In 2016, the People’s Republic of China (PRC) announced the Cybersecurity Law (“CSL”) to regulate cybersecurity and protect the country’s Critical Information Infrastructure (“CII”). However, it lacked dedicated provisions for people’s personal information. To address this, China introduced two laws in 2020: the Data Security Law (DSL) and the Personal Information Protection Law (PIPL). The PIPL deals with the protection of personal information. Like its EU counterpart, the PIPL is set to transform the data protection and privacy landscape both inside and outside the territory of the PRC.
On April 29, 2021, China’s top legislature, the National People’s Congress (NPC), unveiled the second draft of the PIPL for public comment until May 28, 2021. The law is expected to be passed by the end of the year.
The PIPL is the next big data protection law coming from Asia after India’s Personal Data Protection Bill (PDPB).
We will cover the key highlights from the PIPL.
What is Personal Information Protection Law (PIPL)?
Personal Information Protection Law (PIPL) is a data protection law of the People’s Republic of China (PRC).
The objective of the law is to protect personal information rights and interests and to regulate the processing and use of personal information. The law protects personal information and prohibits any infringement of the personal information of people in China.
Read the full text of the draft here (available only in Chinese).
Personal information is any information related to identified or identifiable natural persons (we will use ‘individuals’ in this article). Anonymized information is excluded from personal information. The processing of personal information includes the collection, use, storage, transfer, provision, and disclosure of personal information.
Who does the PIPL apply to?
It applies to organizations and individuals handling the processing of personal information of individuals within the borders of the People’s Republic of China.
This law also applies to the processing of personal information occurring outside the PRC under the following circumstances:
- to provide products or services to individuals in China,
- to analyze and evaluate individuals in China, or
- under other circumstances specified by laws and administrative regulations.
The PIPL draft refers to organizations and individuals that determine matters related to personal information handling as “personal information handlers”.
PIPL principles for data protection
Articles 5 through 10 of the law establish principles for handling personal information, such as:
- Processing must be carried out lawfully, properly, and in good faith. Personal information shall not be processed through misleading, fraudulent, coercive, or other illegal methods.
- Processing must have a clear and reasonable purpose and must have the least impact on individuals’ rights and freedoms. Do not process personal information that is unnecessary for that purpose.
- Processing must follow the principles of openness and transparency. You should disclose the processing rules and clearly indicate the purpose, method, and scope of the processing.
- You must ensure the quality of personal information while processing it, so that inaccurate or incomplete personal information does not adversely affect individuals’ rights and freedoms.
- Handlers are responsible for their processing activities and for taking the necessary measures to keep personal information secure.
- No organization or individual shall process personal information in violation of the stipulated laws and administrative regulations, or engage in any processing activity that endangers national security or the public interest.
Moreover, the state will establish a personal information protection system to prevent and punish infringements of personal information rights and freedoms, strengthen education on personal information protection, and promote a good environment for personal information protection with participation from governments, enterprises, organizations, and the.
The state actively participates in the formulation of international rules, promotes international exchanges and cooperation, and promotes mutual recognition of personal information protection rules and standards with other countries, regions, and international organizations.
Lawful basis for processing personal information
Like the EU GDPR, China’s PIPL also provides lawful bases for processing personal information. Handlers may only process personal information if:
1. they obtain consent from the individual;
2. it is necessary to conclude or perform a contract to which the individual is a party;
3. it is necessary to fulfill statutory duties or obligations;
4. it is necessary to respond to public health emergencies, or to protect individuals’ life, health, or property in an emergency;
5. they process personal information that has already been disclosed, for a reasonable purpose that complies with the PIPL;
6. it is for news reports, public opinion, or other activities in the public interest; or
7. other conditions specified by laws and regulations apply.
Note: if the processing is based on items 2 through 7, you do not need consent from the individual.
Consent under PIPL
Like the GDPR, China’s PIPL places great emphasis on the conditions for consent. Consent must be given voluntarily and explicitly, with the individual’s full knowledge of the processing. Where laws or regulations require separate consent or written consent, organizations must comply.
You must obtain fresh consent where the purpose or method of personal information processing, or the category of personal information, changes.
For handling the personal information of minors under 14 years of age, you must obtain consent from their guardian.
And just like most data privacy laws, the PIPL gives individuals the right to withdraw their consent to personal information handling.
Unless the processing is necessary for providing the products or services, you cannot refuse to provide them to individuals who decline or withdraw their consent.
Information to be provided before handling personal information
Personal information handlers should provide the following information to the individuals before collecting their personal information:
- the identity and contact information of the personal information handler;
- the purpose of personal information processing, the categories of personal information, and how long you will store it;
- how individuals can exercise the rights granted by PIPL;
- other information directed by the laws or regulations; and
- any changes in the above information.
The information must be composed in a clear and easy-to-understand language, and it should be public and easily accessible to read and store.
Where laws or regulations require you to maintain confidentiality, you are not required to notify individuals of this information.
In emergencies where it is impossible to notify individuals in time to protect their life, health, or property, you may inform them after the emergency has been handled.
Rules for handling sensitive personal information
Sensitive personal information means personal information that, if leaked or used illegally, may cause discrimination against individuals or harm their personal or property security. It includes information on race, ethnicity, religion, biometric data, health, financial accounts, location tracking, etc.
Here are some rules for processing sensitive personal information:
- Handle sensitive personal information only for specific purposes and when necessary.
- Where the processing is based on consent, you must obtain separate consent for sensitive personal information. Get written consent if it is required by the law.
- You should also notify the individual about the necessity of sensitive personal information handling, as well as the effect of such processing on the individual.
- Obtain relevant licenses or impose stricter restrictions for handling sensitive information if required by the laws.
Cross-border transfer of personal information
Where an organization needs to transfer personal information outside the borders of the PRC, it must meet at least one of the following conditions:
- Pass a security assessment by the Cyberspace Administration of China (CAC)
- Obtain personal information protection certification from a specialized body supervised by the CAC
- Enter an agreement with a foreign recipient, supervise their personal information processing, and ensure they meet the personal information protection standards of the law
- Other conditions provided in laws or administrative regulations or by the CAC
Organizations must obtain separate consent from individuals for cross-border transfers. They should notify individuals of the identity and contact details of the foreign recipient, the purpose and method of its processing, the categories of personal information involved, and how individuals can exercise their rights.
Rights of individuals under PIPL
The PIPL gives individuals the following rights:
- Right to know about, and to make decisions on, the handling of their personal information.
- Right to limit or refuse the handling of their personal information by others, under conditions imposed by laws or administrative regulations.
- Right to access and copy their personal information from personal information handlers, unless laws or regulations require secrecy. You should respond to such requests in due time.
- Right to request correction or completion of inaccurate or incomplete personal information. You should respond to such requests in due time.
- Right to request deletion of personal information where the personal information handler has not deleted it and:
  - the agreed retention period of the personal information has expired, or the handling purpose has been achieved;
  - the products or services have been terminated;
  - the individual withdraws consent;
  - the personal information handler violates the law; or
  - other circumstances stipulated by laws or regulations apply.
  If the retention period provided by law has not expired, or deletion is technically impossible, you must stop processing the personal information.
- Right to request that handlers explain their personal information handling rules.
- Right to refuse automated decision-making and to require personal information handlers to explain it.
Personal information handlers should maintain a system to receive and handle individuals’ requests to exercise these rights. Any refusal of a request must have a genuine reason, which must be disclosed to the individual.
Duties of Personal Information Handlers
Personal information handlers are responsible for taking the necessary measures to ensure compliance with the law and to prevent unauthorized access to personal information, as well as its leakage, theft, distortion, or deletion.
Their responsibilities include:
- Formulating internal rules and structures
- Implementing personal information management
- Taking necessary security measures such as encryption, de-identification, and anonymization
- Defining and maintaining limits on processing operations, and training employees on security measures
- Planning and organizing personal information security incident response plans
- Other measures provided in laws or regulations
Personal information risk assessment
Personal information handlers should conduct a risk assessment under the following circumstances:
- Sensitive personal information processing
- Automated decision making using personal information
- Sharing personal information with third parties or publishing personal information
- Cross-border transferring of personal information
- Other personal information handling activities that will impact the rights and freedom of individuals
The risk assessment must analyze:
- Whether your personal information processing and its methods are lawful and necessary.
- The impact of the processing on individuals and the risks involved.
- Whether the adopted security measures are lawful, effective, and sufficient for the level of risk.
Risk assessment reports and handling status records must be saved for at least three years.
Personal information leak notification
When personal information handlers become aware of personal information leaks, they should immediately adopt remedial measures and notify the department responsible for personal information protection and the affected individuals. The notification shall include the following items:
- The cause of the leak
- The categories of personal information leaked and the consequences
- Adopted remedial measures
- Measures individuals should adopt to mitigate damage
- Contact details of the personal information handler
If personal information handlers are able to effectively avoid any damage from the leak, they do not have to notify the individuals. However, where the leak may still cause harm to individuals, they may be required to notify the individuals.
Fines for violating PIPL
Where a handler has gained illegal income or has failed to take the required security measures, the authorities may order correction, confiscate the illegal income, issue warnings, and impose a fine of up to RMB 1 million on the handler and up to RMB 100,000 on the person directly responsible.
In serious cases, fines can go up to RMB 50 million or 5% of the previous year’s turnover for the handler, and up to RMB 1 million for the person directly responsible. The authorities can also suspend the business of a handler that refuses to correct the violation, or revoke its license.
To avoid fines, you must follow the PIPL requirements if your website’s activities fall within the scope of the law. Consent is one of the most important parts of most data protection and privacy laws, and the PIPL is no exception. On a website, data collection and handling happens through various sources such as cookies, forms, surveys, and emails. Cookies, in particular, have been the center of many discussions and judgments. Cookie consent is important: a website cannot collect and use the personal information of its visitors via cookie identifiers without consent, especially for cookies used for advertising or analytics. Adding a cookie banner is the right way to deal with cookie compliance on a website, and CookieYes is the right solution for it.
CookieYes is a cookie consent management platform (CMP) that provides a comprehensive solution for cookie compliance with major data protection and privacy laws such as the GDPR, CCPA, and ePrivacy Directive (Regulation). The CookieYes banner is not just a medium for obtaining cookie consent; its host of features will help you manage user consent effortlessly.
Full banner customization, automatic third-party cookie script blocking, cookie scanning, visit consent logging, geo-targeted banners, consent withdrawal, granular opt-in for cookies, and auto-translation to 27 languages are just some of the features.
Sign up for a free 14-day trial and ready your website for PIPL compliance.