China’s Personal Information Protection Law – An Overview of PIPL

The Personal Information Protection Law of the People’s Republic of China (we will use the shorter Personal Information Protection Law or PIPL) is a federal data privacy law that was passed on August 20th, 2021, and went into effect November 1st, 2021. The PIPL complements the Data Security Law (DSL) passed in June 2021. The PIPL is designed to protect the privacy and personal information of Chinese citizens, and will require compliance initiatives on the part of Chinese organizations and foreign companies operating in China.

Companies that already comply with other international privacy laws, such as the General Data Protection Regulation (GDPR) in the European Union, have already done much of the work necessary for PIPL compliance.

The Personal Information Protection Law provides legal protection to “natural persons”, who, throughout the law’s text, are commonly referred to as “individuals”. This is the same as in Canada’s proposed privacy law, the Canada Consumer Protection Act (CPPA). The term has the same meaning here as “data subjects”, which is used in a number of other international privacy laws. It simply means those natural persons whose data may be collected and used by organizations, and whose consent for that collection and use must be obtained in many cases.

In the PIPL, the collection, processing, sharing, storage, etc. of personal information are referred to as “handling”. In the same vein, entities carrying out handling are referred to as “personal information handlers” or PIH. Article 73 defines PIH as: “organizations and individuals that, in personal information handling activities, autonomously decide handling purposes.” So while it is reasonable to expect most data handling to be done by companies, the PIPL does also apply to other entities. Per Article 72, the PIPL does not apply to natural persons who are handling personal information for family or personal reasons.

“Personal information handler” is a comparable definition to “data controller” in other international privacy laws like the GDPR. I.e. it refers to the entities initiating collection of data, obtaining consent where needed, arranging data processing, contracting with third parties to process data, etc.

Another similarity to the GDPR is that there are several legal bases for handling individuals’ personal information. Obtaining consent from the data subjects is one of these, but the other six do not require the subject’s consent.

Under Section 1, Article 13, personal information may only be handled if the personal information handler conforms to at least one of the following:

1. Obtaining individuals’ consent;
2. Where necessary to conclude or fulfill a contract in which the individual is an interested party, or where necessary to conduct human resources management according to lawfully formulated labor rules and structures and lawfully concluded collective contracts;
3. Where necessary to fulfill statutory duties and responsibilities or statutory obligations;
4. Where necessary to respond to sudden public health incidents or protect natural persons’ lives and health, or the security of their property, under emergency conditions;
5. Handling personal information within a reasonable scope to implement news reporting, public opinion supervision, and other such activities for the public interest;
6. When handling personal information disclosed by persons themselves or otherwise already lawfully disclosed, within a reasonable scope in accordance with the provisions of this Law.
7. Other circumstances provided in laws and administrative regulations.

Unlike the GDPR, the PIPL does not have a provision comparable to “legitimate interest”, which enables entities to process personal information without obtaining the data subjects’ consent first, as long as the information is collected legally and there is a justifiable reason for its use.

For individuals’ consent to be considered valid, per Section 1, Article 14, it must be given with full knowledge as well as voluntarily and explicitly. Separate consent or written consent are to be obtained in legal or administrative circumstances where this is required. Per Article 15, Individuals’ consent must also be revocable at any time.

If the purposes for the collection of personal information, the handling method, or the categories of handled personal information change, new consent must be obtained from individuals to reflect these changes.

Chapter 4 (Articles 44-50) outline individuals’ rights under the PIPL, unless other legal or administrative regulation takes precedence:

• Right to know what personal information a handler has on them
• Right to object to processing of personal information
• Right to access and copy personal information
• Right to data portability
• Right to correct inaccurate information
• Right to supplement incomplete information
• Right to deletion
• Right to have personal information handlers explain personal information handling rules
• Private right of action

Interestingly, individuals have the right to sue for multiple reasons. They can file suit if their rights are infringed upon, e.g. if they make a legitimate request that is denied, or if the handler violates their rights another way. Chinese authorities may get involved if a handler violates the rights or causes damages to a large group of people (this has not been defined in detail in the PIPL), and may initiate the equivalent of civil prosecution on the public’s behalf against the handler.

Companies cannot refuse to do business with individuals who do not consent to handling of their personal information.

Chapter 1, Article 3, outlines that the PIPL applies to “the activities of handling the personal information of natural persons within the borders of the People’s Republic of China”. However, like the GDPR and some other laws, it is also extra territorial in scope, applying to handling of Chinese individuals’ personal information outside China’s borders if:

• the purpose is to provide products or services to natural persons inside the borders
• when “analyzing or assessing activities of natural persons inside the borders”, or
• other circumstances provided in laws or administrative regulations

It won’t be known how broadly Chinese regulators apply these provisions until the PIPL has been in effect for a while, however.

The Personal Information Protection Law does not have thresholds for compliance, like the California Consumer Protection Act (CCPA). So handlers are required to comply regardless of the company’s revenue or how many individuals’ data they process in a given year.

Article 4 defines personal information as “all kinds of information, recorded by electronic or other means, related to identified or identifiable natural persons. It does not include information that has been anonymized. (Learn more: Data Anonymization: The What, Why, and How of Data Anonymization.)

This differs from many other laws by not explicitly providing examples like name, email address, driver’s licence number, health records, etc. But with this wording it provides broad enough coverage that it won’t require frequent updating, e.g. as technologies change.

Further, the PIPL defines personal information handling as “collection, storage, use, processing, transmission, provision, disclosure, deletion, etc.”

Like many current privacy laws, the PIPL directly addresses the issue of personal information of a more sensitive nature, or belonging to children. Article 28 states:

“…personal information that, once leaked or illegally used, may easily cause harm to the dignity of natural persons grave harm to personal or property security, including information on biometric characteristics, religious beliefs, specially-designated status, medical health, financial accounts, individual location tracking, etc., as well as the personal information of minors under the age of 14.”

Separate explicit consent must be obtained from individuals – or a child’s parent/guardian – before handling sensitive personal information. There must also be a clear “specific purpose and need to fulfill” in place with “strict protection measures” as well as additional disclosures to individuals whose sensitive personal information would be handled, as noted in Articles 28 and 30.

Per Article 17, personal information handlers must notify individuals prior to handling their personal information “truthfully, accurately, and fully… using clear and easily understood language” . This includes provision of:

• Personal information handler’s name
• Contact method for the PIH
• The categories of personal information to be handled
• The purpose(s) of handling
• The retention period
• Methods for individuals to exercise their data privacy rights (Article 17)
• Any other requirements per legal or administrative regulations

Data retention periods should be “the shortest period necessary” to complete the purpose for personal information handling, per Article 19. Though other relevant legal or administrative regulations may affect the length of the retention period.

Per Article 25, personal information handlers cannot disclose the data they handle, except in cases where separate explicit consent is obtained.

Handlers must implement security measures to protect information from breaches or other unauthorized exposure, as well as conducting data protection impact assessments for certain processing activities. In a number of circumstances they must appoint a data protection officer. If the information handling entity is located outside of China, similar to the GDPR, they must appoint a representative in China, and regular audits of practices relating to data handling must be conducted.

Handlers must also seek approval from Chinese authorities regarding providing any personal information they handle, that is stored in China, to any foreign judicial or law enforcement authority. The law does not specify further details on the scope of this requirement or how approvals would be dealt with, however.

Interestingly, Article 58 directly explicitly addresses personal information handlers that provide “important Internet platform services” with large user bases, and that have complex business models. Their obligations:

1. Establish and complete personal information protection compliance systems and structures according to State regulations, and establish an independent body composed mainly of outside members to supervise personal information protection circumstances;
2. Abide by the principles of openness, fairness, and justice; formulate platform rules; and clarify the standards for intra-platform product or service providers’ handling of personal information and their personal information protection duties;
3. Stop providing services to product or service providers on the platform that seriously violate laws or administrative regulations in handling personal information;
4. Regularly release personal information protection social responsibility reports, and accept society’s supervision.

However, sites like Facebook, YouTube, and Instagram, which have large presences and massive user bases elsewhere in the world, are blocked in China

Handlers can be exempt from providing clear and timely notification to individuals in some cases, like under emergency circumstances to protect natural persons’ lives, health, or security and that of their property. However, once the emergency has concluded, handlers must then provide the required notification and information.

As noted, anonymized information is not classified the same way or subject to the same legal bases and other requirements, in many cases, as personal information that remains identifiable.

If personal information handlers transfer individuals’ personal information to third parties, or “entrusted persons”, Article 21 outlines that “they should conclude an agreement” for:

• The purpose for “entrusted handling”
• The time limit
• The handling method
• Categories of personal information to be included
• Protection measures
• Rights and duties of both sides

The handler should also supervise the personal information handling activities of any entrusted persons. The entrusted persons are also legally required to adhere to the contractual terms, to return the personal information at the conclusion of the relationship, and cannot transfer any personal information to additional parties without consent of the original handler.

International transfer of personal information is extensively covered in Chapter 3 (Articles 38-43), similarly to the GDPR. Handlers must meet at least one of the following conditions:

• Passing a security assessment organized by the State cybersecurity and informatization department according to Article 40;
• Undergoing personal information protection certification conducted by a specialized body according to provisions by the State cybersecurity and informatization department;
• Concluding a contract with the foreign receiving side in accordance with a standard contract formulated by the State cyberspace and informatization department, agreeing upon the rights and responsibilities of both sides;
• Other conditions provided in laws or administrative regulations or by the State cybersecurity and informatization department.

Other agreements or treaties can also include coverage to enable international data transfer as well.

Handlers providing personal information outside of China must notify individuals of:

• The receiving entity or entity contact’s name
• Contact method
• Categories of personal information
• Handling purpose
• Handling methods
• Procedures for individuals to exercise their rights with the foreign entity

In the event that a “leak, distortion, or loss occurs or might have occurred”, handlers must immediately take action and notify the personnel and departments responsible for personal information protection, as well as affected individuals. The notification must include:

1. The information categories, causes, and possible harm caused by the leak, distortion, or loss that occurred or might have occurred;
2. The remedial measures taken by the personal information handler and measures individuals can adopt to mitigate harm;
3. Contact method of the personal information handler.

Where violations of personal information handling occur, or when there are violations or failures of the protection duties for handling, and if correction is refused, departments responsible can be fined up to RMB 1 million, and directly responsible personnel can be fined between RMB 10,000 and 100,000 (a bit more than US $1,500 to $15,000). Additionally, the responsible entities must:

• Order correction
• Confiscate unlawful income
• Order provisional suspension or termination programs unlawfully handling the information

For “grave circumstances” of unlawful handling, Chinese regulators can issue fines of up to RMB 50 million (approx. US $7.7 million) or up to 5 percent of the handler’s previous year’s gross revenue. (It is not specified if this is Chinese-only or global revenue.) Handlers found to have committed violations may have their operations or business licence suspended or terminated. Apps can also be ordered removed from app stores.

Personnel found to be directly responsible are to be fined between RMB 100,000 and 1 millon (approx. US $15,000 and $150,000). They can also be prohibited from holding “director, supervisor, high-level manager, or personal information protection officer” positions for a

With both the Data Security Law and the Personal Information Protection Law passed this year, China has instituted a strong framework to direct the activities of domestic and foreign companies with regards to data protection, and to protect the rights of Chinese individuals. While the PIPL contains many similarities to the GDPR, on several fronts it is more strict, and it will surely continue to develop over time with evolving technology, consumer expectations, and legal thought. Companies wanting to enter the large Chinese market should definitely consult with qualified legal counsel.

Do you have questions about how China’s privacy law could affect your business? Contact one of our experts!