foreign Information-Processors
(1) General Obligations and Responsibilities of Information-Processors
Article 51 of the PIPL stipulates that information processors shall take into account the purpose and methods of processing personal information; the type of personal information to be processed and its impact on the rights of the information subject; and potential safety risks when taking the following measures to ensure that the information processing is in line with the law and administrative regulation, and implementing measures to prevent unauthorized access, tampering, loss, or leakage of personal information: (1) establish internal management system and operating procedures; (2) implement classified management of personal information; (3) adopt proportionate security technology measures such as encryption and de-identification; (4) reasonably determine the operating privileges of personal information, and regularly conduct safety education and training for employees; (5) formulate and organize the implementation of emergency plans for personal information security incidents; and (6) other measures as stipulated by the law and administrative regulations.
For other laws and regulations to be followed by personal information processors, please refer to the article: “Feature Articles on China’s Personal Information Protection Law (1) – Personal Information Protection Law Summary (Mainland China)”.
(2) Foreign Information-Processors’ Special Obligations
Pursuant to Article 53 of the PIPL, Foreign Information -Processors shall also establish a special institution or designate a representative responsible for matters related to personal information protection and report such institution or representative’s name, contact information to the department responsible for personal information protection. According to the EU practices, the main obligation of such designated representative is to preserve the relevant records of information processing and cooperate with the domestic supervisory authority responsible for information protection.
The PIPL has no qualification requirements for the above-mentioned special institution or representative, nor does it stipulate the legal responsibilities that Foreign Information-Processors shall bear if they do not establish such institution or representative. Thus, how the requirements under this regulation may be met in practice will be clear only after the issuance of more detailed rules.
(3) Legal Responsibilities of Foreign Information-Processors Violating the PIPL
Those who violate the provisions of the PIPL, including Foreign Information-Processors, may be subject to the liabilities stated under Article 66 to 71 of the PIPL, which includes, but is not limited to:
- Having the illegal acts in the credit files and make them public;
- Being ordered to suspend or terminate the provision of services for applications that illegally process personal information;
- Being ordered to rectify the violation and having illegal gains confiscated; those that fail to rectify shall be imposed a fine less than 1 million RMB; those directly responsible and liable shall be fined at least RMB 10,000 and up to RMB 100,000. In addition, those in severe violations may be imposed a fine of less than RMB 50 million or less than 5% of the previous year’s turnover, its related business operations may be suspended or paused for rectification, and appropriate authorities may revoke its relevant business permits or licenses; and
- Where the personal information processing infringes individuals’ information rights and interests and causes damages, being liable for the damages and other tort liabilities.
Further, the directly responsible person in charge and other directly responsible personnel are to be fined at least RMB 100,000 and up to RMB 1 million, and may be prohibited from serving as related businesses’ directors, supervisors, senior managers, or person in charge of personal information protection for a period of time.
With the increased fines and liabilities for violating the PIPL, Foreign Information-Processors should continue to monitor the legal developments for additional guidance on compliance and requirements of the PIPL and heighten their compliance oversight in the handling personal information to limit the potential exposure under the PIPL.
[1] The authors are lawyers and of-counsel at Shanghai Lee, Tsai & Partners. However, the contents of this article merely reflect personal opinions and do not represent the position of this law firm.
[2] Personal information is defined under Article 4 of the PIPL as information regarding an identified or identifiable natural persons recorded electronically or by any other means, excluding any anonymized information.
[3] Explanation Regarding People’s Republic of China’s PIPL (Draft)_The National People’s Congress of the People’s Republic of China (npc.gov.cn), website: http://www.npc.gov.cn/npc/c30834/202108/fbc9ba044c2449c9bc6b6317b94694be.shtml (the last viewed date: October 21, 2021).
[4] Art. 3 of General Data Protection Regulation (GDPR):
1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or the monitoring of their behaviour as far as their behaviour takes place within the Union.
3. This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.
[5] Guidelines 3/2018 on the territorial scope of the GDPR (Article 3),website: https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-32018-territorial-scope-gdpr-article-3-version_en (the last viewed date: October 21, 2021).