China passed a major data protection law on Friday, August 20th. The Personal Information Protection Law (PIPL) unifies and strengthens piecemeal legislation around data privacy into a set of rules regulating data collection, processing, and protection. Many companies that were exempt from the GDPR and CCPA may need to comply with PIPL. So what is China’s new privacy law and how will it affect your business? Read on to learn about the basics of PIPL, who the law applies to, and how to comply.

Scope

PIPL applies to organizations that meet any of the following criteria:

  • Handling the Personal Information of natural persons inside of China’s borders
  • Handling the Personal Information of persons inside of China’s borders while outside of China if (at least one of) the following:
    • Purpose is to provide goods/services to persons in China
    • Analyzing or assessing activities of persons in China
    • Other circumstances provided in laws or administrative regulations

What is “Personal Information?”

All kinds of information, recorded by electronic or other means, that relates to identified or identifiable natural persons, not including information that has been anonymized. Personal Information Handling includes PI collection, storage, use, processing, transmission, provision, disclosure, deletion, etc.

Under PIPL it is prohibited to handle PI in ways that are:

    • Misleading
    • Swindling
    • Coercive

Penalties and fines

Regulators in China will aggressively enforce PIPL, and violations will result in the following penalties:

  • Confiscation of unlawful income
  • Suspension of service
  • Compensation in the amount of loss to the individual or gain to the company
  • Possible criminal liability
  • Uncorrected violations may result in a fine of up to 1 million Yuan for the organization and a fine of 10,000-100,000 Yuan for responsible personnel.
  • Grave violations will incur fines of up to 50 million Yuan or 5% of the offending organization’s annual revenue, fines of 100,000-1 million Yuan for responsible personnel, and a prohibition on holding senior positions.

Data Minimization

Something that PIPL has in common with the GDPR, the European privacy law, is the concept of data minimization. Under PIPL, Personal Information handling must have a clear and reasonable purpose, be directly related to that purpose, and be limited to the smallest scope needed to realize it. Excessive Personal Information collection is prohibited, and organizations must use the methods with the smallest influence on individual rights and interests.

Additionally, organizations collecting Personal information must have a legal basis for handling it. This means that the Personal Information must be collected with the individual’s consent, and should only be collected for these reasons:

  • Necessary to fulfill a contract to which the individual is a party
  • Necessary for human resources management
  • Fulfill statutory duties/obligations
  • Respond to public health incidents or protect person’s lives, health, or property in emergencies
  • News reporting, public opinion supervision, & other public interest activities
  • Already disclosed by the individual or otherwise lawfully disclosed, within a reasonable scope
  • Other circumstances as provided by law

Consent

Since consent is a key factor in an organization’s legal basis for handling personal information, let’s cover how PIPL defines it.

  • Given knowingly with full information
  • Voluntary
  • Explicit
  • Must be re-obtained if the purpose, method, or categories of Personal Information change
  • Individuals have the right to rescind
  • Companies must provide convenient process for rescission
  • Can’t refuse services if the individual refuses consent, unless handling of the Personal Information is necessary to provide the service

Notice

Handlers must notify individuals of the following:

  • Name & contact of the PI Handler
  • Purpose of handling
  • Handling methods
  • Categories of PI
  • Retention period
  • Procedures for exercising PIPL rights
  • Other notifications required by law
  • Changes in previous notice
  • Disclosures shall be public & convenient to read & store

Entrusted Persons (EPs)

  • Processors & Subprocessors
  • Notice to data subjects
  • Must have contracts that include:
    • Purpose of Handling
    • Retention limit
    • Handling method
    • Categories of PI
    • Protection measures
    • Rights & duties of both parties
  • Supervision of EP
  • EP cannot handle in ways/for purposes not specifically allowed in the agreement
  • EP must get consent to further entrust (i.e. get a subprocessor)

Automated Decision-making (ADM)

  • Guarantee transparency, fairness, & justice
  • No unreasonable differential treatment in things like price
  • If conducting push delivery or commercial sales, must simultaneously give the option:
    • Not to be targeted based on the individual’s characteristics, or
    • A convenient method to refuse
  • If ADM has a significant impact on rights & interests:
    • Right to require the handler to explain
    • Right to refuse decisions made solely by automated means

Identity Recognition

Image collection/recognition equipment in public venues may be used for public safety, with clear signage.

  • Images used only for public security
  • Must obtain individual consent to use for any other purpose

Publicly Disclosed Information

  • May handle PI already disclosed by the individual
  • May handle PI otherwise lawfully disclosed
  • If there is a major influence on rights/interests, handlers should still get consent
  • Even if no major influence, handlers must stop handling if individual clearly refuses

Sensitive Information

  • PI that, if leaked or used illegally, could easily cause harm to the dignity of natural persons or to the security of their person or property.
  • Can only be handled for a specific purpose and with strict protection measures
  • Sensitive PI includes:
    • Biometric Characteristics
    • Religious Beliefs
    • Specially-designated status
    • Medical Health
    • Financial Accounts
    • Individual Location Tracking
    • PI of Minors under the age of 14

Cross-Border Handling

Must meet 1 of the following:

  • Pass a security assessment by the Cyberspace Administration of China (CAC)
  • Undergo a PI protection certification from a specialized body (under provisions of CAC)
  • Enter a contract with the foreign receiving side in accordance with a standard contract formulated by CAC
  • In accordance with other laws or regulations of the CAC

Individual Rights

Individuals have the right to:

  • Know & Decide
  • Limit or Refuse
  • Consult & Copy Their PI
  • Transfer Their PI
  • Correction/Completion
  • Explanation of PI Handling Rules
  • Right to Deletion if:
    • Purpose achieved or impossible,
    • No longer necessary for purpose,
    • Products/services no longer provided,
    • Retention period over,
    • Consent rescinded, or
    • Handlers processed PI in violation of law or agreements
  • Next of Kin May Claim Rights for Deceased

Handlers’ Duties

PI Handlers Shall:

  • Formulate internal structures and operating procedures to comply
  • Implement categorized PI management
  • Adopt technical security measures
    • Encryption
    • De-identification
  • Conduct security education & training for employees
  • Create & implement a PI security incident response plan
  • Engage in regular audits
  • If PI is outside of China:
    • Appoint an entity or representative inside China
    • The representative is responsible for matters related to PI handling
    • Report the representative’s identity and contact info to CAC/relevant departments
  • Need a PI Protection Officer if handling PI in quantities identified by CAC
    • PO responsible for supervising PI handling activities
    • PO responsible for adopting data protection measures

Protection Impact Assessment

Required if:

  • Handling sensitive PI
  • Using PI to conduct automated decision-making
  • Entrusting PI handling to other PI Handlers
  • Providing PI abroad
  • Engaging in other PI handling activities with a major influence on individuals

The assessment shall include:

  • Whether the handling purpose, method etc. are lawful, legitimate & necessary
  • Influence on individuals’ rights & interests
  • Security risks
  • Whether protective measures are legal, effective, & suitable to the degree of risk

Security Breaches

  • Immediately adopt remedial measures
  • Notify relevant departments & the individuals, including:
    • Info categories, causes, & possible harms
    • Remedial measures taken
    • Remedial measures the individual can adopt to mitigate harm
    • Contact method for the handler
  • Need not notify individuals if the handler can effectively avoid harms

Platform Providers

Organizations that provide internet platform services, have a large number of users, and operate complex business models must:

  • Establish & complete PI protection compliance systems/structures that follow State regulations
  • Establish an independent body of outside members to supervise PI protection
  • Abide by principles of openness, fairness, & justice
  • Create platform rules & clarify standards for intra-platform product/service providers handling PI
  • Stop providing products/services on the platform that seriously violate PI handling laws
  • Regularly release PI protection social responsibility reports
  • Accept supervision

Conclusion

China’s new privacy law applies to a broad variety of organizations, will require new policies and documents to be created to show compliance, and takes effect very soon after being passed. SixFifty’s recent webinar answered some frequently asked questions, and offers more insight into the new law. Watch our webinar below.

SixFifty Presenters

Marie Kulbeth
General Counsel, VP of Legal Product @SixFifty

Marie Kulbeth is the General Counsel of SixFifty and the co-director of BYU LawX, a legal design lab dedicated to solving access to justice problems. Before SixFifty, Marie served as an assistant dean at BYU Law School, where she built a diversity recruiting program. Her work with SixFifty and LawX shows that law can be less complicated, and it can be more equitable for both companies and individuals. On the Legal Products side of our business, Marie concentrates her focus on Privacy and Diversity, Equity, and Inclusion.

Ryan Parker
Chief Legal Officer @ SixFifty

Ryan Parker is a proud graduate of the University of Utah and the University of Michigan Law School. Ryan worked as Senior Trial Counsel at the Department of Justice and served as the Chief of Litigation at the Office of the Director of National Intelligence before joining SixFifty as the Chief Legal Product Officer.

SixFifty Can Help

PIPL has many aspects that are similar to other privacy laws, so businesses already in compliance with or aware of other laws will be familiar with many of these new requirements. However, there are enough differences, in exemptions and compliance, that consulting a data privacy expert is highly recommended if you conduct any business in China. SixFifty will be releasing a data privacy tool soon to help businesses assess whether the law applies to them and, if so, to what extent. In addition, SixFifty will give companies the tools they need to follow the law well before the enforcement date of November 1, 2021. Please feel free to reach out to our data privacy experts with any questions you may have.