China's PIPL

The Personal Information Protection Law of the People's Republic of China (PIPL) comes into force on November 1, 2021. Its goal is to protect personal data belonging to the people of China, and to empower individuals to take charge of their own data privacy.

There's a translation of the text available through Stanford's DigiChina Project, which is committed to translating Chinese primary sources to make them more accessible.

If you're a business with any clients or customers in China, or you plan on targeting a Chinese audience, here's how the Law works and how you can ensure compliance.


How China's PIPL Defines "Personal Information"

As set out in Article 4, personal information is any kind of information relating to an identifiable person, but it doesn't include anonymized data:

Stanford PIPL translation: Article 4 excerpt

This is a broad definition, so it's best to assume any data could be personal information unless proven otherwise.

Sensitive information is defined in Article 28 as data which could harm the individual if it falls into the wrong hands, e.g. location tracking data, medical status, or financial information:

Stanford PIPL translation: Article 28 excerpt

You can't handle sensitive data unless there's a clearly indicated purpose. You should also be very cautious if you process data belonging to minors, e.g. if you run an app or website aimed at teenagers.

What "Processing of Personal Information" Means Under PIPL

You are "processing" or "handling" personal data under the PIPL if you do any of the following with it:

  • Collecting
  • Using
  • Sharing
  • Storing
  • Transmitting or transferring

Several rules apply to personal data processing:

  • You can't handle personal data in a misleading or fraudulent manner (Article 5).
  • It's only permissible to collect data for a specified purpose, and you should minimize the amount of data you need to capture (Article 6).
  • You must clearly disclose why you need personal data, how you process it, and who you share it with (Article 7).
  • Businesses must implement safeguards to protect data which falls under their responsibility (Article 9).

In many ways, these rules are similar to those found in the GDPR.

When Does PIPL Apply?

The PIPL applies if you process any personal data belonging to residents of China. So, even if you're not physically based in China, any Chinese individuals you target for the sale of goods and services are protected by the Law.

This is all set out in more detail in Article 3 of the PIPL.

Rights of the Individual Under China's PIPL

The Personal Information Protection Law gives individuals a whole host of rights over their personal data and how it's used by organizations. If you're handling personal or sensitive data, you must comply with these rights at all times.

Article 15: Right to Withdraw Consent

If someone consents to a business capturing their personal data, they have the right to withdraw that consent at any time.

You can help people exercise their right to withdraw consent by setting out a clear procedure in your marketing emails and Privacy Policy.

Here's an example from the "What Choices Do I Have Regarding My Personal Information" section of Billabong's Privacy Policy:

Billabong Privacy Policy: Opt Out of Marketing Emails and Texts clause

Article 16: Right to Non-Discrimination

Businesses can't discriminate against a customer for exercising their right to withdraw consent.

This means that unless you need the data to perform a contract, e.g. a contract of sale, you can't withhold services from someone just because they're preventing you from capturing their data.

Article 17: Right to Be Informed

Before someone gives you their data, they have the right to know:

  • Why you collect the data
  • How long you retain the data
  • How people can exercise their data privacy rights
  • How they can contact you

Tim Hortons, for example, uses its Privacy Policy to set out in simple, short bullet points what kind of data it collects and how it's used:

Tim Hortons Privacy Policy: Information We Collect and How We Use Information clauses

Use similar strategies when drafting your own Privacy Policy clauses.

Article 24: Right to Refuse Automatic Decision Making

People have the right to opt out of automated decision making based on personal data.

If you use personal data or automated decision making in your marketing, then you must give people the choice to reject being part of this.

Article 44: Right to Make Decisions Regarding Personal Information

People should know they have control over their personal data. They are able to decide who accesses and/or handles their data.

Article 45: Right to Data Portability

People can request a copy of their personal data in a portable format, e.g. by email, PDF, or another method which suits them. You should provide the data in a timely manner, but what counts as "timely" isn't specifically defined.

Article 46: Right to Amend

You must let people amend their personal data if they discover it's inaccurate or incomplete in some way. If someone asks you to correct their data, again, you should do this in a timely manner so you're not acting on outdated information.

Article 47: Right to Request Deletion

Finally, people have the right to request that you delete their data. You should comply unless there's a justifiable reason why you can't, e.g. you need the data to comply with other legal obligations.

How to Present User Rights

The easiest way to inform people of these rights is to draft a Privacy Policy. We cover these policies in detail in other articles, but in short, a Privacy Policy sets out your stance on privacy matters, and it should be clear, user-friendly, and easy to understand.

You need a Privacy Policy to comply with laws such as the GDPR, so it's in your interests to draft one as soon as possible. Just be sure that your policy also complies with the PIPL, because it's slightly different from the EU Regulation.

The PIPL and Lawful Basis for Processing

Under the PIPL, a company must have a lawful basis for processing personal data. The grounds are set out in Article 13. In short, a company can't process personal data unless one of the following grounds applies:

  • The individual consents
  • A contract can't be performed without the data, e.g. a contract of sale
  • The company needs the data to perform a statutory obligation
  • It's essential for protecting life
  • The data is necessary for reporting news, within reasonable grounds
  • The company is processing data which the individual has already disclosed lawfully to them

If you plan on relying on individual consent, you must ensure that consent is clear and freely given as set out in Article 14:

Stanford PIPL translation: Article 14 excerpt

You must also get separate consent if you want to process sensitive data, or share personal data with other companies.

Finally, if you know or should reasonably know that you're handling data belonging to under-14s, you must get parental or guardian consent to processing.

Article 55 Impact Assessments

Under Article 55, companies must perform "personal information protection impact assessments" if they:

  • Process sensitive data
  • Transfer any personal data overseas
  • Share personal data with other companies or entities, or
  • Perform any other act which may significantly affect an individual's privacy rights

So, if for example you're processing religious or political data, or you're transferring data to a processor based in another country, you must perform an impact assessment.

Article 56 covers what must be considered as part of your assessment. You should consider:

  • The impact of your activities on individual privacy rights
  • What steps you can take to protect the data, which must be proportionate to the level of risk involved
  • Whether it's reasonable and proportionate to process data in this way

In other words, if you can't justify the need for processing personal data in a certain way, or if you can't safeguard the information effectively, you shouldn't perform the action. You must also keep a record of the impact assessment for three or more years:

Stanford PIPL translation: Article 56 excerpt

Transferring Personal Data Overseas Under the PIPL

While it's fine to send personal data overseas, you must comply with certain rules to do so.

Most importantly, you can't transfer personal data outside China unless you have a lawful basis for sharing the data and you get the individual's specific, informed consent to the transfer. In addition:

  • There should be sufficient security measures in place to protect any data before, during, and after the transfer
  • You must keep a clear record of any overseas data transfers you make
  • Before you make the transfer, you should conduct an impact assessment to consider any risks involved in sharing the data

You should check for additional guidance from the Cyberspace Administration of China (CAC) before making any overseas transfers.

Reporting Data Breaches

The rules for data breach reporting can be found in Article 57.

In summary, you must inform the department performing data protection duties if you know or suspect that personal data has been lost, leaked, or compromised in some way. You should set out:

  • What information was (or may have been) compromised
  • Any steps you took to limit the damage or remedy the situation, e.g. fixing a security malfunction
  • How the department can contact you to discuss the breach further

You don't need to inform individuals unless actual harm has been caused, or the relevant department believes that harm will be caused.

Obligations for Personal Data Processors

As a company processing personal data, you have certain obligations under PIPL which can be summarised as follows:

  • You must implement a secure system for processing and managing personal information
  • You can't process personal data without appropriate security safeguards in place, e.g. encryption and de-identification
  • It's crucial that you provide regular training and cybersecurity guidance to staff
  • Compliance audits must be completed at regular intervals
  • You must abide by any other security requirements introduced by the PIPL

And, finally, you must remember that you need a lawful basis for processing personal data. Your responsibilities are set out in more detail in Article 51 of the Law:

Stanford PIPL translation: Article 51

Penalties for Breaching the PIPL

The financial penalties for breaching the PIPL can be steep, and they apply if you break the law or fail to take sufficient steps to protect personal data in your possession. You might also face a court action from affected individuals if you fail to let them exercise their privacy rights under the PIPL.

  • You will normally be contacted by a regulatory body and given the chance to fix the problem before fines apply
  • If you fail to fix the problem, you could be fined up to RMB 1 million (approx. $154,000)
  • Individuals can also be held personally liable, depending on the nature of the breach

If the breach is sufficiently serious, then you might face additional sanctions, such as:

  • Seizure of income
  • Business closure
  • Fines of up to 5% of your annual revenue

Given how severe these penalties can be, you should get legal advice if you're worried about meeting your PIPL compliance obligations.

Conclusion

China's Personal Information Protection Law (PIPL) is a huge step forward for Chinese privacy law. The law is designed to help people protect their personal and sensitive data, and to ensure companies take appropriate steps to safeguard any data provided to them.

  • Companies need a lawful basis for processing any personal data.
  • Individuals can sue companies who refuse to let them exercise their privacy rights.
  • You need additional consent for processing sensitive data or sharing it with external entities.
  • It's a breach of the law to send data overseas without performing an impact assessment.
  • Data breaches must be reported to the appropriate authorities and, where appropriate, affected individuals.
  • Failing to fix any data breaches flagged by regulatory bodies could result in steep financial penalties.

Ensure compliance by:

  • Obtaining clear, free, and informed consent wherever necessary
  • Drafting a Privacy Policy to explain what rights users have, and how they may exercise them
  • Reporting data breaches as soon as you're aware of them, and taking steps to mitigate damage
  • Complying with any orders set out by the regulatory bodies
  • Keeping an eye on the law for any changes or updates. It's relatively new, so further guidance will likely appear as time goes on.