LawFlash

Personal Information Protection Law: China’s GDPR Is Coming

24. August 2021

China’s long-awaited Personal Information Protection Law (PIPL), after two rounds of draft versions, was finally passed by the Standing Committee of the National People's Congress on August 20, 2021, with the law effective beginning November 1, 2021. The PIPL, regarded as China’s version of the EU General Data Protection Regulation (GDPR), lays out a comprehensive set of rules for how business operators should collect, use, process, share, and transfer personal information in China. The PIPL further supplements the existing data protection regime previously established by the Cybersecurity Law (CSL) and national guidelines, and it provides another pillar in China’s efforts to regulate how companies use data and to further protect the personal data of its citizens.

This LawFlash highlights the key provisions in the PIPL and their implication for business operators in China. Among others, the PIPL requires companies as data controllers to obtain informed and separate consents from the data subjects for the collection, processing, and cross-border transfer of their personal data (limited exceptions apply), and to store personal data on servers physically located in China if the company is certified as a critical information infrastructure operator (CIIO), or processing personal data exceeding a certain volume threshold, which the regulator has yet to publish. The law grants statutory rights to data subjects, such as the right to withdraw and modify consents, the right of data portability, and the right to refuse automated decision-making. The PIPL also imposes a number of new administrative requirements on the data controllers, including, among others, designating a data protection officer, signing data processing agreements with data processors, preparing data breach notices, conducting a personal information impact assessment  (PIIA) or in some cases obtaining regulatory approval for certain data processing transfer activities. Employers qualify as data controllers, so every company will need to ensure that they understand the new requirements that cover the collection and processing of their employees’ personal data, in addition to other types of personal data, as part of their routine employee management functions. Companies in violation of the PIPL may be subject to severe penalties, including a fine of up to 5% of the last year's turnover of the company, revocation of the company’s license to do business in China, and personal liabilities for company executives. In light of the US-China trade tensions and the Chinese government’s heightened focus on national security risks related to the cross-border transfer of sensitive data, the new law is another regulatory tool that the Chinese government can use in addressing corporate behavior it deems at odds with national interests.

Exterritorial Jurisdiction

In addition to activities within China, the PIPL exerts certain exterritorial jurisdiction over data processing activities that happen outside China if the purpose is to provide products or services to individuals located in China, or to analyze or assess the behaviors of individuals located in China. Overseas companies caught by the exterritorial jurisdiction of the PIPL should establish a dedicated entity or appoint a representative in China to handle matters in relation to the protection of personal information they collect, and to file the information of the entity or the representative with competent government authorities. Foreign organizations or individuals may be put on a "blacklist" that would restrict or prohibit them from receiving personal information from China if they infringe the personal information rights and interests of Chinese citizens, or harm the national security or public interest of China.

Previously, exterritorial jurisdiction was only provided in draft regulations and national guidelines did not have a binding effect. For the first time, the PIPL explicitly specifies the broad reach of its purported exterritorial jurisdiction. The impact on foreign companies and overseas parent companies of Chinese subsidiaries that process personal information collected from the Chinese market will be significant, as the data collected in China will now be subject to the various personal information protection requirements under the PIPL.

Additional Lawful Bases for Data Processing

In the past, consent was the only requisite for the processing of personal information, and other lawful bases were provided in national guidelines, which were not legally binding. The PIPL for the first time specifies additional lawful bases as binding law and provides that consent is not required for

  • performing a contract where the data subject is a party to that contract, or where necessary for the implementation of human resources management in accordance with the lawfully formulated companies’ employment policies and lawfully concluded collective labor contracts;
  • fulfilling statutory duties or obligations;
  • responding to sudden public health incidents or protecting individuals’ lives, health, or properties under emergency conditions;
  • acting in the public interest for news reporting and media supervision within a reasonable scope; or
  • processing personal information disclosed by data subjects or other legally disclosed personal information within a reasonable scope.

Notably, business operators should pay particular attention to the following key changes:

  • Lawful basis of HR management: Compared to the second draft of the PIPL, the final version adds the scenario of HR management as a lawful basis. It seems that consent is no longer required for the employer to process employees’ personal information for HR management purposes. However, considering that the processing is limited to the necessary scope with data minimization as a general principle, if employers may collect and use personal information for purposes other than HR management (such as for businesses and commercial purposes like marketing and website exhibitions, etc.) or if they will transfer the data outside of China, it would be prudent for business operators to obtain sufficient consent for such collection, use, and transfer of employees’ personal information.
  • Scenarios that require separate consent: If consent is the lawful basis for processing, the data controller should obtain a separate consent of data subjects before:
    • providing personal information to third parties, which for employers includes any entity outside the employing entity,
    • publicly disclosing the personal information,
    • processing sensitive personal information,
    • using personal information that was collected for public security for other purposes, or
    • transferring personal information outside China.
  • Notification and consent requirements in case of an M&A scenario: Article 22 of the PIPL stipulates that, if a data controller needs to transfer personal information due to a merger, division, dissolution, or bankruptcy etc., it shall inform the data subjects of the name and contact information of the receiving party. The receiving party shall continue to perform the obligations of the original data controller. If the receiving party changes the original processing purpose or processing method, it shall reobtain consent from data subjects in accordance with the PIPL.

With this provision in place, in case of any change of control in merger and acquisition (M&A) deals, data compliance due diligence may become a prerequisite for closing the deal to avoid any data compliance risks. Sellers should inform the data subjects before the transfer of personal information, and buyers should obtain consent if the original processing purpose is changed.

Data Localization, Cross-Border Data Transfer, and China’s SCC

The CSL, which took effect in 2017, provides that only CIIOs should store personal information in China and undergo security assessments approved by the Cyberspace Administration of China (CAC) for cross-border data transfers. However, the PIPL extends the application scope beyond just CIIOs to those companies that process personal information that exceeds an amount threshold designated by the CAC, but the specific amount threshold has not been published yet.

For other general companies that do not fall under the categories above, they can transfer the personal information outside China by doing one of the following:

  • Obtaining personal information protection certification conducted by a professional institution
  • Signing the standard contract formulated by the CAC with the overseas recipients

This provision allows general companies to be exempted from the more onerous procedure of conducting government security assessments. This exemption represents a substantial change from the previous requirements under the draft cross-border data transfer regulations, which imposed data localization on all network operators in China. The standard contract is similar to the Standard Contractual Clauses (SCC) under the GDPR, but the CAC has not yet published the full text of the standard contract. Once the standard contract is published, business operators that have a need to transfer personal information outside China should review and revise their existing data transfer agreement to make it consistent with the official template.

In addition, the PIPL enhances the informed consent requirements for cross-border data transfers. Specifically, Article 39 requires that when a personal information processor (a term under the PIPL that is similar to “data controller” under the GDPR, hereinafter referred as “Data Controller” to avoid any doubts) provides personal information outside China, it shall inform the data subjects of the name of the overseas recipient, contact information, processing purpose, processing method, and types of personal information, as well as ways and procedures for data subjects to exercise the rights provided under the PIPL with the overseas recipients, and it shall obtain the data subjects’ separate consent.

Adding the Right to Portability and Other Rights of Data Subjects

Similar to the GDPR, the PIPL grants data subjects with various rights to their personal information, including the rights to access, copy, correct, modify, and delete their personal information. In addition, the PIPL emphasizes the right of data subjects to withdraw their consent and the right to restrict or refuse the processing of their personal information, and the relevant rights to refuse automated decisionmaking. The PIPL also clearly requires the Data Controller to provide a convenient mechanism for data subjects to exercise their rights.

Notably, on the basis of the second draft of the PIPL, the finalized version adds a new right—the right to portability—which resembles that under the GDPR. Specifically, Article 45 stipulates that when data subjects request a transfer of their personal information to other Data Controllers that they designate, and such requests conform with the conditions set by the CAC, the Data Controller shall provide the methods for the transfer. This data portability right may break the monopoly in the data field from the perspective of industry development. For business operators, however, this may require improved technical capabilities and increased costs for data compliance.

Personal Information Impact Assessment

Previously, the PIIA requirement was scattered across various draft regulations and national guidelines with no binding effect. The PIPL for the first time provides the PIIA requirements as binding law. Under the PIPL, companies should conduct a PIIA before the following data processing activities:

  • Processing sensitive personal information
  • Using personal information to conduct automated decisionmaking
  • Entrusting third parties to process personal information, providing personal information to third parties, or publishing personal information
  • Providing personal information abroad
  • Other personal information processing activities that will impose a major influence on individuals

Designation of Data Protection Officer

The PIPL affirms the previous approach under the nonbinding national guideline and requires certain companies to designate a person who will be responsible for personal information protection matters, which is similar to the requirements under the GDPR to designate a Data Protection Officer (DPO). In contrast to the DPO requirement under the GDPR, the PIPL restricts the application scope only to certain companies—i.e., those that will process personal information exceeding a yet-to-be-announced amount threshold designated by the CAC.

Stricter Requirements for Certain Types of Businesses

Given the technology innovation and significant growth of tech giants in China, the PIPL imposes the following additional requirements for certain types of internet-related businesses/technology:

  • Internet platform: Article 58 provides that critical internet platform service providers that have a large number of users and operate complex types of business shall perform the following obligations:
    • Establish and improve the personal information protection compliance system, and set up an independent organization mainly composed of external members to supervise the protection of personal information.
    • Following the principles of openness, fairness, and justice, formulate platform rules to specify the standards for handling personal information by product/service providers on the platform and their obligations to protect personal information.
    • Stop providing services to product/service providers on platforms that seriously violate laws or administrative regulations in processing personal information.
    • Regularly publish reports on social responsibility for personal information protection and accept society’s supervision.
  • Automated decisionmaking and forbidding differential treatment: The PIPL provides that when using automated decisionmaking, Data Controllers should ensure the transparency of decisionmaking and the fairness and impartiality of the results, and should not impose unreasonable differential treatment on individuals in terms of transaction prices and other transaction terms. In addition, the PIPL allows the data subjects to refuse the automated decisionmaking method.

Additional Obligation on the Entrusted Data Processor

The PIPL creates an additional obligation on the entrusted data processor. Article 59 provides that an entrusted data processor that accepts an entrustment to process personal information shall, in accordance with the provisions of the PIPL and relevant laws and administrative regulations, take necessary measures to ensure the security of the personal information processed, and assist the Data Controller in performing the obligations under the PIPL.

Enhancing the Protection of Children Under Age 14

The PIPL categorizes the personal information of children under the age of 14 as sensitive personal information and requires the Data Controller to formulate specific personal information protection rules for children. This is not a new requirement because the CAC has already stipulated similar requirements in the Regulation on the Cyber Protection of Children's Personal Information in 2019. However, this CAC regulation is only a low-level ministry regulation while the PIPL lifts the importance of these requirements to the highest level of law.

Increased Burden of Proof on the Data Controller

Article 69 creates a presumption of liability on the Data Controller. If the processing of personal information infringes the rights and interests of personal information and causes damages and the Data Controller cannot prove that it is not at fault, the Data Controller shall be liable for damages and compensation. This requires business operators to keep proper records and evidence to prove that they have taken proper measures with respect to data compliance, which further reflects the importance of business operators’ implementation of the PIIA in advance to ensure that personal information processing activities by business operators are legally compliant.

Data Breach Notice

Article 57 of the PIPL provides the notification obligations of the Data Controller after a data breach. On such an occasion, the Data Controller should “immediately” take remedial measures and notify the personal information protection authority and data subjects. This notification should include the following details: (1) types, reasons, and possible harms from the personal information leakage, tampering, or loss that occurred or may occur; (2) remedial measures taken by the Data Controller and measures that data subjects can take to reduce harm; and (3) contact information of the Data Controller.

However, while notifying the authority is required, notification to data subjects is not mandatory if the Data Controller is able to take measures to effectively avoid damage caused by the data leakage, tampering, or loss. If the authority believes that it may cause harm, it still can request the Data Controller to notify the data subjects.

Other than the general requirement of “immediate” notification, the PIPL does not provide specific timing for notifying the authority or data subjects.

Increase of Penalties for Noncompliance

The PIPL increases the penalties from the capped amount of RMB 1 million (approx. $149,000) under the CSL to RMB 50 million (approx. $7,456,000) or 5% of the last year's turnover of the company. The company’s business license may also be revoked. For the directly responsible persons of the company, the government authority could impose a fine of up to RMB 1 million and may prohibit them from serving as directors, supervisors, senior managers, or DPOs of related companies within a certain period of time.

In conclusion, as the PIPL provides a grace period of less than three months before it takes effect, business operators in China should, as soon as possible, fully understand the legal requirements therein, conduct compliance reviews for their existing data processing practices, and upgrade and implement robust privacy protection mechanisms for data compliance, including establishing, reviewing and/or updating their data consent form to be signed by their employees to meet the requirements under the PIPL.

Contacts

If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following Morgan Lewis lawyers:

Beijing/Shanghai
K Lesli Ligorner
Todd Liao
Sylvia Hu

Hong Kong
Charles Mo

Philadelphia
Gregory T. Parks

Tokyo
Mitsuyoshi Saito