Personal Information Protection Law of the People’s Republic of China 2021 (PIPL)

中华人民共和国个人信息保护法

Highlights

Territorial Scope:

The PIPL applies to activities of handling the personal information of natural persons within the borders of the People’s Republic of China (the “PRC”). It also applies when the handling activities occur outside the borders of the PRC:

• Where the purpose is to provide products or services to natural persons inside the PRC;
• To analyze or assess the activities of natural persons inside the PRC; or
• In other circumstances which may be provided in laws or administrative regulations.

Of note, the PIPL applies to PI handling related to natural persons within the borders of the PRC and, as a result, is not limited to citizens of the PRC. The PIPL also includes a catch-all provision that allows for laws and regulations to supplement the application of the PIPL to cover other PI handling activities not originally listed.

2021 PIPL Applicability:

The PIPL applies to Personal Information (“PI”) Handlers. This term refers to organizations and individuals that, in PI handling activities, autonomously decide handling purposes and handling methods, except for natural persons handling personal information for personal or family affairs. PI handling includes, without limitation, PI collection, storage, use, processing, transmission, provisions, and deletion.

Personal Information is defined as all kinds of information, recorded by electronic or other means, related to identified or identifiable natural persons, not including information after anonymization handling.

Lawfulness of Processing:

PI Handlers may only handle PI where:

• The PI Handler has obtained the individual’s consent;
• Necessary to conclude or fulfill a contract in which the individual is an interested part or as necessary to conduct human resources management according to applicable labor laws and regulations and the provisions of the applicable contract;
• Necessary to fulfill statutory duties and obligations;
• Necessary to respond to sudden public health incidents or to, in emergency circumstances, otherwise protect the lives and health of natural persons or the security of their property;
• The PI handling is within a reasonable scope to implement news reporting, public opinion supervision or polling, and other such activities for the public interest;
• The PI handling relates to PI disclosed by the persons themselves or was otherwise already lawfully disclosed and the handling is within a reasonable scope in accordance with PIPL; and
• In other circumstances which may be provided in laws or administrative regulations.

Obligations:

Prior to handling PI and when changes occur—including changes caused by mergers, sales, acquisitions, or other business changes—PI Handlers must explicitly notify individuals of:

• The name or personal name and contact method of the PI Handler;
• The purpose of the PI handling and handling methods, the categories of handled PI, and the retention period;
• The methods and procedures for individuals to exercise their rights provided in the PIPL; and
• Other items that laws and administrative regulations provide shall be notified.

Additionally, PI Handlers have obligations related to:

• Retaining PI for the shortest period necessary to realize the purpose of the PI handling.
• Entering into agreements with entrusted parties that detail, among other things, the purpose of the entrusted handling, the time limit, the handling method, categories of PI, protection measures, and the rights and duties of both sides.
  
  • The PI Handler is responsible for supervising the activities of the entrusted party who is obligated to handle the PI in accordance with the agreement.
• Notifying and obtaining the consent of individuals about the name of the PI recipient, the recipient’s contact information, the handling purpose, and the PI categories.
• Where PI Handlers use PI to conduct automated decision-making, guaranteeing the transparency of the decision-making as well as the fairness and justice of the handling results.
• Where PI Handlers conduct information push delivery or commercial sales to individuals through automated decision-making processed, providing an option to not target an individual’s characteristics, or providing the individual with a convenient means to refuse.
• For handling of PI of minors under the age of 14, obtaining the consent of the minor’s parent or guardian and must also formulate specialized PI hand ling rules.

Obligations for the Cross-Border Provision of PI:

Where PI Handlers truly need to provide PI outside the borders of the PRC for business or other requirements, they must meet one of the following conditions:

• Pass a security assessment organized by the Cyberspace Administration of China;
• Undergo PI protection certification conducted by a body to be identified by the Cyberspace Administration of China or other authorized government ministry;
• Enter into an agreement with the overseas agreement using standard contractual clauses promulgated by the Cyberspace Administration of China; or
• Other conditions prescribed by law, administrative regulation, or the Cyberspace Administration of China.

Moreover, the PI Handler must adopt necessary measures to ensure that the foreign recipient’s handling activities reach the standard for PI protection provided in the PIPL. PI Handlers must obtain the separate consent of and notify individuals about the foreign recipient’s name or personal name, contact method, handling purpose, handling methods, PI categories, and the procedures for the individual to exercise their rights provided in the PIPL with the recipient.

Security Obligations:

PI Handlers must:

• Establish internal policies and procedures;
• Establish practices for the management of PI;
• Adopt technical security measures such as encryption and de-identification;
• Determine the reasonable operational limits for PI handling;
• Conduct regular security education and training for employees;
• Establish PI security incident response plans;
• Adopt other measures as required in other laws and administrative regulations;
• If handling PI reaching quantities as set forth by the Cyberspace Administration of China, appoint PI protection officers responsible for supervising PI handling activities and protection measures;
• If outside the borders of the PRC, establish a dedicated entity or appoint a representative within the borders of the PRC responsible for matters related to the PI they handle;
• Regularly engage in audits of their PI handling and compliance with applicable laws and administrative regulations;
• Conduct a PI Protection Impact Assessment¹ if:
  
  • Handling SPI;
  • Using PI to conduct automated decision-making;
  • Entrusting PI handling, providing PI to other PI Handlers, or disclosing PI;
  • Transferring PI to a foreign jurisdiction; or
  • Otherwise handling PI in a way that will have a major influence on individuals.
• If a PI leak, distortion, or loss occurs or might have occurred, immediately adopt remedial measures, notify the government ministries fulfilling PI protection duties and responsibilities, and notify the individuals affected including about:
  
  • The information categories impacts;
  • The causes and possible harm;
  • The remedial measures taken by the PI Handler as well as measure the individuals can adopt; and
  • The contact method of the PI Handler.
    
    • Notification is not required where the PI Handler has adopted measures that are able to effectively avoid harm created by information leaks, distortion, or loss.

Individuals’ Rights²:

• The Right to Know;
• The Right to Decide;
• The Right to Limit;
• The Right to Refuse;
• Right to Access and Copy;
• Right to Transfer;
• Right to Correct;
• Right to Erasure; and
• Right to an Explanation of Processing.
• Where PI Handler’s use automated decision-making produces that may have a major influence on the rights and interests of an individual, right to require the PI Handler to explain the matter and the right to refuse that the PI Handler make decisions solely through automated decision-making methods.

Potential Penalties:

Government ministries may order the correction of PI handling deficiencies, confiscate unlawful income, and order the provisional suspension or termination of service provision of the programs unlawfully handling PI. Where the PI Handler refuses correction, the government ministries may issue a fine of not more than one (1) million Yuan and the persons responsible for this refusal are to be fined between 10,000 and 100,000 Yuan. Where the above unlawful acts give rise to grave circumstances, the government ministries may also impose a fine of not more than fifty (50) million Yuan or 5% of annual revenue. The government ministries may also order the suspension of related business activities or the cessation of business for recertification and cause the cancellation of corresponding administrative or business licenses. In such grave circumstances, the persons responsible are to be fined between 100,000 and one (1) million Yuan and such persons may be prohibited from holding positions as a director, supervisor, high-level manager, or PI protection officer for a particular period of time.

Where unlawful acts occur under the PIPL, the record of such acts shall be entered into credit files and be publicized. If the handling of PI infringes on an individual’s PI rights and interests resulting in harm, the PI Handler may be required to provide compensation, as determined by the resulting loss, and otherwise take responsibility for the infringement. Violations of the PIPL may also be investigated and sued by the relevant government ministries, statutorily designated consumer organizations, and organizations designated by the Cyberspace Administration of China. Where a violation constitutes a violation of public security management and, if such violation constitutes a crime, may give rise to criminal liability.

Effective Date:

November 1, 2021

¹ The PI Protection Impact Assessment must include (i) whether or not the PI handling purpose, method, and other factors are lawful, legitimate, and necessary; (ii) the influence on individuals’ rights and interests as well as the security risks; and (iii) whether protective measures undertaken are legal, effective, and suitable to the degree of risk.

²  If the PI subject is deceased, their next of kin may exercise these rights.