China’s Personal Information Protection Law (PIPL): Key Questions Answered

After two rounds of public consultation, China’s new omnibus data privacy law – the Personal Information Protection Law (个人信息保护法, PIPL) – was officially promulgated by the Standing Committee of the National People’s Congress on August 20, 2021 and will take effect on November 1, 2021.  

The drafting of PIPL was heavily influenced by the EU General Data Protection Regulation (GDPR) and PIPL follows GDPR closely in many areas. Nonetheless, PIPL has a number of distinct features and global companies need to understand these in particular.

In this alert, we address a number of questions often asked about China’s PIPL, including what companies ought to do to get ready for it.

1. What is personal information (PI), and what is sensitive PI?

• PI refers broadly to information related to an identified or identifiable natural person that is recorded electronically or by other means, excluding anonymized information.
• Sensitive PI refers to PI where the disclosure or illegal use of the information may easily lead to the infringement of an individual’s personal dignity or harm to personal or property safety. PIPL offers as examples information about biometrics, religious beliefs, “specific identity” (a term that is understood to cover personal attributes such as gender identity and sexual preferences), medical health, financial accounts, whereabouts, and any PI relating to minors under the age of fourteen.

2. Who must comply?

The principal provisions of PIPL apply to the “handling” of PI (个人信息处理) and to “PI handlers” (个人信息处理者).

The term “PI handling” includes, without limitation, the collection, storage, use, processing, transmission, provisions, public disclosure, and deletion of PI. 

A “PI handler” under PIPL is similar to the concept of “data controller” under GDPR and refers to an organization or individual that, when handling PI, independently determines the purpose and method of handling.

As a jurisdictional matter, PIPL applies primarily to PI handling undertaken within China. However, similar to GDPR, PIPL seeks to have extraterritorial reach. PIPL also applies to the PI of natural persons in China undertaken from outside China that is handled:

• For the purpose of providing products or services to natural persons in China;
• To analyze and evaluate the behavior of natural persons in China; or
• Under any other circumstances stipulated by laws or regulations.

PIPL requires overseas parties engaged in data-handling activities that fall within the ambit of PIPL to set up an institution or designate a representative within China that is responsible for handling matters relating to PI protection, and report their name and contact information to the competent authority.

PIPL also includes broadly-drafted language extending its reach to organizations and individuals outside China that harm PI-related rights or interests of PRC citizens or undertake PI handling activities that harm national security or the public interest, and contemplates that the Cyberspace Administration of China (CAC) may add them to a public list and take measures such as restricting or prohibiting the provision of PI to them.

3. What information should be provided before handling any PI?

PIPL includes robust disclosure requirements. A PI handler must disclose the policies it follows in handling PI and the specific purpose, method, and scope of its PI-handling activities.

Before handling an individual’s PI, a PI handler must disclose to the individual in a conspicuous manner and in clear and understandable language:

• The name and contact details of the PI handler;
• The purpose of handling the PI, the handling method, the types of PI handled, and the retention period;
• The methods and procedures for the individual to exercise his or her rights under the law; and
• Any other information required to be disclosed under laws or regulations.

Additional notice requirements are applicable to handling of sensitive PI, cross-border PI transfers, and provision of PI. See below for details.

4. What are the lawful bases for handling PI?

The lawful bases for handling PI provided for under the PIPL include:

• Consent: Where the individual has consented to the PI handling. If PI of a minor under the age of fourteen is involved, consent of the minor’s parent or other guardian must be obtained;
• Contract/HR management: Where the handling is necessary for the conclusion or performance of a contract to which the individual is a party or necessary for the implementation of human resources management in accordance with lawfully formulated employment policies and rules and a lawfully concluded collective agreement;
• Statutory duties or obligations: Where the handling is necessary to perform a statutory duty or obligation;
• Public health emergencies or vital interests: Where the handling is necessary to respond to a public health emergency, or to protect the life, health, and property safety of a natural person in an emergency situation;
• Public interests: Where the handling is for public interests such as news reporting or “public opinion supervision” and is within a reasonable scope;
• Public information: Where the PI being handled has been lawfully disclosed to the public and the handling is within a reasonable scope; and
• Any other circumstances stipulated by laws or regulations.

Pre-PIPL, consent was virtually the only lawful basis to handle PI. PIPL adopts some but not all legal bases provided for under GDPR. Most notably absent from PIPL is the broadest basis under GDPR, namely “legitimate interest.” For the time being, therefore, consent appears to be more pivotal under PIPL than under GDPR, although we also note that the drafters of PIPL have left flexibility for additional bases to be added later on via implementing regulations.

5. Who is subject to data localization?

PIPL broadens a data localization requirement first introduced in the Cyber Security Law (CSL), which came into effect on June 1, 2017. The CSL requires operators of critical information infrastructure (CII) to store in China PI and important data collected and generated during business operations in China.

In respect of PI, PIPL expands this requirement beyond CII operators, to include all PI handlers handling PI in volumes exceeding a certain threshold to be prescribed by the CAC. At the time of writing of this alert, the threshold has still not been established.    

6. What restrictions apply to cross-border PI transfers?

A PI handler with a genuine business need to provide PI outside the China may do so if they satisfy one of the following conditions:

• Pass a security assessment organized by the CAC, if the export is made by a CII operator or a PI handler handling PI in volumes exceeding a to‑be‑stipulated threshold – i.e., if the export is made by a party subject to the data localization obligation discussed in Question 5;
• Undergo PI protection certification by a specialized agency;
• Conclude a contract with the overseas recipient in the standard form promulgated by the CAC; or
• Other conditions prescribed by laws, regulations, or the CAC.

Implementing measures for each of these cross-border transfer mechanisms have yet to be issued.

The PI handler must take necessary measures to ensure the overseas recipient’s PI handling meets the PI protection standards specified in PIPL.

The PI handler must also inform the individual of the name and contact information of the overseas recipient, the purpose and method of handling, the types of PI, and how an individual can exercise his or her rights with the foreign recipient, as well as obtain the individual’s separate consent (unless a lawful basis other than consent is applicable).

As discussed in response to Question 10, cross-border PI transfers will trigger a protection impact assessment (PIA) requirement.

Similar to the Data Security Law, PIPL makes the provision to foreign judicial or law enforcement institutions of PI stored in China subject to regulatory approval.

7. What individual rights does PIPL provide?

PIPL provides individuals with various rights concerning their PI, including:

• The right to be informed, restrict handling and object to handling;
• The right to access their PI and request copies;
• The right to portability;
• The right to rectify;
• The right to delete;
• The right to require explanations; and
• Rights related to automated decision-making.

8. How should we handle sensitive PI?

When handling sensitive PI, a PI handler must, in addition to complying with the notice requirements that apply generally to PI handling, also inform the individual of the necessity of the handling of the PI and its impact on his/her personal rights and interests.

The PI handler must have a specific purpose and sufficient necessity and take strict protective measures before handling sensitive PI.

Where the handling of sensitive PI is based on consent, the PI handler must obtain the individual’s “separate consent” (单独同意), unless laws or regulations require that written consent be obtained.  In using the term “separate consent” in a number of provisions, the final version of PIPL moved away from the terms “explicit consent” (明示同意) and “express consent” (明确同意) used in previous laws and standards.  PIPL offers no guidance on the meaning of the term, although we anticipate that a separate check box or a separate pop-up window/page will be needed to meet separate consent requirements under PIPL.

9. How should we share PI with others?

Where a PI handler provides any PI to another PI handler, it must inform the individual of the recipient’s name and contact information, the purpose and method of handling, and the types of PI, and obtain the individual’s separate consent.

When entrusting the handling of PI to another person, a PI handler must agree with the entrusted person (similar to the concept of “data processor” under GDPR) on the purpose, term, and handling methods of the PI, the types of PI involved, the protective measures to be implemented, and the respective rights and obligations of the PI handler and the entrusted person. The entrusted person must not handle PI beyond the agreed scope. Without consent of the PI handler, the entrusted person cannot further entrust the handling of the PI to other persons. 

Data sharing will trigger a PIA requirement, as discussed in our response to Question 10.

10. Is there a requirement to conduct a PIA?

Yes. A PI handler must conduct a PIA before carrying out any handling activities that could have a major impact on individuals’ rights and interests, including:

• Handling of sensitive PI;
• Using PI for automated decision-making;
• Entrusting handling to other parties, providing PI to other handlers, and disclosing PI publicly; and
• Transferring PI outside China.

Relevant records must be retained for at least three years.

11. How should we handle PI breaches?

Where a data breach occurs or may occur, a PI handler must immediately take remedial measures and notify the competent authority and the relevant individuals. However, PIPL does not impose a specific 72-hour notification obligation as GDPR does.

According to PIPL, a data handler does not have to provide notification to affected individuals if the breach does not cause any harm. However, notification to the relevant authority is not exempted and the authority has the power to mandate a notice to relevant individuals if it takes the view that any harm may be caused by the breach.

12. Should we appoint a DPO?

A PI handler handling PI in volumes exceeding the threshold prescribed by the CAC must designate a person in charge of PI protection (similar to the DPO requirement under GDPR) to supervise PI handling activities and the implementation of protective measures. The PI handler must publicly disclose the contact information of its DPO and report the DPO’s name and contact information to relevant authorities.

At the time of the writing of this alert, the threshold has not been established.

13. What are penalties?

Penalties under PIPL include an order to rectify, a warning, confiscation of illegal gains, and, in the case of an application that illegally handles PI, an order to suspend or terminate the provision of services. A fine of up to RMB1 million (approx. USD150,000) will be imposed concurrently for a refusal to make rectification; and a fine ranging from RMB10,000–100,000 (approx. USD1,500–15,000) will be imposed on the person directly in charge and other directly liable persons.

Where circumstances are deemed serious, a violation could result in, among other penalties, a fine of up to RMB50 million (approx. USD7.5 million) or 5% of the previous year’s turnover. A fine ranging from RMB100,000–1 million (approx. USD15,000–150,000) on the person directly in charge and other directly liable persons can be imposed.

14. How should we prepare for the new law?

In many respects, the promulgation of PIPL does not represent a radical departure from either pre-PIPL privacy rules in China or the overall approach taken in GDPR. Companies that have already taken account of Chinese rules in their personal data practices, and that follow GDPR standards in their Chinese operations, may already be in reasonably good shape regarding many of the requirements of the new law.

However, a key challenge for global companies is to comply with PIPL rules governing cross-border transfers of personal information. These rules are more stringent than the provisions under either GDPR or pre-PIPL privacy rules in China and so focusing on them ought to be a priority. Implementing technical and operational measures to address the new rules may require extensive lead time. We therefore strongly recommend that companies review their current arrangements with specialist counsel as soon as possible in order to maximize the time available for implementation before the November 1, 2021 date when PIPL comes into force.

The implementation schedule for PIPL is unusually brisk. The approximate 10-week gap between the date of promulgation of PIPL and the date it comes into force contrasts with the close to
30-week gap when the CSL was first introduced. We expect implementing measures to be issued soon to specify the mechanics needed to implement certain PIPL provisions, such as those applicable to cross-border transfers of PI, but certain aspects of PIPL will most likely remain unclear for some time after the law comes into force. We will monitor developments leading up to November 1, 2021 and thereafter.

As further explained in the Terms / Notices linked below, the information provided herein is not legal advice. Any information concerning the People’s Republic of China (“PRC”) is not an opinion on, determination on, or certification of the application of PRC law. We are not licensed to practice PRC law.