This article is written by Gayathri, pursuing Diploma in Cyber Law, FinTech Regulations, and Technology Contracts from LawSikho. The article has been edited by Prashant Baviskar (Associate, LawSikho) and Smriti Katiyar (Associate, LawSikho).
Privacy of an individual or of the companies is important today as personal data passes through borderless networks due to the use and sharing of personal information to third parties without notice or consent of consumers. As of January 2021, with 130 jurisdictions – 128 out of 194 countries have adopted the legislation to secure the protection of data and privacy in which some countries have adopted sectorial or omnibus coverage having inconsistent regulation (UNCTAD, 2021) and (i-Sight, 2021). Figure 1 depicts the world map which has adopted the data protection and privacy legislation.
On August 20, 2021, The National People’s Congress (NPC), adopted the ﬁrst Chinese comprehensive data protection law called Personal Information Protection Law (PIPL) both in China and Hongkong. The law will be effective from November 1, 2021, and works together with existing laws – the Cybersecurity Law (“CSL”) and the Data Security Law (“DSL”). Many companies in China are already coordinating with relevant enforcement agencies for complying as the law enhances the scrutiny over the Tech sector by the government. (Hunter Dorwart; Gabriela Zanfir Fortuna; Clarisse Girot, 2021).
According to China’s official news agency, scrutiny increases on Tech giants like Alibaba, Tencent, the taxi-hailing company – Didi and Foreign companies in China, etc., by prohibiting the illegal collection, usage, processing, transmission, disclosing and trading of people’s personal data with others. The consent of the individual should be obtained before processing of their sensitive personal information e.g., biometrics, medical and health, financial accounts, their whereabouts etc., “pushing, publication, data transferring or business marketing with the information of individuals through automated decision-making, personal information processing should provide the option of not targeting the personal characteristics or offering ways to reject the same.
|Figure 1: Countries adopting the Data Protection and Privacy Legislation as of January 2021|
With the adoption of the new Protection Law in China, why do some companies feel that it has an impact on the global effect? This can be understood from the provisions in PIPL regarding; Scope of -Personal Information- Sensitive Personal Information and Processor, Processing, Special Processing, Territory and cross border transfer provisions, The rights, obligations and Enforcements, and understanding the Pros and Cons of law.
Scope of personal information : sensitive personal information and processor
For the ﬁrst time, the PIPL introduces the concept of “personal information processor”, which refers to the organizations and individuals who decide independently on the processing methods and the purpose of the personal information. “Personal information processing” is deﬁned as inclusion, but not limited to, the collection, storing, using, processing, transmitting, provisioning, disclosing, and deleting personal information. In addition to ‘personal information’ that is as deﬁned in the CSL, the PIPL deﬁnes “sensitive personal information” – the leakage or illegal use of which could easily lead to the violation of the personal dignity of a natural person or harm to person or property safety. This is the ﬁrst national law in the PRC that deﬁnes sensitive personal information and sets out relevant obligations on processors handling information.
Now as per the PIPL, (a) “Personal Information” is all information that identifies or is identifiable of persons either electronically or otherwise recorded (such as videos, voice or image data), and excluding anonymised information. The “anonymisation” is different from “de-identification”, as it is still Personal Information. (b) “Processing” is the collecting, storing, using, processing, transmitting, provisioning, disclosing or leaking and or deleting Personal Information. and (c) the “Personal Information Processor” (PIP) means the organisation or person processing Personal Information or who can determine the purpose and the method of processing.
Processing legal aspects in PIPL
Prior to the adoption of PIPL, CSL’s – “notiﬁcation and consent” was only the legal basis for processing personal information. The PIPL widens its ground based on data minimisation principles where,
In addition to the above, the Processor has to understand – where to,
PIPL also sets the additional requirements for the processor to notify and take the consent of the individual involved regarding where and when the,
PIPL also sets the Obligations and Responsibilities on all the processors that include:
Special processing : legal aspects in PIPL
|PIPL defines the responsibilities and the obligations for the special processing activities, which are classified as:|
The law does not specify whether joint and several liabilities would arise in the event of violation by either party.
Territory and cross border transfer provisions
The PIPL applies within the territory of the PRC. In addition to this, it is applicable outside the territory of the PRC provided the:
|In addition, one of the following conditions is to be satisfied:|
The overall Requirements for Cross-Border transfer of information are depicted in Table-1 below
|Table 1 – Requirements for Cross-Border Transfer of information|
The rights, obligations and enforcements as per Personal Information Protection Law (PIPL)
The rights of individuals
Various individual rights recognised by PIPL in relation to their personal information are listed below. The individuals have the right to:
The obligations of processors
The major obligations of processors are:
The obligations and penalties enforced when the Personal Information processing is in violation or noncompliance with the PIPL are:
If the breach is particularly egregious, in addition to the penalties listed above, the PIP and DPO or other directly liable individuals may be subject to additional penalties, including:
Understanding the pros and the cons of PPIL
(https://www.easyllama.com/blog/pros-and-cons-of-privacy-laws) (EasylLama, 2021)
China focuses on Personal Information Protection with the new law PIPL which will be in force from November 2021. This law strengthens the individual’s autonomy and rights by keeping regulators’ eagle’s eyes on PIP’s.
As of date the social media and internet service providers are holding and using a lot of personal data. The use of it will be affected due to the PIPLs implementation.
Convergence of international data privacy regulations and adoption of some favoured international principles are seen in PIPL. Hence the processors need to be cautious in the data mining and the distribution process due to the restrictions in the new law.
On one hand, the act protects the individual’s rights from predatory online behaviours, on the other side, the potential of high exploitation and abuse due to loose and unstreamed clauses in law can be seen along with the requirement of heavy investments for data-mining companies.
|Abbreviations used in this Article|
|ADM||–||Automated Decision Making|
|CAC||–||Cyberspace Administration of China|
|DSL||–||Data Security Law|
|NPC||–||National People’s Congress|
|PIP||–||Personal Information Processor|
|PIPL||–||Personal Information Protection Law|
|PRC||–||People’s Republic of China|
|RMB||–||Ren Min Bi – Chinese Currency|
- Bingna; Guo Christopher; Kelly Paul; Tang Bob Li. (2021). China Personal Information Protection Law Will Become Effective Soon. White and Case. https://www.whitecase.com/publications/alert/china-personal-information-protection-law-will-become-effective-soon#
- EasylLama. (2021). The Pros And Cons Of Privacy Laws For Consumers And Corporations. EasylLama. https://www.easyllama.com/blog/pros-and-cons-of-privacy-laws
- Hindustan Times. (2021). China passes robust legislation on data protection. Hindustan Times. https://www.hindustantimes.com/india-news/china-passes-robust-legislation-on-data-protection-101629483724870.html
- Hunter Dorwart; Gabriela Zanfir Fortuna; Clarisse Girot. (2021). China Enters a New Era of Personal Information Protection Law: Context, Stated Objectives, Key Provisions. Future of Privacy Forum https://fpf.org/blog/chinas-new-comprehensive-data-protection-law-context-stated-objectives-key-provisions/
- i-Sight. (2021). A Practical Guide to Data Privacy Laws by Country . i-Sight. https://www.i-sight.com/resources/a-practical-guide-to-data-privacy-laws-by-country/#China
- Rajah and Tann Asia. (2021, September 24 2021). China Enters a New Era of Personal Information Protection. Lexology. https://www.lexology.com/library/detail.aspx?g=1dc1bc10-a06e-49ff-9a09-b8ffead18e21
- UNCTAD. (2021). Data Protection and Privacy Legislation Worldwide. United Nations Conference on Trade and Development. https://unctad.org/page/data-protection-and-privacy-legislation-worldwide
- Watkins, L. (2021). China Introduces First Comprehensive Legislation on Personal Information Protection. Latham and Watkins. https://www.lw.com/thoughtLeadership/china-introduces-first-comprehensive-legislation-on-personal-information-protection
- (https://www.hindustantimes.com/india-news/china-passes-robust-legislation-on-data-protection-101629483724870.html) (Hindustan Times, 2021)
- (https://www.lexology.com/library/detail.aspx?g=1dc1bc10-a06e-49ff-9a09-b8ffead18e21) (Rajah and Tann Asia, 2021).
- (https://www.whitecase.com/publications/alert/china-personal-information-protection-law-will-become-effective-soon#) (Bingna; Guo Christopher; Kelly Paul; Tang Bob Li, 2021)
- (https://www.lw.com/thoughtLeadership/china-introduces-first-comprehensive-legislation-on-personal-information-protection) (Watkins, 2021)
- (https://www.lexology.com/library/detail.aspx?g=1dc1bc10-a06e-49ff-9a09-b8ffead18e21) (Rajah and Tann Asia, 2021)
Students of Lawsikho courses regularly produce writing assignments and work on practical exercises as a part of their coursework and develop themselves in real-life practical skills.
LawSikho has created a telegram group for exchanging legal knowledge, referrals, and various opportunities. You can click on this link and join: