China’s new Personal Information Protection Law: Yet another piece in a complex puzzle

Another piece is added to the jigsaw of China’s privacy and security laws. The Personal Information Protection Law (PIPL) was passed in August 2021, according to state media.  Supplementing the recently passed Data Security Law (DSL), the PIPL highlights the importance the Chinese government is putting on data, data security and data protection and how it is positioning itself as an important player on the international stage.

The final version of the law has just been published (Chinese version), but it was preceded by several drafts. The following is based on commentary that mostly addressed those earlier drafts.

China’s Data Security Law

The PIPL follows the DSL, which itself built on the Cybersecurity Law (CSL) passed in 2016. Like the CSL and most principles-based regulation, the DSL relies on further implementing rules, guidance and national standards, as well as regulatory action, to clarify how it will be interpreted and applied. There are important provisions around securing certain types of data, data breach notification and restrictions on international transfers.

As with the CSL, the fleshing out of the DSL in this way will be an evolving process, with certain key measures expected to be introduced in the coming months but full implementation of all aspects o  We’ve covered the DSL here.  In comparison, the PIPL itself is more comprehensive, though it also adopts the principle-based approach that we are familiar with from other data protection regulatory systems like the GDPR and Australia’s own Privacy Act 1988 (Cth).

China’s Personal Information Protection Law

The PIPL will go into effect on November 1, 2021, but many companies within China are already coordinating with relevant enforcement agencies to ensure they will comply.

Although one piece of a web of related laws (including the DSL and the CSL), the PIPL will serve as China’s comprehensive data protection law. In some ways it follows the approach of the EU in the GDPR, which protects the rights of individuals with regard to the processing of their personal information (“data protection”) by way of an omnibus law (as opposed to the fragmented, sector-driven approach of the US). With the passing of the PIPL, China joins those countries with a single comprehensive privacy law, leaving the U.S. as one of the few top developed nations without one. The PIPL is evidence of China’s determination to be a major player in the world of data transfers. The PIPL states China’s aim to actively contribute to the setting of global data protection standards ‘with other countries, regions, and international organizations’ (Art. 12).

Other officially declared aims of the PIPL, more aligned to those of the GDPR and similar human-rights-based data protection laws, are:

  1. to protect the rights and interests of individuals (为了保护个人信息权益),
  2. to regulate personal information processing activities (规范个人信息处理活动),
  3. to safeguard the lawful and “orderly flow” of data (保障个人信息依法有序自由流),
  4. to facilitate reasonable use of personal information (促进个人信息合理利用) (Art.1).

However, unlike the GDPR (which does not cover national security, a matter outside the regulatory jurisdiction of the EU), China’s PIPL has other objectives, not least of which is its distinct ‘national security’ flavour, particularly around localization of data and restrictions on cross-border transfers.

The law includes provisions that affirm China’s intention to defend its digital sovereignty: overseas entities which infringe on the rights of Chinese citizens or jeopardize the national security or public interests of China will be placed on a blacklist, and any transfers of personal information of Chinese citizens to these entities will be restricted or even barred. China will also reciprocate against countries or regions that take “discriminatory, prohibitive or restrictive measures against China in respect of the protection of personal information” (Art. 43).

Personal Information Protection Law Overview

The PIPL applies in the public sector as well as in the private sector, and has data localization requirements with regard to PI processed by state organs, critical infrastructure operators, and other handlers reaching a specific volume of PI processed. Importantly, however, the PIPL will not prevent China’s central government from accessing data. It has been reported that there is little to indicate “anything resembling legal limits on government surveillance. … Chinese civil society still has very limited means of ‘watching the watchmen.’”

The PIPL applies to very broadly defined “personal information” (PI), a definition which includes the “identifiable” element found in the GDPR.

The PIPL provides rules for the processing of personal and sensitive information, including legal bases and disclosure requirements. These rules are similar to the GDPR’s lawful grounds for processing, but with “legitimate interests” notably missing.

It applies to the “handling” (rather than processing) of PI, which includes the “collection” of PI, meaning that a lawful ground is needed even before touching the data. A previous draft of the law said that data collectors must get user consent to collect data and that users can withdraw that consent at any time.

Companies that process data cannot refuse to provide services to users who don’t agree to having their data collected, unless that data is necessary for the provision of that product or service.

Additionally, the PIPL has rules for “handlers”, “joint handling” and “entrusted parties” that handle PI on behalf of handlers (similar to the GDPR concepts of controllers, joint controllership and processors), including agreements to be put in place similar to those under Art. 26 (joint controllers) and Art. 28 (data processing agreements) of the GDPR.

The law regulates personal information transfers outside of China by imposing obligations on handlers before transferring data abroad, such as passing a security assessment by the relevant authorities. It also mandates risk assessments (similar to a Data Protection Impact Assessment) for specific processing, including automated decision-making and handling that could have “a major influence on individuals.”

Data handlers must also appoint Data Protection Officers (DPOs) in specific situations, depending on the volume of PI processed, and conduct regular compliance training.

Individuals are granted an extensive number of “rights in personal information handling activities”. The PIPL provides for individual rights very similar to the GDPR’s “rights of the data subject”, such as erasure and access, and it specifically includes a right to obtain an explanation and a right to data portability, the latter introduced late, in the third version of the draft law.

Finally, the PIPL has a complex system of enforcement, including fines (which can go up to 5% of a company’s turnover), administrative action (including orders to stop processing, or confiscation of unlawfully obtained profit), individual rights to obtain compensation, and civil public interest litigation brought by a public prosecutor.

What to do next?

The PIPL has major impacts for any organisation doing business in China.

Although not effective until November 2021, we recommend that any organisation affected should start working on its compliance program right now.

Further resources

Future of Privacy Forum Blog:

https://fpf.org/blog/chinas-new-comprehensive-data-protection-law-context-stated-objectives-key-provisions/

iapp: https://iapp.org/news/a/china-adopts-national-privacy-law/