This article has been written by Anwesha Borah, pursuing a Diploma in International Data Protection and Privacy Laws from LawSikho. It has been edited by Zigishu Singh (Associate, LawSikho) and Ruchika Mohapatra (Associate, LawSikho).
On 20th August 2021, China’s National People’s Congress Standing Committee passed a data protection law known as the Personal Information Protection Law (PIPL). As per the news agency Xinhua’s report, this law will take effect from November 1, 2021. The new law was proposed last year in response to a rise in unscrupulous data collection practices in the commercial sphere.
According to the Xinhua report, the PIPL will set tougher rules and impose strict obligations on information handlers. The law lays out a comprehensive set of rules around data collection which could affect China’s technology giants as well as foreign companies doing business in China that involves processing Chinese citizens’ personal information.
The new law requires companies, as data controllers, to obtain consent from individuals before processing their personal details, including sensitive data such as medical and health data, financial information, biometrics, and more. Data controllers are required to give users options on how their information is going to be used. Companies that illegally process users’ data will face heavy fines, and their services may be suspended or terminated.
The key highlights of China’s Data Security Law
- The meaning of Personal Information and Sensitive Personal Information
The meaning of personal information and sensitive personal information has been broadly defined under the PIPL. Further, the law makes a distinction between anonymized information and de-identified information. In the anonymization process, personal information can no longer be identified with or connected to a natural person or user, and once this process is done it cannot be reversed. In de-identification, by contrast, personal information is processed in such a way that it becomes impossible to identify a specific natural person without the use of additional information. The de-identification process is similar to the concept of pseudonymization under the European Union’s General Data Protection Regulation (GDPR).
- Rights of the Personal Information Subjects
The PIPL provides a number of rights for personal information subjects, such as:
● the right to know
● the right to decide
● the right to limit or refuse the usage of their personal information
● the right to access and copy their data or personal information
● the right to request correction or completion
● the right to withdraw consent
● the right to request an explanation of the handling rules
● the right to delete
● the right of access
● the right to rectification
● the right to be forgotten
● the right to object
The PIPL imposes higher obligations on data handlers regarding individuals’ rights. For instance, when transferring personal information to other parties, the PIPL requires personal information handlers to notify individuals of the name or personal name and the contact method of the receiving party. Under the GDPR, by contrast, the data controller only needs to notify data subjects about the third parties.
Art. 45 of the PIPL states that where individuals request that their personal information be transferred to a personal information handler they designate, and such a request meets the conditions set by the State cyberspace administration, the personal information handler shall provide a channel to transfer it. This means that the State cyberspace administration will set the conditions under which the right to portability may be exercised.
- China-specific Provisions
The government considers personal information protection to be an important issue of national security; therefore, the PIPL contains some provisions with strong national security attributes. Art. 41 of the PIPL does not allow personal information handlers to provide any personal information stored within China to foreign judicial or law enforcement agencies without the approval or consent of the competent authorities of China. Additionally, Arts. 42-43 provide for extraterritorial application and establish protection mechanisms: the government may put foreign entities on a list limiting or prohibiting the provision of personal information to them if they engage in any personal information handling activity that harms the national security or public interests of China, and it may adopt retaliatory measures against any country or region that adopts discriminatory prohibitions, limitations, or similar measures against China in the area of personal information protection.
- Significant Penalties for Violations of the PIPL
The PIPL provides heavy penalties for violations. Fines can be up to RMB 50 million (approximately US$ 7.7 million) or up to 5% of the personal information handler’s revenue for the previous year. The authorities can also suspend an entity’s operations or business license for a violation. Additionally, individuals are granted both a number of rights under the PIPL and a private cause of action to sue personal information handlers who infringe those rights. The authorities can also initiate civil proceedings against personal information handlers who damage the interests of many people.
Cross-Border Transfer of Personal Information
According to Article 3, the law regulates how personal information is handled within the territory of China, regardless of whether the entity that conducts handling activities has an establishment within China. In addition to this, it shall also apply to processing activities outside the territory of China regarding the personal information of natural persons inside the territory of China under certain circumstances.
Due to globalization, cross-border data transfers are essential and entities outside of China from time to time may come into the possession or control of personal information relating to the people of China. Due to this, personal information is at risk of infringement. Therefore, clauses for extraterritoriality are required in the data protection legislation to protect the interest of individuals as well as the national security of China.
Under Art. 38 of the PIPL, there are three mechanisms for transferring personal information outside of the country and this depends on the type of personal information handlers who need to provide personal information outside the country for business or other such purposes.
Personal information handlers shall store personal information collected and produced within China domestically. Where personal information must be provided across borders, the PIPL requires a security assessment administered by the State cyberspace administration of China. However, guidance on the assessment procedures and standards has not yet been properly explained.
In addition to the mechanisms discussed above, there are two further mechanisms for the cross-border provision of personal information by personal information handlers, namely:
1. Obtaining personal information protection certification.
2. Concluding a standard contract, formulated by the State cyberspace administration, with the foreign receiving party.
There are exemptions under the PIPL for the above mechanisms. Personal information may be provided abroad under treaties or international agreements concluded or acceded to by the Chinese government. However, the authority of domestic regulators supersedes that of international treaties.
Under the PIPL, personal information handlers must seek approval from the competent Chinese authorities before providing personal information stored in China to any foreign judicial or law enforcement authority.
The cross-border rules are stricter than those of the GDPR, and the PIPL offers fewer routes for the export of personal information. Before transferring personal information, the personal information handler has to complete several steps, such as conducting a personal information protection impact assessment, notifying and obtaining the consent of each individual, and taking the necessary measures to ensure that the foreign recipient provides the standard of protection for the personal information that the PIPL requires.
Implications for Foreign Investors and Businesses
Recently, China has tightened and developed more stringent regulations in various sectors, including the FinTech sector. The government has also made strict policies regarding foreign investment. All these policies and regulations have affected large businesses and markets. Data security law in China is no longer a minor compliance matter. Like many other countries, China treats data security as a matter of national security.
Foreign investors in China are expected to carry out careful due diligence on the data protection and security practices of their targets. Before closing a deal, they will have to check whether the target’s data security complies with the PIPL. Investors can also ask targets to rectify data compliance issues before closing a deal.
Businesses in many parts of the world have already adapted to data protection laws and regulations. They have become cautious and seek to manage compliance risks at an early stage rather than paying heavy fines later. Businesses are consulting and hiring experts in the field of data protection law, conducting holistic reviews and data protection assessments, and running training programs to educate their employees about data protection and security. Businesses have to comply with the PIPL, take precautions, and avoid providing personal information in China to foreign agencies in any manner the PIPL prohibits.
The Personal Information Protection Law (PIPL) applies to all data processing activities involving personal information within China, as well as to activities outside China that affect individuals within China. The PIPL imposes stricter regulations than the European Union’s General Data Protection Regulation (GDPR) on companies handling the personal information of natural persons in China. It also imposes significant restrictions on companies that wish to engage in the cross-border transfer of personal information. Foreign companies and foreign investors have to carry out due diligence and comply with the PIPL.
Given that the PIPL will be effective from November 1, companies handling the personal information of natural persons in China should immediately start reviewing and assessing their data processing activities.