China has joined the list of countries that have a comprehensive privacy law. On November 1st 2021, the Personal Information Privacy Law, or PIPL was enacted, protecting the personal information of people living in the People’s Republic of China. We have summarised the main aspects of the regulation and what it could mean for businesses offering their services and products to people living in China.

The privacy law follows many of the principles we know from other well-known privacy regulations such as the GDPR, including its extra territorial reach.

In case you would like to read about the regulation in detail, Digi China has done a great job in translating the whole legal text from Mandarin to English.

Any natural person within the borders of the People’s Republic of China is protected by the PIPL and any business or organisation that:

• provides products or services to natural persons inside the borders

• analyses or assesses activities of natural persons inside the borders

needs to comply with the regulation.

Similar to other regulations, the scope of personal information is broad and includes “all kinds of information", recorded by electronic or other means, connected to identified or identifiable natural persons and used for collection, storage, processing, transmission, disclosure, etc.

According to Article 4 anonymised data does not fall into the scope of the PIPL.

Sensitive personal information is any information that could easily cause harm to the dignity of a natural person, including biometric characteristics, religious beliefs, specially-designated status, medical health, financial accounts and location tracking as well as information of minors under the age of 14.

For data handling activities of this type, additional provisions and precautions need to be made by the personal information handler.

Personal information handlers follow largely the same concept of Data Controllers in other privacy regulations. These are organisations or people that collect and process, or handle, an individuals’ personal data and define what the information handling activities are going to be. They carry the main responsibility to ensure the personal information is processed in line with the PIPL.

Similarly, the ‘entrusted person’ is close to the definition of Data Processors, where the entrusted person handles personal information on behalf of the PIH.

Yes. If a PIH entrusts the handling of personal information to an ‘entrusted person’ they need to haven an agreement in place that defines the purpose for entrusted handling, the time limit, the handling method, categories of personal information, protection measures, as well as the rights and duties of both sides. Entrusted persons cannot handle the personal information outside of what has been agreed with the PIH.

Note: An ‘entrusted person’ doesn’t mean that the person or organisation are generally an ‘entrusted person’. Rather it defines the person’s or organisations’ role when they’ve been tasked to handle personal information on behalf of another entity or the PIH. This means people and organisation can be both a PIH and an ‘entrusted person’.

While worded differently, in Article 5–9 the PIPL outlines data handling principles similar to the GDPR or LGPD that are at the heart of the regulation and define how companies must treat the use of personal data. Analogous and for purpose of reference to other regulations, these principles are:

• Principles of legality, propriety, necessity and sincerity

• Principles of handling purpose and data minimisation

• Principles of openness and transparency

• Principles of data quality and accuracy

• Principle of data security

Along with these principles the PIPL clearly states that any handling of personal data in a misleading, swindling, coercive, excessive, inaccurate or unsecured fashion is prohibited.

Yes. Personal information handlers need to conform with one of the following:

1. Obtaining individuals’ consent;

2. Where necessary to conclude or fulfil a contract in which the individual is an interested party, or where necessary to conduct human resources management according to lawfully formulated labour rules and structures and lawfully concluded collective contracts;

3. Where necessary to fulfil statutory duties and responsibilities or statutory obligations;

4. Where necessary to respond to sudden public health incidents or protect natural persons’ lives and health, or the security of their property, under emergency conditions;

5. Handling personal information within a reasonable scope to implement news reporting, public opinion supervision, and other such activities for the public interest;

6. When handling personal information disclosed by persons themselves or otherwise already lawfully disclosed, within a reasonable scope in accordance with the provisions of this Law;

7. Other circumstances provided in laws and administrative regulations.

Directly copied from translated legal text on Digi China.

The PIPL does not have a ‘legitimate interest’ provision.

Individual consent needs to be given with full knowledge, in an explicit statement and voluntary.

Further individuals have the right to withdraw their consent any time without being negatively affected by that choice, such as refusal of providing products or services, except where handling personal information is necessary for the provision of those products or services.

Yes. In Article 17 the PIPL states that individuals need to be fully informed about the data handling, along with the purpose, methods, categories of data used, contact details and privacy rights using clear and easy to follow language.

Automated decision-making methods for information push delivery or commercial sales to individuals need to provide the option for individuals to not be targeted based on their personal characteristics and have a convenient method for them to refuse.

PIH that use automated decision-making which can have a major influence on the rights and interests of an individual, need to give the individual the right to refuse that the decision is solely made through automated decision-making methods.

Any business that needs to transfer data outside of the People’s Republic of China needs to comply with one of the following conditions:

1. Passing a security assessment organized by the State cybersecurity and informatization department according to Article 40 of this Law;

2. Undergoing personal information protection certification conducted by a specialized body according to provisions by the State cybersecurity and informatization department;

3. Concluding a contract with the foreign receiving side in accordance with a standard contract formulated by the State cyberspace and informatization department, agreeing upon the rights and responsibilities of both sides;

4. Other conditions provided in laws or administrative regulations or by the State cybersecurity and informatization department.

Individuals also need to be notified about the international data transfer incl. information about the foreign receiving side’s name, contact method, handling purpose, handling methods, personal information categories and ways to exercise the rights provided in the PIPL.

Article 44–50 in the PIPL provides individuals with the following rights:

• Right to know about their personal information being handled by PIH;

• Right to limit or refuse the handling of their personal information;

• Right to consult, copy and transfer their personal information from a PIH;

• Right to correct inaccurate or supplement incomplete personal information;

• Right to delete personal information; and

• Right to be explained personal information handling rules by PIHs.

Where PIHs reject individuals’ requests to exercise their rights, they can file a lawsuit with a People’s Court.

Under certain circumstances, yes. If a PIH handles personal information reaching quantities provided by the State cybersecurity and informatization department the PIH needs to appoint a Personal Information Protection Officer who is responsible for supervising all personal information handling activities.

Yes. If you are based outside of China but you offer your products or services to people within the borders of China you will need to have an appointed representative within the borders who is responsible for matters related to the personal information you handle.

Yes. In the PIPL this is called a Personal Information Protection Impact Assessment and you need to conduct one if you:

• handle sensitive personal information;

• have automated decision-making processes based on individuals’ data;

• entrust other parties with personal information handling;

• want to transfer personal information abroad;

• have other personal information handling activities that can have a major influence on individuals.

Further the PIPL also defines that every PIPIA needs to be kept for at least three (3) years.

China takes a very strict approach and penalties come in different layers. For grave unlawful acts authorities can fine up to 50 million Yuan or 5% of annual revenue.

On top of that they can also order correction, confiscate unlawful income and order the suspension of related business activities as well as cancellation of business licenses.

But that’s not all. The PIPL gives authorities also the means to fine the person who is directly responsible and other directly responsible personnel for the misconduct. They can be fined between 100,000 and 1 million Yuan and they may also be prohibited from holding positions of director, supervisor, high-level manager or personal information protection officer for a certain period.

Foreign organisations or individuals that handle personal information of people in China and violate their personal information rights and interests — or harming the national security or public interest of the People’s Republic of China — the State cybersecurity and informatization department can put these organisations on a list limiting or prohibiting personal information provision, issue a warning and adopt measures such as limiting or prohibiting the provision of personal information to them.

Unlike other regulations, the PIPL has explicit rules that apply only to large Internet platform services. Among other things, Article 58 states that these organisations must establish and complete personal information protection compliance systems and structures according to state regulations as well as having an independent body staffed mainly with outside members to supervise personal information protection handling. They’re also required to regularly release personal information protection social responsibility reports and accept society’s supervision. What “society’s supervision” exactly means, is unclear.

On September 1st, 2021, China also enacted the Data Security Law of the People’s Republic of China a comprehensive law specifying data security requirements and measures for businesses. The Data Security Law sits alongside the PIPL.