The new Personal Information Protection Law in China (2022 update)

Cybersecurity has become a top priority for companies seeking to protect the rights and privacy of their clients and customers.

Understanding how to comply with foreign regulations, however, can be difficult. This is particularly true in China, where the legal framework related to cybersecurity and data protection has been rapidly evolving in the last few years to urgently cover the many gaps created by a lack of specific regulations within the frame of the Cybersecurity Law (2017). The new Data Security Law and the Personal Information Protection Law in China (effective from 2021) will serve as the pillar of the data security and information protection, shaping a set of legal obligations to be considered in carrying out business activities online in China.

Here’s what you should know about.

Personal Protection Information Law (PIPL)

China’s newest piece of regulation, the Personal Information Protection Law (PIPL) went into effect on November 1st, 2021. It collaborates with pre-existing legal frameworks, such as the aforementioned Cybersecurity Law (CSL) and Data Security Law (DSL) to implement a more expansive network for cybersecurity and data privacy protection in China. 

Specifically, the law sets out to accomplish the following:

• Define key information, such as providing the definitions of “Personal Information” (PI) and “Sensitive Personal Information”;
• Clarify the legal bases for cross-border processing of personal information;
• Prescribe the legal obligations and responsibilities of data processors;
• Prescribe the rights of Personal Information Subjects;

More broadly, the law seeks to “protect the rights and interests of personal information, regulate personal information processing activities, strengthen the requirements on data localization and promote the rational use of personal information”. It also puts a particular emphasis on the cross-border processing of personal information handled by large multinational companies and other entities that plan to transfer personal information to entities outside of China.

Definition of “Personal Information” and “Sensitive Personal Information”

“Personal Information” (PI), in this context, refers to “various kinds of information related to identified or identifiable natural persons recorded by electronic or other means, excluding the information processed anonymously”. This includes any information that can be used to identify someone, including their name, phone number, and IP address.

‘Sensitive’ Personal Information, on the other hand, refers to any of the following: Biometric data, medical histories, financial accounts, location or whereabouts, and any PI regarding individuals under 14. Given their ‘sensitive’ nature, the PIPL requires stricter protection for the transference and use of this kind of information. 

Data exempt from these requirements include anonymized data, such as aggregated information, which therefore cannot be traced to any individual.

Data “processing”, refers to the “collection, storage, use, processing, transmission, provision, publication, and erasure of personal information”.

Legal Bases for Personal Information Processing in China

The basic principle for data processing as stated in the PIPL is the Data Subject’s consent. This includes the rights of the subjects to be kept informed about the use of their data and the data processing process. Such consent “must be informed, freely given, demonstrated by a clear action of the individual, and may later be revoked.”

The PIPL also adopted the “Principle of Least Privilege”, which means that a company accessing PI is only to access the least amount of information necessary to reach their goals. In other words, “the collection of personal information shall be limited to the minimum scope to achieve the purpose of processing, and excessive collection of personal information shall be prohibited”.

That being said, the law also provides for circumstances under which the necessity to obtain consent is waived, where processing is necessary:

• for the conclusion or performance of a contract to which the individual concerned is a party, or for the implementation of human resources management in accordance with labor rules and regulations;
• for the performance of statutory duties or statutory obligations;
• for the response to a public health emergency or for the protection of the life, health and property safety of a natural person;
• where such acts as news reporting and supervision are carried out for the public interest and the processing of personal information is within a reasonable scope;
• other cases provided by the laws.

Cross-Broder Transfer of Personal Information

The technical specifications of the PIPL further clarify in which instances companies may transfer PI overseas and when the aid of the Cyberspace Administration of China (CAC) or other Certification Agencies (recognized by the CAC) becomes necessary (for example the oversee transfer of large amount of data requires a security evaluation by CAC).

Companies must meet at least one of two requirements to transfer PI overseas. They must either transfer PI within a cross-borders MNC or related entity OR process the PI of Chinese citizens to provide products/services, analyze/evaluate activities, or other instances as delineated by laws and regulations. They must also provide individuals with certain specific information about the transfers obtaining separate consent.

Moreover, the PI processor shall take necessary measures to ensure that the activities of processing by the overseas recipient meet the standards for protection of PI as prescribed by the PIPL in China.

The new specifications also outline the rules for cross-border processing of PI. They can be summarized below as the following:

• Why the processing is taking place, what kind of information is included, the sensitivity level of the information, and the amount of information being processed;
• The purpose and scope of information processing;  
• The duration and expiration of storage overseas;
• Where the information will be transferred to;
• What measures have been established to protect the rights and interests of personal information subjects;
• And the compensation and disposal practices in the eventuality of personal information incidents.

Legal Obligations and Responsibilities for Personal Information Processors

The PI processor shall truthfully, accurately and completely inform the individual in a conspicuous way and in clear language regarding:

• the title or name and contact information of the personal information processor
• the purpose and method of processing personal information, and the type and retention period of the processed personal information
• the method and procedure for the individual to exercise the rights provided by the law

No organization or individual may illegally collect, use, process or transmit PI of others illegally buy or sell, provide or make public the same or engage in the processing of PI that endangers national security or public interests.

As for the cross-border transfer, the PIPL’s new specifications require that all parties involved in cross-border PI transferring should designate a person to be in charge. 

This person must designate the objectives, requirements, work tasks, and protection measures of PIP. They must also provide resources for the company’s PIP work. They should also be in charge of guiding and supporting personnel involved in PIP and report their work to the main person in charge of the company. 

The new specifications clarify what activities this person should be conducting.

These include developing an activity plan for cross-border processing, conducting data protection impact assessments (DPIAs), supervising the company’s cross-border PI processing as determined by the processing rules, and dealing with requests and complaints by personal information subjects. 

A DPIA refers to an assessment that determines whether cross-border PI transference is legal, legitimate, and necessary (in accordance with the general principles explored above). It also determines whether the necessary protection measures have been enacted and whether they are effective and appropriate.

Rights of Personal Information Subjects 

Personal Information Subjects are entitled to certain rights protecting their information.

These rights grant users the ability to make decisions regarding the use of their information, grant them the ability to access their information, allow them to be made aware of any changes in the processing of their PI in a timely manner, and grant them the ability to take legal action in instances where cross-border processing security incidents take place. 

The parties involved in cross-border processing also bear legal responsibility for safeguarding the rights of personal information subjects. This includes making them aware of the purpose of processing, the duration, and the type of processing taking place. 

To engage in cross-border processing, companies must obtain users’ consent. 

Overall, it is the domestic party’s responsibility to ensure that the personal information subject’s rights are protected. They are also responsible for any legal liability.

Key Actions to ensure compliance

China has only recently begun to implement regulations concerning cybersecurity protections. Therefore, this legislation is still in its initial phase. While questions are likely to persist, Chinese Cybersecurity Authorities are likely to continue clarifying issues of concern in the future.

Companies are advised to proactively collaborate with local cybersecurity authorities to ensure compliance when possible, despite foggy regulations.

In the meantime, there are key actions that companies might evaluate in order to be prepared and understand which changes could be implemented:

• Classify the type of data and amount of data handled by the company containing personal information
• Track data flow and storage of data containing personal Information
• Conduct an audit on company’s current practices in data processing, handling and collection of personal information and sensitive personal information as well as on security measures currently implemented
• Draft and/or revise the related company’s policies, internal documents and general terms and conditions
• Designate a responsible person and provide relevant employee training
• Adopt measures to monitor and minimize the risk of cybersecurity incident, set periodic risk assessments and design an emergency plan and remedial measures in case of incident