China's New Privacy Law and How it Applies to your Business

Christina Keough
Last Updated: 13 Jan 2023

Published On: 20 Mar 2022

What is the new Chinese privacy law, and do I need to comply with it?

The People’s Republic of China (PRC) has enacted the Personal Information Protection Law (PIPL), which took effect on November 1, 2021. It has significant consequences for the data security arrangements of Chinese companies such as Didi (a ride-hailing company listed in the US).

Even if your business is not established in China, it may still have to comply with this new Chinese privacy and data protection law. Like Europe’s General Data Protection Regulation (GDPR), the PIPL has far-reaching extraterritorial effect: it requires compliance by entities that handle the personal information of people residing within the borders of the PRC, even where the handling or processing takes place outside the PRC. So if your business provides products or services to people in China, analyzes or assesses the activities of people in China, or has operations based in China, your organization must comply with the PIPL. Please see this to learn more about the European Union’s GDPR.

What is personal information as per the PIPL?

Personal information is any information, recorded electronically or by other means, that relates to an identified or identifiable natural person. The PIPL further categorizes certain data as Sensitive Personal Information (SPI), which is governed somewhat differently. SPI is personal information which, if leaked or used without authorization, can easily harm the dignity of a natural person or cause grave harm to their person or property. SPI includes biometric characteristics, religious beliefs, medical and health information, financial account details, individual location tracking, and the personal information of minors under the age of 14.

When am I permitted to use and process such personal information?

The PIPL permits the collection, storage, use, processing, transmission, disclosure, and deletion of personal information (PI), but such ‘handling’ of PI must follow the provisions of the PIPL. The Law permits businesses to handle PI only where:

  1. the individual has given consent;
  2. the processing is necessary to conclude or perform a contract with the individual;
  3. the processing is necessary to carry out human resource management obligations under labour rules and regulations;
  4. the processing is necessary to comply with obligations laid down by laws and regulations;
  5. the individual has voluntarily disclosed the information;
  6. the processing is necessary in an emergency to protect a person’s health or property; or
  7. the PI is publicly available (such information must nonetheless be processed in accordance with the PIPL).

What are my duties and obligations while handling such personal information?

1. Purpose - PI handling must have a clear and reasonable purpose, be directly related to that purpose, and have the minimum possible effect on individual rights and interests. In practice, a business handling PI must specify the exact purpose for which the PI is collected and used, and must process it only to meet that purpose. Any processing or use of the PI should affect the rights and interests of the data subjects as little as possible. SPI may be processed only where there is a specific purpose for which the SPI is required.

2. Consent and notification - To obtain consent from data subjects, a business must fully inform them of the purpose of handling the data, the categories of information collected, the method of collection and use, and the period for which the business will retain the information. For minors under the age of 14, consent must be obtained from a parent or guardian. If the business intends to share the data with a third party for processing, the details of that third-party processor must be notified to the data subject before consent is obtained. Similarly, if personal data is transferred outside the PRC, the specific reasons for the transfer must be notified, along with the details of the overseas recipient.

3. Accuracy and completeness of PI - Businesses must ensure that the PI they store is accurate and complete.

4. Data Security - Businesses must ensure that the data they collect and store is secure and cannot be accessed by unauthorized persons; this also helps preserve the accuracy of the information. To comply with the PIPL and to prevent unauthorized access to PI, PI leaks, and PI distortion, businesses are required to adopt the following measures:

  • drafting and adopting internal management structures and operating rules;
  • implementing categorized management of personal information;
  • adopting corresponding technical security measures such as encryption and de-identification;
  • reasonably determining operational limits for personal information handling, and regularly training and educating employees to keep PI safe and secure;
  • formulating and organizing the implementation of personal information security incident response plans, to be used if there is a security breach at the business and PI collected by the business has been accessed without authorization.

5. Joint Handling of PI - Sharing PI with a third party requires the specific consent of the user. A business intending to process data together with a third party must jointly decide with it on the purpose and method of PI handling and on their respective rights and obligations. If the joint handling harms individuals’ PI rights and interests and causes damage, they are jointly liable as provided by law. They must conclude an agreement specifying the purpose, time limit, handling method, and categories of personal information to be collected, as well as the protection measures to be undertaken to ensure the safety and accuracy of the data. If the joint handling is terminated, the data must be returned to the original collector/handler of the information.

6. Retention of data - PI must be retained only for the shortest period necessary to realize the purpose of the PI handling. PI handlers shall proactively delete PI in the following circumstances:

  • the purpose has been achieved or is impossible to achieve, or the PI is no longer required to achieve it;
  • the PI handler ceases to provide the products/services;
  • the retention period has expired;
  • the individual rescinds consent;
  • the PI handler handled the PI in violation of the law; or
  • other circumstances provided by law.

In China the limitation period for claims is usually 3 years; therefore, data should be deleted within three years from the date on which the purpose of its collection was fulfilled. Please see Article 188 of the Civil Code and Article 27 of the Law on Mediation and Arbitration of Labor Disputes.

7. Compliance requirements -

  • Businesses handling quantities of PI specified by the Cyberspace Administration of China (CAC) must appoint personal information protection officers, who are responsible for supervising PI handling activities and the protection measures adopted. Businesses must disclose the names and contact details of these PI protection officers to the CAC. Section 11.1(c) of the PIS Specification requires an organization to appoint a data protection officer and a data protection department if the organization:
    • has more than 200 employees and its main business line involves data processing;
    • processes, or is estimated to process, the personal information of more than 1,000,000 individuals; or
    • processes the sensitive personal information of more than 100,000 individuals.
  • PI handlers outside the PRC must establish a dedicated entity or appoint a representative within the borders of the PRC and report the name of that entity to the CAC.
  • Businesses must regularly audit their PI handling and its compliance with laws and administrative regulations.
  • A PI protection impact assessment must be carried out in advance and recorded in the following circumstances:
    • handling sensitive personal information;
    • using personal information to conduct automated decision-making;
    • entrusting personal information handling to another party, providing personal information to other personal information handlers, or disclosing personal information;
    • providing personal information abroad;
    • other personal information handling activities with a major influence on individuals.
  • A PI protection impact assessment covers:
    • whether the personal information handling purpose, handling method, etc., are lawful, legitimate, and necessary;
    • the influence on individuals’ rights and interests, and the security risks;
    • whether the protective measures undertaken are lawful, effective, and suited to the degree of risk.
  • Impact assessment reports and handling status records must be preserved for at least three years.

When do I need to procure a separate and specific consent?

“Separate consent” is consent that cannot be satisfied by a “bundled consent” (i.e. a single consent obtained, for example by an employer, for personal information processing for multiple purposes). Specific consent is required in the following circumstances:

  • any change in the purpose or method of PI handling;
  • handling SPI;
  • any public disclosure of PI;
  • sharing PI held by your business with another business;
  • any handling of PI which has a major influence on the individual’s rights and interests; and
  • any transfer of collected PI outside the borders of the PRC.

Can I transfer personal information collected in PRC, to a location outside of the PRC for processing purposes?

1. A business that wants to transfer PI outside the borders of the PRC is required to:

  • pass a security assessment organized by the Cyberspace Administration of China (CAC) according to Article 40 of the Law;
  • undergo personal information protection certification conducted by a specialized body according to provisions issued by the CAC;
  • conclude a contract with the foreign receiving side in accordance with a standard contract formulated by the CAC, agreeing on the rights and responsibilities of both sides (the regulations provide a standard contract which may be used as a template for this purpose);
  • ensure that the foreign receiving party’s PI handling meets the standard of PI protection required by the Law.

2. Critical information infrastructure operators and PI handlers handling quantities of PI specified by the CAC (quantities not yet prescribed) must store PI within the borders of the PRC. If they need to provide it abroad, they must pass the security assessment organized by the CAC.

A.2 of the Critical Information Infrastructure Security Protection Regulations states that critical information infrastructure refers to important network infrastructure, information systems, etc., in important industries and sectors such as public telecommunications and information services, energy, transportation, water, finance, public services, e-government, and national defence science, technology, and industry, as well as other infrastructure whose destruction, loss of functionality, or data leakage may gravely harm national security, the national economy and people’s livelihood, or the public interest.

3. Approval from the competent PRC authorities must be obtained before PI stored within the mainland territory of the PRC is provided to foreign judicial or law enforcement agencies.

4. Penalties for non-compliance:

  • A.66: order correction, confiscate unlawful income, and order the provisional suspension or termination of service provision of the application programs unlawfully handling personal information; where correction is refused, an additional fine of not more than 1 million Yuan is imposed; the directly responsible person in charge and other directly responsible personnel are fined between 10,000 and 100,000 Yuan.
  • A.66 (grave unlawful acts): order correction, confiscate unlawful income, and impose a fine of not more than 50 million Yuan or 5% of annual revenue. The authorities may also order the suspension of related business activities or cessation of business for rectification, and report to the relevant competent department for cancellation of the corresponding administrative licenses or business licenses. The directly responsible person in charge and other directly responsible personnel are fined between 100,000 and 1 million Yuan, and may also be prohibited from holding positions of director, supervisor, high-level manager, or personal information protection officer for a certain period.
  • A.67: unlawful activities are entered into the credit files and publicised.
  • A.69: where the handling of PI infringes individuals’ rights and interests and the PI handler cannot prove it is not at fault, it bears liability for compensation and other liability for the infringement.
  • A.70: a lawsuit can be filed if PI is handled in violation of the law.
  • A.71: if public security management is violated, criminal investigations can be ordered.

For a sample of the GDPR Privacy Policy:

https://docpro.com/doc107/privacy-policy-with-gdpr-website-mobile-app

For a sample data protection officer appointment letter:

https://docpro.com/doc2133/data-protection-officer-appointment-letter-neutral

For a sample of data processing agreement:

https://docpro.com/doc1979/data-processing-agreement-controller-to-processor

For a sample data sharing agreement:

https://docpro.com/document-form-select/Data%20Sharing%20Agreement

Christina Keough

Christina is a Legal Writer at DocPro. Christina manages the legal articles and blogs, identifies legal topics, and invites lawyers and legal experts to contribute. Christina holds a law degree from a leading university.

Keywords: China Privacy Law, Privacy Law, Privacy, China, China Data Security, Data Security, Data, Data Privacy
