China Personal Information Protection Law (PIPL) Compliance FAQs


When does PIPL apply?

Article 3: PIPL applies when one of the following circumstances is present in handling activities outside the borders of the People’s Republic of China of personal information of natural persons within the borders of the People’s Republic of China:

  1. Where the purpose is to provide products or services to natural persons inside the borders;
  2. Where analyzing or assessing activities of natural persons inside the borders;
  3. Other circumstances provided in laws or administrative regulations.

What are the legal bases (grounds) for collecting and processing personal data?

Normally, according to Art 13, controllers may handle personal information where (1) they have obtained the individual’s consent, or (2) it is necessary to conclude or fulfill a contract to which the individual is a party. Other lawful reasons include:

(3) the processing is necessary for the performance of statutory duties or obligations;

(4) the processing is necessary for the response to public health emergencies, or for the protection of life, health, and property safety of natural persons in emergencies;

(5) the personal information is reasonably processed for news reporting, media supervision, and other activities conducted in the public interest;

(6) the personal information disclosed by the individual himself or other legally disclosed personal information of the individual is reasonably processed in accordance with this Law; and 

(7) other circumstances as provided by laws or administrative regulations.

What are the requirements for valid consent?

Consent must be “voluntary, explicit, and fully informed.” Art 14.

“An individual shall have the right to withdraw his consent. Personal information processors shall provide convenient ways for individuals to withdraw their consents.” The withdrawal of consent shall not affect the validity of the processing activities conducted based on consent before it is withdrawn. Art 15.

Where personal information is handled based on individual consent, “said consent shall be given by individuals under the precondition of full knowledge, and in a voluntary and explicit statement.”

“A personal information processor shall not refuse to provide products or services for an individual on the grounds that the individual withholds his consent for the processing of his personal information or has withdrawn his consent for the processing of personal information.” Art 16.

A “separate consent” is necessary to transfer personal information to any other processor. Art 23.

Under what circumstances is “separate consent” required?

“Separate consent” is not defined in PIPL. However, PIPL states that “separate consent” is required in the following circumstances:

  • When transferring PI to another PI handler. PIPL Art. 23.
  • When otherwise disclosing PI. PIPL Art. 25.
  • When processing PI collected by public surveillance devices for purposes other than public security. PIPL Art. 26.
  • When processing SPI. PIPL Art. 29.
  • When transferring PI outside the PRC. PIPL Art. 39.

What is “Sensitive personal information”?

Special rules apply for handling “sensitive personal information” such as:

personal information of minors under the age of 14, and personal information that, “once leaked or illegally used, may easily cause harm to the dignity of natural persons or grave harm to personal or property security, including information on biometric characteristics, religious beliefs, specially-designated status, medical health, financial accounts, individual location tracking, etc.” Art 28.

What additional rules apply to handling “sensitive personal information”?

Sensitive personal information can be handled “only when there is a specific purpose and when it is of necessity, under the circumstance where strict protective measures are taken.” A processor processing sensitive personal information “shall notify an individual of the necessity of processing his sensitive personal information and the impact it has on his rights and interests.”

To handle sensitive personal information, the individual’s separate consent shall be obtained.

Where personal information handlers handle the personal information of minors under the age of 14, they shall obtain the consent of the parent or other guardian of the minor.

What special rules govern cross-border transfers?

Where personal information handlers “truly need to provide personal information outside the borders of the People’s Republic of China for business or other such requirements,” they may transfer PI outside of China, but only after:

  • Obtaining separate informed consent from the individuals whose PI is to be transferred (PIPL Art. 39);
  • Conducting and documenting a PI protection impact assessment (PIPIA) (PIPL Art. 55); and
  • Satisfying one of the following three conditions under PIPL Art. 38:
    1. Passing a security assessment organized by the State cybersecurity and informatization department;
    2. Undergoing personal information protection certification conducted by a specialized body according to provisions by the State cybersecurity and informatization department;
    3. Concluding a contract with the foreign receiving side in accordance with a standard contract formulated by the State cyberspace and informatization department, agreeing upon the rights and responsibilities of both sides.

Art 40 of the PIPL and Section 4 of the Measures for the Security Assessment of Outbound Data provide that a “data handler” MUST file with the CAC, through local cyberspace administrations at the provincial level, for a security assessment of cross-border data transfer under any of the following scenarios:

  1. Data processors providing “important” data overseas.
  2. “Critical information infrastructure operators” (CIIOs) and data processors that process the PI of more than 1 million people providing PI overseas.
  3. Data processors that have transferred the PI of over 100,000 people or the “sensitive” PI of over 10,000 people overseas since January 1 of the previous year.
  4. Other situations in which the CAC requires a data export security assessment to be declared.

Companies that are not considered CIIOs, or whose data volumes are below the above-mentioned limits, may be able to obtain clearance to transfer data or PI overseas simply by concluding a ‘standard contract’ with the overseas receiver. This approach is less complicated than the CAC security review because it does not necessitate an external audit.

If a company meets the criteria for a CIIO or handles data or PI in excess of the volumes outlined above, it must apply for a security assessment by the CAC in order to get clearance to transfer the data outside of China. The security assessment measures require data controllers to carry out a self-assessment of data export risks prior to applying for a security assessment, and they describe in detail the procedures and criteria companies must meet to pass. In other words, to apply for a security assessment, a company must first conduct a security risk self-assessment of the data it wishes to export.

What is required for an application for security assessment?

When applying for the data export security assessment, companies are required to submit the following materials:

  • A declaration;
  • A cross-border data transfer risk self-evaluation report;
  • The legal documents to be signed between the data processor and the overseas recipient;
  • Other materials required for the security assessment work.

The legal documents signed between the data processor and the overseas recipient must include (but are not limited to) the following duties and obligations:

  1. The purpose and method for the data transfer and the scope of data being transferred; what the overseas recipient needs the data for and the methods they will use to process it.
  2. Where and for how long the data will be stored overseas; the processing measures for the exported data after the data storage time limit is up, the stipulated objectives have been achieved, or the legal documents have been terminated.  
  3. Binding requirements for the overseas recipient to transfer the data to another organization or individual.  
  4. The security measures that will be taken in the event that there is a substantive change in the overseas recipient’s control or operating scope, or if there is a change to the security protection policies and regulations of the region where the data is being transferred to, a change to the network security environment, or other force majeure circumstances that make it difficult to guarantee the security of the data.  
  5. Remedial measures, liabilities for breach of contract, and dispute resolution methods for breaching data security protection obligations stipulated in legal documents. 
  6. Requirements for proper emergency response and the channels and methods to protect individuals’ rights to safeguard their PI in the event that the outbound data is at risk of being tampered with, destroyed, leaked, lost, transferred, or illegally obtained or used.

After the applicant has submitted the requisite materials, the CAC will inform the applicant in writing, within seven days, of its decision on accepting the application.

How long is the security assessment valid for?

The cybersecurity departments will carry out the security assessment within 45 working days of issuing the notice that the application was accepted. However, this period may be extended for complicated cases or where additional documentation or corrections are required. The security assessment will be valid for a period of two years from the date that the assessment results are issued. The assessment can, however, be revoked earlier if there is a substantive change to the circumstances under which the approval for cross-border data transfer was granted.

Who is eligible for the Standard Contract compliance method?

The Standard Contract (similar to the EU standard contractual clauses under the GDPR) is arguably the simplest route to receiving approval to conduct international data transfer, as it does not require an audit by either the CAC or an accredited third-party agency. However, companies going this route will be required to carry out a Personal Information Protection Impact Assessment (PIPIA), as we will see below.

Companies that meet all of the following criteria are eligible to use the Standard Contract: 

  1. They are not a critical information infrastructure operator (CIIO).
  2. They process the PI of fewer than one million people.
  3. Since January 1 of the previous year, they have transferred the PI of fewer than 100,000 people out of China.
  4. Since January 1 of the previous year, they have transferred the “sensitive” PI of fewer than 10,000 people out of China.

Additionally, where personal information handlers provide personal information outside of the borders of the People’s Republic of China, “they shall notify the individual about the foreign receiving side’s name or personal name, contact method, handling purpose, handling methods, and personal information categories, as well as ways or procedures for individuals to exercise the rights provided in this Law with the foreign receiving side, and other such matters, and obtain individuals’ separate consent.”

Who must appoint a representative in China?

Personal information handlers outside the borders of the People’s Republic of China “shall establish a dedicated entity or appoint a representative within the borders of the People’s Republic of China to be responsible for matters related to the personal information they handle, and are to report the name of the relevant entity or the personal name of the representative and contact method, etc., to the departments fulfilling personal information protection duties and responsibilities.” Art 53.

When is personal information protection impact assessment required?

When one of the following circumstances is present, personal information handlers shall conduct a personal information protection impact assessment:

  1. Handling sensitive personal information;
  2. Using personal information to conduct automated decision-making;
  3. Entrusting personal information handling, providing personal information to other personal information handlers, or disclosing personal information;
  4. Providing personal information abroad;

What must the personal information protection impact assessment include?

  1. Whether or not the personal information handling purpose, handling method, etc., are lawful, legitimate, and necessary;
  2. The influence on individuals’ rights and interests, and the security risks;
  3. Whether protective measures undertaken are legal, effective, and suitable to the degree of risk.

Personal information protection impact assessment reports and handling status records shall be preserved for at least three years.

Is there an exemption from security breach notification?

Interestingly, according to the PIPL, where personal information handlers adopt measures that are able to effectively avoid the harm created by an information leak, distortion, or loss, they are permitted not to notify the affected individuals.

What are the rights of persons (i.e., data subjects)?

Unless laws or administrative rules provide otherwise, the PIPL gives persons the right to know about, decide on, restrict, or object to the use of their PI. PIPL Art. 44. The PIPL also gives persons the right to access and copy their PI, subject to certain conditions, as well as the right to correct or supplement their PI if it is erroneous or incomplete. PIPL Art. 45; PIPL Art. 46.

Handlers must proactively delete—or individuals may request that handlers delete—PI when: (1) the processing is no longer necessary for the stated purpose; (2) the handler is no longer providing a product or service, or the retention period has expired; (3) individuals have revoked consent; (4) the processing would violate specific laws, regulations, or agreements; or (5) other laws or regulations so provide. PIPL Art. 47.

The PIPL also establishes a right to data portability, provided that any transfer to a new handler meets the standards stipulated by the appropriate enforcement agencies. PIPL Art. 45.

What data protection standards must PI handlers adhere to?

Handlers must adhere to all of the following standards while handling PI:

  • Lawfulness, fairness, necessity, and good faith. PIPL Art. 5.
  • Purpose limitation and data minimization. PIPL Art. 6.
  • Openness and transparency. PIPL Art. 7.
  • Accuracy and completeness. PIPL Art. 8.
  • Security and accountability. PIPL Art. 9.
  • Limited data retention. PIPL Art. 19.

Are there any special advertising requirements?

To the degree that PI is used for marketing through automated decision-making, the PIPL requires handlers to offer people the option of not being targeted with advertisements based on their individual characteristics, or to provide a convenient way to reject such advertising. Art. 24 of the PIPL.

What exactly is automated decision-making?

The use of computer programs to automatically evaluate or assess persons’ behaviors, habits, interests, or hobbies, or individuals’ financial, health, or credit status, etc., is referred to as automated decision-making. Art. 73 of the PIPL.

What are the rules that govern automated decision-making?

Handlers that employ PI in automated decision-making must guarantee that the automated outcomes are transparent, fair, and just. Handlers are not permitted to discriminate unfairly against persons based on automated decision-making. Art. 24 of the PIPL.

If the use of automated decision-making has a substantial impact on a person’s rights and interests, the individual may compel the handler to explain its use of such decision-making and may restrict the handler from making judgments solely on its use. Art. 24 of the PIPL.

What exactly is an entrusted party, and what are their primary responsibilities?

An “entrusted party” is analogous to a “data processor” under the GDPR. When a PI handler entrusts the processing of PI to another entity under a contract, the entrusted party must process the PI in accordance with the contract and may not subcontract the processing without the PI handler’s approval. An entrusted party does not determine the purposes and methods of processing, and it may not use PI for purposes other than those specified in the contract. Art. 21 of the PIPL.

An entrusted party must take the appropriate steps to ensure the security of the PI it processes and to assist PI handlers in meeting their duties. Art. 59 of the PIPL.

Are there any specific criteria for processing kids’ PI?

Yes. The following rules apply to minors:

  • The PI of a minor under the age of 14 is SPI. Art. 28 of the PIPL.
  • As a result, a handler handling the PI of people under the age of 14 must prepare a PI protection impact assessment (PIPIA). Art. 55 of the PIPL.
  • Handlers processing the PI of kids under the age of 14 must acquire the parent or guardian’s authorization. Art. 31 of the PIPL.
  • Handlers who handle the PI of kids under the age of 14 must follow “specific processing requirements.” Art. 31 of the PIPL.

In the event of a violation, what are the penalties?

Authorities may apply the following penalties for a minor infraction:

  • An order requiring correction, confiscation of illegal gains, or provisional suspension or termination of improper practices.
  • A fine of up to CNY 1 million against wrongdoers who refuse to correct their behaviors.
  • A fine of between CNY 10,000 and CNY 100,000 against a directly responsible person. PIPL Art. 66.

In the event of a major infringement, provincial or higher-level authorities may apply the following sanctions:

  • An order requiring correction, confiscation of illegal gains, suspension or closure of the relevant business, or revocation of the business license.
  • A fine of up to CNY 50 million or 5% of the turnover in the previous year.
  • A fine of between CNY 100,000 and CNY 1 million against a directly responsible person.
  • A prohibition against directly responsible persons from holding senior management positions and roles for a certain period. PIPL Art. 66.

Whether it’s a major or minor offense, it will be included in credit records and be publicly disclosed. PIPL Art. 67.

What remedies are available to persons (i.e., data subjects) against those who violate the PIPL?

Any business or person may register a complaint with the appropriate enforcement authorities regarding a PI handler’s illegal conduct. Art. 65 of the PIPL.

Individuals may file a lawsuit in court if PI handlers deny their requests to exercise their rights. Art. 50 of the PIPL.

Where improper processing of PI endangers persons’ rights and interests, the procuratorates, consumer groups mandated by law, and other organizations authorized by the appropriate enforcement authorities may file a lawsuit. Art. 70 of the PIPL.
