China Draft Personal Information Protection Law: Key Insights and Implications
Towards the end of 2020, China’s National People’s Congress published the much-anticipated draft Personal Information Protection Law (PIPL). A comprehensive national data protection law represents a significant milestone, in no small part because of the exponential growth of data-driven industries in China.
Aiming to protect the rights of Chinese citizens, the PIPL introduces rules for the collection and use of personal information. In doing so, it introduces concepts familiar to European companies, including the principles of transparency, data minimisation, fairness, purpose limitation, retention, accuracy and accountability.
In this article we consider some of the notable provisions, focusing on those most likely to be relevant to US and European organisations with a presence in China, or that offer goods and services to the Chinese market. We also set out some initial measures that organisations should consider ahead of the law’s formal enactment. (An unofficial English-language translation of the draft PIPL can be found here.)
Key PIPL provisions
Extra-territorial scope
The PIPL applies to the processing of personal information of individuals within the territory of the People’s Republic of China, and to processing outside China where goods or services are offered to individuals in China, where the behaviour of individuals in China is analysed or evaluated, or in other circumstances stipulated by law. Organisations outside China that fall within the PIPL’s scope are required to appoint representatives or establish entities within China responsible for the protection of personal information.
Responsibilities of Personal Information Processors
The PIPL does not differentiate between ‘data controller’ and ‘data processor’. Instead, it places responsibility on the organisations and individuals that process personal information of individuals in China. The responsibilities of ‘Personal Information Processors’ are similar to those of the ‘Data Controller’ under the EU’s General Data Protection Regulation (‘GDPR’). They are obliged to establish policies and procedures, conduct regular training and awareness activities, implement technical security measures and conduct regular audits of information processing activities.
Personal Information Processors are required to perform and maintain a record of risk assessments where processing activity may have a significant impact on individuals, including international transfers of personal information, processing of sensitive personal information, automated decision-making, and disclosure of personal information to third parties. This appears to align with (and expand on) the concept of privacy and data protection impact assessments, with which organisations doing business in the EU may already be familiar.
In some circumstances, Personal Information Processors are required to designate an individual responsible for the protection of personal information, which includes supervising the organisation’s processing activities and implementing mandated safeguards.
Legal bases for processing
For the processing of personal information to be lawful it must have a legal basis. The primary legal basis for processing remains consent, but the PIPL introduces further legal bases, including:
- Contractual necessity;
- Performance of legal duties or obligations;
- Protection of individuals in a public health or other emergency, or for security purposes;
- Reporting news or conducting a public opinion survey; and
- Other situations stipulated in other laws.
For those familiar with the GDPR, there is no equivalent to the legitimate interest legal basis.
Personal information
Similar to the GDPR’s definition, personal information is defined as “information that identifies or can identify individuals recorded electronically or by other means”. However, this does not include anonymised information.
Sensitive personal information
The PIPL describes sensitive personal information as information whose leakage or misuse could cause reputational damage or serious harm to a person or their property. The definition includes race, ethnicity, religion, personal biological characteristics and health information, as well as financial and location information. Political views or opinions are not explicitly included in the definition.
For sensitive personal information to be processed lawfully, two conditions must be met. First, there must be a specified purpose and sufficient need for the processing; secondly, Personal Information Processors must obtain the data subject’s consent in each case.
Where the Personal Information Processor knows or should know that the personal information processed relates to minors under 14 years old, legal guardian consent must be obtained.
International transfers and data localisation
The PIPL sets out strict requirements for international transfers of personal information, permitting them only where one of the following conditions is met:
- A certification assessment has been conducted by a professional body;
- A contract has been put in place with the overseas recipient defining the rights and personal information handling obligations of both parties; or
- The transfer complies with laws, administrative regulations, or provisions of the State Internet information departments.
As well as obtaining consent from individuals, Personal Information Processors must also notify the relevant individuals of the identity and contact details of any overseas recipient, the purposes and means of processing, the types of personal information processed, and how to exercise their individual rights against the overseas recipient.
Critical information infrastructure operators and Personal Information Processors that process a volume of personal information exceeding levels specified by the Cyberspace Administration of China (CAC) must store this information within the country. Data exports must be subject to a security assessment by the CAC (which may include review of transfer contracts or agreements, subject to clarification by the CAC), unless another law, administrative regulation or state department provides that such an assessment is not necessary. Further clarification is required as to how security assessments should be undertaken, and whether a new assessment would be required for each individual transfer.
Individuals’ rights
Under PIPL, individuals have the right to be informed that processing is happening, to restrict or object to the processing of their data, and to obtain a copy of, update, or delete their information. Personal Information Processors should outline the means by which individuals can exercise these rights.
PIPL may also require organisations to delete personal information under certain circumstances, such as where the individual has withdrawn their consent, or the organisation has ceased provision of related goods or services to the individual.
Transparency in automated decision-making
Decision-making must be transparent and the outcome of data processing must be reasonable and fair. Individuals who believe that automated decision-making has a significant impact on their rights and interests can request an explanation and can refuse to accept automated decision-making.
Penalties and liability
Authorities responsible for regulating personal information processing include the CAC, the relevant departments of the State Council and the related departments of local county-level governments.
While specific enforcement mechanisms are yet to be determined, powers under the draft law include on-site and in-person investigation and auditing powers, and confiscation of illegal gains. Further sanctions can include suspension of business activities and revocation of business permits or licences – arguably the most significant sanction for organisations that do not follow the new requirements.
The draft law stipulates significant penalties for infringements, including fines of up to RMB 50 million ($7.4 million) or up to 5% of the organisation’s turnover for the last financial year. Accountable individuals and other directly responsible persons can now be fined up to 1 million RMB ($150,000), although further clarification is needed as to possible mitigating factors around these penalties.
The draft law also introduces provisions for ‘blacklisting’ companies. If processing activities harm the rights of Chinese individuals or endanger national interests or security, organisations could be added to a ‘blacklist’ prohibiting them from further processing.
How could this impact organisations?
The draft law represents a new era for data protection and related individual rights in China, and any organisation that is established, or is looking to establish itself, in the Chinese market should monitor the law’s passage and implementation. It remains to be seen exactly how the process will unfold, but early indications suggest the legislation could be finalised and officially promulgated by this spring or summer. It is unclear whether there will be a transition period for organisations to adapt to the law.
While the PIPL’s new approach will allow more flexibility in the handling of personal information, it will also have significant implications for foreign entities processing Chinese citizens’ personal information. Organisations that have already aligned with the EU’s data protection regulations will be off to a fairly strong start when it comes to adapting to the PIPL. Taking proactive steps, such as implementing or updating organisational policies, operational controls or information transfer agreements, will help manage and mitigate risks ahead of time.
Before PIPL enters into force, organisations should evaluate the extent of their potential exposure, establish their risk appetite, assess controls and consider resource and budget allocations, proportionate to the volume and nature of personal information processing activities in the Chinese market.
Practical Response
Below we cover some key considerations for organisations wishing to evaluate the extent of their exposure to PIPL. Practical measures to mitigate risk and manage relevant processing include:
Reviewing and updating existing data protection policies and procedures
- Update existing data protection policies to include provisions contained in the PIPL or adopt local policy aligned to China-based operations; and
- Assess whether relevant systems and business processes contain functionality or flexibility to be able to meet individual rights requests.
Reviewing and updating privacy impact assessments (PIA) methodology to include due consideration of personal information handling activities in China and assessing the scope and nature of international transfers from China
- Review and update data inventories/records of processing activities and map information processing activities to understand processing operations, including those involving international transfers to/from China;
- Identify and prioritise international transfers according to the volume and type of information processed, the sensitivity of the information involved and the frequency of transfers (e.g. cloud computing and infrastructure storage solutions); and
- Determine whether personal information handling operations would be caught by data localisation provisions.
Analysing international information transfer mechanisms and safeguards including information transfer agreements
- Determine existing transfer mechanisms for key processing operations both on an intra-group basis and amongst third party service providers and vendors;
- Record potential risks involved in the transfers for relevant processing operations; and
- Initiate remediation and mitigation actions where practicable, e.g. review and updating of high-risk vendor contracts.
Establishing governance policies and structures
- Determine whether a representative or established entity can act as the responsible representative for information protection affairs in China; and
- Evaluate the effectiveness of existing privacy procedures and, if necessary, consider developing local operating guidance and training to support staff.
Monitoring regulatory updates and guidance
- Given the significant enforcement prospects from Chinese authorities (with potential fines higher than under the GDPR), continue to monitor for clarifications and modifications to the draft law;
- Monitor guidance from Chinese authorities on approaches to compliance with the PIPL and update policies and procedures as and when necessary; and
- Communicate to senior management the implications of the future law and its potential impact on relevant systems and business operations.
A&M: Leadership. Action. Results.
A&M’s privacy and data protection professionals have extensive operations and advisory experience together with a proven track record in leading businesses through tough, complex situations. To learn more about our expertise and to understand the full scope of our services, please get in touch with one of our authors.