On 20 August 2021, China passed the Personal Information Protection Law (PIPL), which lays out for the first time a comprehensive set of rules covering data processing. The release of the PIPL, which will take effect on 1 November 2021, completes the trifecta of China’s foundational data governance regime – together with the Cybersecurity Law and the Data Security Law. This will usher in a new age of data compliance.

Scope

The PIPL applies to all data processing activities in China, including collection, storage, use, transfer, offering, disclosure, and deletion. In addition, data processors based abroad who need to deal with personal information from China in order to provide Chinese customers with products and services, or to analyse and assess their behaviors, also fall under the governance of the PIPL. These overseas data processors shall establish a special agency or appoint a representative within the territory of China to manage personal information protection-related affairs.

Principles

According to the PIPL, personal consent is the key prerequisite for the processing of personal information. Personal consent is not required when data processing is necessary to perform statutory responsibilities, to handle public health emergencies, or when the personal data is already disclosed.

Sensitive information

The PIPL gives a clear definition of ‘sensitive personal information’. Sensitive personal information refers to personal information that, if leaked or used illegally, will easily lead to infringement of human dignity or harm the personal or property safety of an individual. Generally, such information includes biometric recognition, religious belief, specific identity, medical and health, financial account, and personal whereabouts information, as well as any personal information of a minor under the age of 14.

Personal information processors may process sensitive personal information only when there is a specified purpose and justifiable necessity; in any case, they must inform the individual of the impact of the data processing on the individual’s rights and interests.

Cross-border data transfer

Personal information processors in China may transfer the collected personal information to overseas information recipients only if they (i) pass the security assessment organized by the national cyberspace authority, (ii) obtain a certification of personal information protection from a professional institution, or (iii) sign a standard contract provided by the national cyberspace authority with the overseas information recipient.

Conclusions

According to the PIPL, there are two relevant circumstances for overseas enterprises involved in data processing. If the China-based subsidiary of a foreign company needs to transfer the personal information collected in China to its overseas headquarters for business purposes, it must meet one of the three conditions specified in the previous section. However, there are still no specific measures and details on the security assessment and on the certification process.

Foreign companies that do not have branches in China, but provide products or services to Chinese customers, are equally required to comply with the PIPL even though all their data processing activities are conducted outside China. They also need to set up a special office or representative in China to deal with personal information protection.

This means that all companies dealing with Chinese consumers have to be compliant with the PIPL. Foreign companies should first understand the provisions in the PIPL and the Data Security Law, and monitor new related regulations and implementation rules.

The English version of the Personal Information Protection Law is available here.
