13 Jan 2023
20 Mar 2022
The People’s Republic of China (PRC) has enacted the Personal Information Protection Law (PIPL), which took effect on November 1, 2021. It has significant consequences for the data security arrangements of Chinese companies such as Didi (a ride-hailing company listed in the US).
Even if your business is not established in China, it may still have to comply with this new Chinese privacy and data protection law. Like Europe’s General Data Protection Regulation (GDPR), the PIPL has extraterritorial reach: it applies to any entity that handles the personal information of people residing within the borders of the PRC, even where the handling or processing takes place outside those borders. So if you or your business provides products or services to people in China, analyzes or assesses the activities of people in China, or has any operations based in China, your organization must comply with the PIPL. Please see this to learn more about the European Union’s GDPR.
Personal Information (PI) is any information, recorded electronically or by other means, that relates to an identified or identifiable natural person. The PIPL further categorizes certain data as Sensitive Personal Information (SPI), which is governed somewhat differently. SPI is personal information which, if leaked or used in an unauthorized manner, can easily harm the dignity of a natural person or cause grave harm to their person or property. SPI includes biometric characteristics, religious beliefs, medical and health information, financial account details, individual location tracking, and the personal information of minors under the age of 14.
The PIPL permits the collection, storage, use, processing, transmission, disclosure, and deletion of personal information (PI). However, all such ‘handling’ of PI must be carried out in accordance with the provisions of the PIPL. The Law allows businesses to handle PI only if:
1. Purpose - The handling of PI must have a clear and reasonable purpose, its use must be directly related to that purpose, and processing must have the minimum possible effect on individual rights and interests. In practice, businesses handling PI must specify the exact purpose for which the PI is collected and used, and must process it only to meet that purpose. Further, such processing or use must not harm the rights and interests of the data subjects. In the case of SPI, businesses may process the information only where there is a specific purpose for which the SPI is required.
2. Consent and notification - To obtain consent from data subjects, businesses must fully inform them of the purpose of handling the data, the categories of information collected, the method of collection and use, and the period for which the business will retain the information. For minors under the age of 14, consent must be obtained from a parent or guardian. If a business intends to share the data with a third party for processing, the details of that third-party processor must be notified to the data subject before consent is obtained. Similarly, where personal data is transferred outside the PRC, the specific reasons for the transfer must be notified, along with the details of the foreign recipient of the information.
3. Accuracy and completeness of PI - Businesses must ensure that the data they store is accurate and complete.
4. Data Security - Businesses must ensure that the data they collect and store is secure and cannot be accessed by unauthorized persons; this also helps to preserve the accuracy of the information. Businesses are required to adopt the following measures to ensure compliance with the PIPL and to prevent unauthorized access to PI, PI leaks and PI distortion:
5. Joint Handling of PI - The specific consent of the data subject is required before PI is shared with a third party. A business that intends to process data with the help of a third party must jointly decide with that party on the purpose and method of PI handling and on their respective rights and obligations. If harm to PI rights and interests results in damages, the parties are jointly liable as provided by law. They must conclude an agreement specifying the purpose, time limit, handling method, and categories of personal information to be collected, as well as the protection measures that will be taken to ensure the security and accuracy of the data. If the joint handling is terminated, the data must be returned to the original collector/handler of the information.
6. Retention of data - PI must be retained for the shortest period necessary to achieve the purpose of the handling. PI handlers must proactively delete PI in the following circumstances:
In China the usual limitation period for claims is 3 years; therefore, data should be deleted within three years of the date on which the purpose of its collection was fulfilled. Please see Article 188 of the Civil Code and Article 27 of the Law on Mediation and Arbitration of Labor Disputes.
7. Compliance requirements -
“Separate consent” is consent that cannot be satisfied by way of a “bundled consent” (i.e. an employer obtaining a single consent covering personal information processing for multiple purposes). Separate consent is required in the following circumstances:
1. If a business wants to transfer PI outside the borders of the PRC, it is required to:
2. Critical information infrastructure operators, and PI handlers handling quantities of PI above thresholds specified by the CAC (thresholds not yet prescribed), must store PI within the borders of the PRC. If they need to provide it abroad, they must pass a security assessment organized by the CAC.
Article 2 of the Critical Information Infrastructure Security Protection Regulations defines critical information infrastructure as important network infrastructure, information systems, etc., in important industries and sectors such as public telecommunications and information services, energy, transportation, water, finance, public services, e-government, and national defence science, technology and industry, as well as any other such infrastructure whose destruction, loss of functionality, or data leakage may gravely harm national security, the national economy and people’s livelihood, or the public interest.
3. The approval of the competent PRC authorities must be obtained before PI stored within the mainland territory of the PRC is provided to foreign judicial or law enforcement agencies.
4. Penalties for non-compliance: