Personal Information Protection Law: finally a reference text for handling PI in China – but how comprehensive is it?

28 October 2020

Following the general update on cybersecurity compliance started in 2017, the PRC regulator focuses now on Personal Information in a draft version of the Personal Information Protection Law (“PIPL”) released on October 21st, 2020 for public comments and representing the first milestone law aggregating provisions on data privacy – previously scattered across various texts.

With data privacy crystallised in the recently issued Civil Code, the PRC regulation reaches a higher level of maturity regarding the protection of data subject rights and further frames how organisations can collect, store, process and share Personal Information.

Although a concise text, the PIPL covers a wide array of topics. For clarity’s sake we have articulated thematically our analysis and included comparison points with other legal framework – such as the EU GDPR – as reference points for our audience outside China.

Scope

Data subjects protected by the PIPL are any natural person located within the People’s Republic of China (‘PRC’). There is no distinction on employees, consumers or patients as we have seen in other jurisdictions (e.g. US California Privacy Act Policy).

The PIPL applies to “PI handler” defined as organisations or individuals autonomously deciding on handling purposes and processes – unless an individual handles PI for personal affairs. This scope greatly varies with the GDPR: according to the PIPL definition, only organisation understood as “data controller” (under GDPR) are subject to the law, not “data processor”.
The term “data handler” is used in this article as per the unofficial translation from NewAmerica.org as a reference term to distinguish it from “data controller”, “data processor” (from the EU) or “network operator” (from the PRC).
So what happens when several entities work together on handling PI? The key factor is to determine if they decide jointly on the purpose and handling methods of PI. If so, they shall then agree on their respective responsibilities. This particular point translates for organisations into including warranties and operational responsibilities provisions regarding PI protection in their contractual documentation. It is worth noting all handlers working together bear jointly any legal liabilities arising from violations to the PIPL – disregarding any contractual agreement.

Where material and territorial scopes have always been a great concern for companies to understand the applicability of the law, the PIPL provides a clear guidance: the law applies to Personal Information of data subjects located in China – whatever their nationality. The law applies as well to activities located outside of the PRC, if those activities handle PI from the PRC. This appears particularly important for foreign organisations with services deployed in China collecting PI, now subject to the PIPL – regardless of if they are incorporated in China or not (more on localization in a dedicated section below).
This extraterritorial reach mirrors the GDPR. However, there is no provision regarding the applicability of the law to domestic organisations handling PI originating from outside the PRC (as the GDPR does).

Underlying principles

For an organisation (or an individual) to handle – i.e. collect, store, use, process, share, publish – PI from the PRC, it shall integrate the following key principles as part of its data protection and privacy compliance programme.

  • Information: inform the data subject of the purpose and the process of PI handling (principle of transparency under GDPR). Clear and understandable language must be used to communicate with the users (as stated in GDPR). This trend appears globally to steer away from long and confusing terms most users tend to ignore. The notification displayed by PI handlers shall include the identity and contact of the handler, the purpose of PI handling and methods, the retention period, and the process for data subjects to exercise their rights. Exceptions to inform data subjects prior PI handling exist in case of secrecy authorised by the law or under emergency circumstances to protect an individual’s life, health or property’s security.
  • Minimisation: minimise its processing activities solely for such purpose (minimisation principle under GDPR), and the retention to the shortest period necessary for the realisation of the purpose agreed upon by the data subject.
  • Accuracy: keep accurate and up to date the PI (similar to the accuracy principle under GDPR),
  • Lawful basis: base its handling on one of the following lawful grounds (close to lawful basis under GDPR although not identical):
    • consent from the data subject. Consent shall be informed, voluntary and explicit. For data subjects under 14 years old, the organisation shall seek parental / guardian consent. Consent cannot be a condition for provision of services unless PI are strictly necessary for such services.
    • execution of a contract with the data subject,
    • fulfilment of statutory duties,
    • protection natural person’s lives or response to a public health incident – in recent light of Covid-19 pandemic,
    • news reporting useful to public interest – in reasonable scope.

Sub-processing

In case of a data handler entrusting a third-party for “further handling” – understood as sub-processing under GDPR definition and general industry definition – consent of the data subject shall be obtained. This means the notice on PI handling methods should include the sub-processing information, including its identity, its contacts, the purpose and methods of PI handling.

M&A and restructuring of data handlers

After the operations of a data handler have been restructured, legal obligations from the PIPL shall be borne by the handler receiving the PI.
We can extrapolate that in case of share deal in China, the buyer bears the duties and responsibilities regarding PI protection. Practically this aspect emphasises once more the critical importance of including data protection and privacy compliance in a M&A due diligence process.

Automated decision making

As seen with GDPR, any process including an automated (i.e. without any human intervention) process for the data handler to take a decision appears here again under the regulator’s scrutiny. The general rule follows the principles of transparency and fairness, i.e. notification to the users and fair results of the process. Furthermore, a user shall have the option not to be targeted based on their characteristics by automated process for commercial purposes.

Facial recognition

With a dedicated article in the PIPL, facial recognition stands as a hot topic for the regulator. Again, the principle of transparency applies to data handler operating PI recognition equipment, i.e. the obligation to indicate such collection when used in public venues.
The only acceptable lawful basis for facial recognition is safeguarding public security. Implicitly no commercial purposes are allowed for facial or PI recognition processes.

Public PI

Interestingly the PIPL introduce a creative nuance compared to the GDPR when protecting already published PI. Such PI is available for data handlers to process but only with a similar purpose as originally agreed by the data subject.
The technical implementation of such requirement seems rather impractical, knowing consent and purposes are not attributes materially attached to PI.

Cross-border PI transfer

To transfer PI outside the PRC, a data handler must either:

  • pass a security assessment run by the “State cybersecurity and informatization department”,
  • obtain a PI protection certification,
  • form a contractual agreement with the receiving party defining each party’s responsibilities, or
  • meet other legal provisions from relevant regulation.

Those conditions are more stringent than the previously available option to rely simply on user’s consent and are now setting a higher compliance bar for handlers to send PI overseas.

The contractual option appears close the Standard Contractual Clause – highly popular with data controller between the EU and the US after the Schrems II decision from the Court of Justice of the European Union – although it lacks the quality of having been approved by Supervisory Authority. Without such prior administrative approval, we can already predict this will be the most popular choice for data handlers to legally transfer PI outside the PRC.

User rights

Under the PIPL data subjects can exercise the following rights to the data handler regarding their PI. Requests shall be answered “in a timely manner” without clear indication of turnaround period or fees – unlike 30 days and for free under GDPR. In case a request is rejected, the data handler shall provide explanations to the user. User rights are listed under the PIPL as follows:

  • Right to be informed
  • Right to access and obtain copy of their PI (no mention of portability)
  • Right to withdraw consent
  • Right to correct or complete PI in case of inaccurate or incomplete PI
  • Right to delete PI in case of:
    • expired retention period,
    • end of provision of service or product,
    • consent withdrawal,
    • violation of laws by the data handler.
  • Right to obtain explanation of automated decision process
  • Right not to be subject to automated decision process

It is worth noting the PIPL is lacking implementation details regarding the accountability of the data handler on dealing with requests from data subjects. A cautious approach would therefore be to carefully document the request from reception to resolution in anticipation of either an inspection from the authorities or a litigation with a data subject. Furthermore, an industry good practice would be to revert on request under 30 days and for free.

Data protection

As the trusted recipients of PI, data handlers have the duty to protect such data. They shall formulate and implement a corpus of policies on a wide array of topics such as:

  • encryption,
  • anonymisation,
  • data inventory with legal qualification,
  • employee training and awareness raising,
  • security self-audit,
  • risk assessment (similar to a Privacy Impact Assessment),
  • incident response and notification.

When manipulating large volume of PI (exact size to be defined by the State cybersecurity and informatization department), data handlers shall appoint a staff member responsible for PI protection. Without clear details on responsibilities and liabilities, it is unclear how close this position is to the Data Protection Officer under GDPR. Furthermore, as China displays a consistent stance on sanctioning personally responsible staff member in case of a violation by an organisation, the PIPL is no exception with the person appointed for PI protection to be potentially subject to person fines up to RMB 1M. We believe this type of personal sanction excludes de facto the rise of a “DPO-as-a-service” offer (i.e. outsourcing the DPO position to specialized firms). Organisations will need to carefully reflect the weight of the position into the candidate selection and their employment contract.

Localisation

Data localisation has been a strong focus of the PRC legal framework. The PIPL goes a step further with the requirement for a data handler to establish a legal presence within the PRC territory – either as an entity or a representative.
Similar to the 2019 Vietnam Cybersecurity Law, this requirement ensures an efficient enforcement by the administration in case of a violation, and further reflects the strengthening of Internet sovereignty in the PRC.

National safety

As commonly found thorough PRC regulation on data protection, national safety and public order are primordial interests to safeguard. The PIPL shows no exception and includes both as matters for organisations to protect when handling PI.

Data Protection Authority

A “PI protection structure” will be established by the State to promote good practices, provide guidance, conduct investigations, issue corrective recommendations and sanctions illegal behaviours. This “structure” appears close to a “Data Protection Authority” (or “Supervisory Authority”) in the EU. Details are yet to be provided about its exact responsibilities, composition and articulation with other authorities – namely the Cybersecurity Administration of China. We certainly can hope a unique authority dealing with PI protection will bring clarity in an environment prone to competition between various administrations – such as Ministry of Industry and Information Technology, Ministry of Commerce or Ministry of Public Security.

Sanctions

When determining the level of corporate fines, the PIPL follows the GDPR with dual options of either RMB 50M or 5% of annual revenue. It is however unclear if the revenue is defined as PRC-territory only or worldwide.
Additionally sanctions include confiscation of illegal gains, cessation of business, revocation of business license and permits – generally ringing the death knell of a business in the PRC.
The PIPL follows the PRC legal tradition of fining personally the staff member responsible for PI protection up to RMB 1M.

Furthermore, the corporate social credit score of an organisation will be impacted by violation of the PIPL and publication of said violation will ensue – adding reputational damages to the above-stated sanctions.

A data handler violating PI rights of data subjects shall compensate them accordingly – either based on the loss caused to the users, the gain generated for the handler or an estimation by the authorities.

Finally, foreign organisations or individuals violating the provisions of the PIPL shall be put on a blacklist limiting or prohibiting their access to PI from the PRC.

It is also worth noting countries adopting “discriminatory prohibitions, limitations or other similar measures” against the PRC regarding PI shall be subject to “retaliatory measures”.
The PIPL appears rather unique in the global regulatory landscape regarding such retaliatory provisions, but does integrate in the current state of trade and tech tensions between the PRC and the US.


In conclusion, the gap between PRC regulation and the EU (with GDPR) is closing on Personal Information – although PRC regulation aims at covering the entire cybersecurity area. GDPR appears still more comprehensive especially regarding accountability, distinction between data controller and data processor, inclusion of the latter in its scope, data breach notification, relationship with the Data Protection Authority, role and responsibilities of the Data Protection Officer, to name a few.

Organisations already handling PI in the EU or with data subjects from the EU – either as data controller or data processor – should be able to leverage their compliance processes to reach rapidly a satisfactory level in the PRC.
However successful organisations keep in mind data protection and privacy compliance in the PRC is not only dictated by a single text, but rather a rich corpus of laws, measures, guidelines and standards.

It is worth noting the PIPL is the perfect example of the iterative regulatory production process of the PRC: a legal framework built firstly with a trail-blazing and direction-setting abstract text (the Cybersecurity Law in 2017) completed by topic-specific laws, lower level measures and non-binding standards over a period of usually 5 years.

Although the PIPL brings clarity to data protection on PI, several other areas remain scattered through the regulation, namely on non-personal information. Without any clear timeline for entry into force, we can expect an adoption of the PIPL by NPC around March next year, leaving time for organizations to prepare – namely by assessing their data inventory and flows, identifying internal data owners and external vendors, and reviewing their existing process.


Technical details

Personal Information Protection Law
Status: draft published for public comment
Publication date: 21 October 2020
Reviewed by the National People’s Congress (22nd meeting go the 13th NPC Standing Committee)
Original announcement in Chinese:
http://www.npc.gov.cn/flcaw/userIndex.html?lid=ff80808175265dd401754405c03f154c
Source in Chinese:
http://www.npc.gov.cn/flcaw/flca/ff80808175265dd401754405c03f154c/attachment.pdf
Unofficial translation in English:
https://www.newamerica.org/cybersecurity-initiative/digichina/blog/chinas-draft-personal-information-protection-law-full-translation/


To know more, please contact

Gregory Louvel g.louvel@leaf-legal.com

Nicolas Bahmanyar n.bahmanyar@leaf-legal.com

The TL Group is a team providing tech and legal services.

The alliance between Leaf, a law firm, and TekID, a Data intelligence firm, is providing a comprehensive cyber security and data management offering which will help you enhance your security with a holistic approach. This team of cyber / data experts and lawyers can offer services to companies and managers such as compliance audits and programs in cybersecurity, structuring deals involving data assets, understanding and managing the life cycle of data and the associated risks, forensic investigations, among others.