In recent years, with the continuous development of big data, cloud computing, and the mobile internet, data compliance has attracted growing attention from industries and government authorities around the globe. Data compliance covers data security, data supervision, data storage and other physical security issues, and all aspects of personal information processing.
The Personal Information Protection Law of the People’s Republic of China (“PIPL”) will come into force on 1 November 2021, marking a new era in China’s personal information protection legislation. PIPL provides a comprehensive and systematic legal basis for the protection of personal information rights and interests, the obligations of personal information Processors, and the functions and powers of the competent authorities. In doing so, it builds a protective network for personal information security.
PIPL applies to the processing of personal information within the territory of the People’s Republic of China and the processing of the personal information outside the territory of China for the purpose of providing products or services to natural persons located in China, or analysis and evaluation of natural persons located in China.
Personal information refers to all types of information relating to identified or identifiable natural persons that is recorded by electronic or other means. Information that has been anonymized is excluded.
Sensitive personal information refers to the type of personal information that may damage the individual’s dignity, personal safety, or property safety if disclosed or illegally used. Examples of sensitive personal information are biometric identification, religious belief, specific identity, medical health, financial account, traces of whereabouts, and the personal information of minors under the age of 14.
Processing of personal information means the collection, storage, use, processing, transmission, provision, disclosure, and deletion, etc., of personal information.
A Personal Information Processor (“Processor”) refers to an organization or individual that independently determines the purpose and method of processing personal information. A Processor is responsible for the personal information it processes and must take the necessary measures to ensure its security.
1) Establishing Principles of Personal Information Protection
- The Processor may not process personal information by means of misleading, fraud, coercion, or similar methods.
- Personal information must be processed for a definite and reasonable purpose, and in a way that minimizes the impact on personal rights and interests. The collection of personal information should be limited to the minimum scope needed to achieve that purpose.
- The Processor should publicly disclose its personal information processing rules, and the purpose, method, and scope of its processing.
- The quality of personal information must be ensured, so that inaccurate or incomplete personal information does not harm personal rights and interests.
2) Establishing Rules for Processing Personal Information
PIPL stipulates that under the following circumstances, the processing of personal information is permitted without the consent of the individual concerned:
- When it is necessary for the conclusion or performance of a contract to which the individual is a party, or for human resources management carried out according to lawfully formulated labor rules and regulations.
- When performing statutory duties or obligations.
- When it is necessary for the response to a public health emergency or for the protection of the life, health, and property safety of a natural person.
- When it is for the purpose of news reporting or public-opinion supervision in the public interest, and the processing is within a reasonable scope.
- When the personal information has already been made public by the individual or through other lawful means, and the processing is within a reasonable scope.
- Other circumstances prescribed by laws and administrative regulations.
If the processing of personal information falls outside the above scenarios, the Processor MUST obtain the consent of the individual concerned. In addition, the Processor must provide a convenient method for the individual to withdraw his/her consent. If an individual does not agree to the processing of his/her personal information or withdraws consent, the Processor may not refuse to provide products or services to the individual on that basis, unless the personal information is necessary for providing those products or services.
3) Restricting Big-Data-Enabled Automated Decision-Making Based on an Individual’s Personal Characteristics
“Automated decision-making” refers to the use of computer programs to automatically analyze or assess an individual’s behaviors and habits, interests and hobbies, or financial, health, or credit status, etc., and to make decisions on that basis. The regulators recognized that certain businesses use big-data analysis to profile individuals’ personal characteristics and then use automated decision-making systems to impose differential treatment on individuals in transaction prices and conditions. PIPL requires that such processing ensure the transparency of the decision-making process and the fairness and impartiality of its results, and that it not impose unreasonable differential treatment on individuals in transaction terms. Where automated decision-making is used for information push or commercial marketing, the Processor must also offer an option that does not target the individual’s personal characteristics, or a convenient way for the individual to refuse. Where an automated decision has a major impact on an individual’s rights and interests, the individual may request an explanation and may refuse a decision made solely by automated means.
4) Establishing Rules for Processing Sensitive Personal Information
PIPL stipulates that sensitive personal information may be processed only for a specific purpose and where there is sufficient necessity, and that separate consent must be obtained from the individual concerned. In addition, the Processor must inform the individual of the necessity of the processing and its impact on his/her rights and interests, except in the specific circumstances where PIPL permits this notice to be omitted.
5) Establishing Duties, Scope, and Limits of Processing Personal Information by Authorities
PIPL also provides special provisions for circumstances in which government authorities process personal information in the performance of their statutory duties. In this scenario, the principle of transparency applies unless the processing must be kept confidential by law, or informing the individual would hinder the authorities in performing their statutory duties. If it is necessary to provide personal information to an overseas party, a security assessment must be conducted before the personal information is transmitted overseas.
6) Establishing Rules for Cross-border Provision of Personal Information
If a Processor needs to provide personal information outside the territory of China for business or other reasons, the Processor must satisfy at least one of the following conditions:
- Pass the security assessment organized by the Cyberspace Administration of China;
- Obtain personal information protection certification from a specialized agency in accordance with the provisions of the Cyberspace Administration of China;
- Enter into a contract with the overseas recipient under the standard contract formulated by the Cyberspace Administration of China, specifying the rights and obligations of both parties; or
- Meet other conditions prescribed by laws, administrative regulations, or the Cyberspace Administration of China.
Besides meeting one of the above conditions, the Processor should also:
- Inform the individual of the overseas recipient’s name and contact information, the purpose and method of processing, and the types of personal information involved;
- Provide the method and procedure for the individual to exercise his/her rights against the overseas recipient; and
- Obtain the individual’s separate consent.
Where international treaties or agreements are in place, their provisions on the conditions for providing personal information outside China may prevail.
It is worth noting that PIPL also reaches overseas organizations and individuals that infringe the personal information rights and interests of Chinese citizens or endanger China’s national security or public interests. In such cases, the Cyberspace Administration of China may add the overseas organization or individual concerned to a list of parties prohibited or restricted from receiving personal information. Any Processor outside China that falls within the scope of PIPL should designate a representative in China to handle matters relating to personal information protection, and should submit the representative’s name and contact information to the relevant authorities in China.
7) Strengthening Obligations of Personal Information Processors
To protect personal information, PIPL requires Processors to take the following actions:
- Formulate internal management systems and operating procedures
- Classify and manage personal information by category
- Adopt security technical measures such as encryption and de-identification
- Conduct personal information security education and training
- Devise emergency plans for personal information security incidents
- Conduct compliance audits regularly on its processing of personal information
- Conduct a personal information protection impact assessment in advance, in the circumstances listed by PIPL
Following the promulgation of the Civil Code, the Cybersecurity Law, and the E-commerce Law, China has now rolled out the Data Security Law and the Personal Information Protection Law, signaling its steady commitment to building a comprehensive legal framework for data compliance. We envisage more laws and regulations on data compliance in the near future. The implementation of PIPL raises the compliance requirements to be met by foreign companies operating in China. All foreign-invested companies should set up a specialized task force to carry out data compliance work and establish rules and procedures for handling the personal information of employees, customers, suppliers, and other relevant stakeholders. In particular, we recommend the following actions:
- Educate the management and employees about the PIPL
- Improve the company’s internal policies on the processing and protection of employees’ personal information
- Review the current IT infrastructure and apply the upgrades needed to meet the requirements mandated by PIPL
- Review the company’s business processes, identify where the personal information of business partners (such as suppliers or customers) is processed, and amend the relevant external documents to ensure the company’s disclosure obligations are fulfilled
- Carry out a personal information protection impact assessment before processing sensitive personal information, using personal information for automated decision-making, disclosing personal information publicly, or transmitting it overseas
- Formulate emergency response measures for personal information security incidents