China passed its first comprehensive data protection law, the Personal Information Protection Law (PIPL), on 20 August 2021. It takes effect on 1 November 2021, leaving companies just over two months to prepare. The PIPL will affect any company that processes data in China or conducts business there.
The new law will reshape the handling of personal data in China and may require organizations to revisit their existing practices and procedures. While the PIPL is often described as "China's GDPR", it differs from the GDPR in its legal bases, rights, obligations and cross-border transfer rules, which are tailored to China's own purposes.
The PIPL defines "personal information" as all kinds of information relating to identified or identifiable natural persons, recorded electronically or by other means, excluding anonymized information. "Processing of personal information" covers activities such as the collection, storage, use, transmission, provision, public disclosure and deletion of personal information.
The PIPL applies to:
1. The processing of personal information within China, of PRC individuals.
2. The processing of personal information outside of China, of PRC individuals, if such processing is:
If a company outside of China conducts processing activities as described in (2) above, the PIPL requires it to establish an entity or designate a representative in China responsible for personal information protection matters, and to file the name and contact details of that entity or representative with the relevant Chinese authorities.
A cross-border transfer of personal information may only be made for "legitimate purposes" such as business needs, and the transferor must take the necessary measures to ensure that the overseas recipient's processing activities satisfy the protection standards set out in the PIPL. In addition, both a proper legal basis and the data subjects' consent are required for such a transfer to be lawful.
(1) Legal bases
The legal bases for cross-border transfers of personal information under the PIPL include:
Data subjects must be notified of the following matters and give their separate consent to the cross-border transfer of their personal information:
However, companies are strictly prohibited from providing personal information stored within China to foreign judicial or law enforcement authorities without the approval of the competent Chinese authorities, regardless of legal basis or consent. This will be a difficult issue to navigate for international companies with reporting obligations to regulators in their home jurisdictions.
Violations of the PIPL may lead to an administrative fine of up to RMB 50 million or 5% of the processor's turnover in the preceding year (it is unclear whether this refers to turnover in China or worldwide). Other penalties include orders for rectification, warnings, confiscation of illegal gains, suspension or termination of services, suspension of business for rectification, and revocation of operating permits or business licenses. The person in charge and other directly responsible individuals may also be personally fined or prohibited from acting as directors, supervisors, senior managers or personal information protection officers.
If a processing activity infringes the rights or interests of a large number of individuals, a public interest action may be brought by the authority responsible for criminal prosecution, by consumer protection organizations, or by other organizations designated by the cyberspace administration.