Protecting Your Personal Information in the Age of the PersonalInformation Protection Law (PIPL) by the People's Republic of China

What is the Personal Information Protection Law (PIPL) by the People's Republic of China?

The Personal Information Protection Law (PIPL) is a comprehensive data privacy law in China that aims to protect the personal information of individuals located in China, regardless of the location of the processor. The law applies to organizations and individuals that collect, use, store, transfer, or disclose the personal information of individuals located in China. It is one of the many data protection laws now in effect in Asia, for instance, Japan's APPI.

The PIPL establishes a framework for the collection, use, storage, transfer, and disclosure of personal information, and it emphasizes the principles of transparency, purpose limitation, data minimization, accuracy, security, and accountability. It also grants individuals a number of rights regarding their personal information, including the right to access, correct, delete, and object to the processing of their personal information.

The PIPL was enacted on August 20, 2021, and went into effect on November 1, 2021.

Who must comply with PIPL?

The PIPL of China - like Japan's APPI - applies to any organization or individual that collects, uses, stores, transfers, or discloses the personal information of individuals located in China, regardless of the location of the processor. This means that both domestic and foreign entities that handle the personal data of Chinese citizens are subject to the PIPL's requirements.

Here are some specific examples of entities that are subject to the PIPL:

• E-commerce companies: E-commerce companies that collect personal information from customers, such as their names, addresses, phone numbers, and email addresses, must comply with the PIPL.
• Social media companies: Social media companies that collect personal information from users, such as their profiles, posts, and location data, must comply with the PIPL.
• Financial institutions: Financial institutions that collect personal information from customers, such as their names, addresses, financial information, and social security numbers, must comply with the PIPL.
• Employers: Employers that collect personal information from employees, such as their names, addresses, dates of birth, and medical information, must comply with the PIPL.
• Individuals: Individuals who collect personal information from others, such as their names, addresses, and phone numbers, must comply with the PIPL if they intend to use this information for commercial or other purposes.

In addition to these specific examples, the PIPL applies to any organization or individual that processes personal information of individuals located in China, regardless of the nature of the processing activity or the size of the organization. 

The PIPL's extraterritorial scope means that foreign entities that handle the personal data of Chinese citizens are subject to the law, even if they are not located in China. This can pose challenges for foreign companies, as they may need to adapt their data handling practices to comply with Chinese law. Personal information processors must also take necessary measures to ensure that the personal information processing activities undertaken by the overseas recipients meet the personal information protection standard prescribed by the PIPL.

How does the PIPL define personal information and sensitive personal information?

Personal Information

The PIPL defines "personal information" as any information related to an identified or identifiable natural person. This means that the law applies to a wide range of information, including:

• Name
• Address
• Phone number
• Email address
• Date of birth
• Social security number
• Financial information
• Medical information
• Location data
• Biometric data
• Internet browsing history
• Social media posts

The PIPL excludes anonymized information from its definition of personal information. Anonymized information is information that cannot be used to identify an individual. For example, if a company collects data on the average age of its website visitors, this data would be considered anonymized information because it cannot be used to identify any specific individual. (Compare Japan's APPI)

Sensitive Personal Information

The PIPL defines "sensitive personal information" as personal information that may easily lead to the infringement of an individual's personal dignity or cause harm to their person or property. This includes information about:

• Race
• Ethnicity
• Religion
• Politics
• Health
• Biometrics
• Genetics
• Sexual orientation
• Criminal records
• Trade union membership
• Financial accounts
• Individual location tracking
• Personal information of minors under the age of 14

The PIPL imposes additional requirements on the handling of sensitive personal information. For example, handlers must obtain explicit consent from individuals before collecting or using their sensitive personal information, and they must implement stricter security measures to protect this type of information.

How does the PIPL handle consent?

The PIPL in China places a strong emphasis on obtaining clear, informed, and voluntary consent from individuals before collecting or using their personal information. This consent requirement applies to both general personal information and sensitive personal information, which includes information about an individual's race, ethnicity, religion, politics, health, biometrics, genetics, sexual orientation, criminal records, and other sensitive information that may be designated by the Cyberspace Administration of China.

Consent Requirements for General Personal Information

For the collection or use of general personal information, the PIPL requires that consent be obtained in a way that is clear, informed, and voluntary. This means that individuals must be provided with clear and concise information about the purpose for which their personal information is being collected or used, and they must be given a genuine choice to consent or not consent.

Consent Requirements for Sensitive Personal Information

For the collection or use of sensitive personal information, the PIPL requires that consent be obtained in a way that is explicit and separate from consent for the collection or use of general personal information. This means that individuals must be provided with even more detailed information about the purpose for which their sensitive personal information is being collected or used, and they must be given a clear and unambiguous opportunity to consent or not consent.

Additional Considerations for Consent

In addition to the general requirements for consent, the PIPL also sets out a number of additional considerations that handlers must take into account when obtaining consent. These considerations include:

• Consent must be given freely: Handlers cannot use coercion or deception to obtain consent.
• Consent must be given by the individual concerned: Individuals must provide their own consent, and handlers cannot rely on consent obtained from a third party.
• Consent must be revocable: Individuals have the right to withdraw their consent at any time.
• Consent must be recorded: Handlers must keep a record of the consent obtained for the collection or use of personal information.

Who are the individuals and handlers under the PIPL?

In the context of China's PIPL, the terms "individuals" and "handlers" refer to distinct roles with specific rights and responsibilities in the handling and protection of personal information.

Individuals

The PIPL defines "individuals" as natural persons located within the borders of China. This means that the law applies to all personal information collected, used, stored, transferred, or disclosed about individuals who are physically present in China, regardless of their nationality or citizenship. The law's protections extend to both Chinese citizens and foreign nationals residing in China.

Handlers

The PIPL defines "handlers" as organizations and individuals that collect, use, store, transfer, or disclose personal information of individuals located in China. This means that the law applies to any entity that handles the personal data of Chinese residents, regardless of whether the entity is located in China or elsewhere.

The PIPL distinguishes between two types of handlers:

• Personal information processors (PIPs): These are entities that process personal information on behalf of another entity, such as data outsourcing companies.
• Personal information controllers (PICs): These are entities that determine the purposes and means of processing personal information. PICs are ultimately responsible for ensuring that the processing of personal information complies with the PIPL's requirements.

Relationship between Individuals and Handlers

Under the PIPL, individuals have a number of rights regarding their personal information, including the right to access, correct, delete, and object to the processing of their personal information. Handlers are responsible for respecting these rights and complying with the PIPL's requirements to protect individuals' privacy.

The PIPL also establishes a number of obligations for handlers, such as the requirement to obtain clear and informed consent from individuals before collecting or using their sensitive personal information, to implement appropriate security measures to protect personal information from unauthorized access, use, disclosure, alteration, or destruction, and to notify individuals and relevant authorities in case of a data breach.

By establishing a clear framework for the relationship between individuals and handlers, the PIPL aims to protect the privacy of individuals and ensure that their personal information is handled responsibly.

What processing activity is exempt from the PIPL?

The PIPL provides some exemptions from its general requirements. For example, the processing of personal information for the purpose of national security, public security, criminal investigation, judicial prosecution, or public health emergencies is exempt from the PIPL's requirements. Additionally, the processing of personal information for the purpose of scientific research, statistical purposes, or journalistic purposes may be exempt from the PIPL's requirements, provided that certain conditions are met.

How to process international data transfers under PIPL?

The PIPL in China imposes restrictions on the transfer of personal information outside of China, to ensure that the protection of individuals' personal information travels with the data. This is similar to the General Data Protection Regulation (GDPR) in the European Union (EU).

Requirements for International Data Transfers

Under the PIPL, organizations that transfer personal information outside of China must comply with the following requirements:

• Obtain clear and informed consent from individuals before transferring their personal information.
• Transfer personal information only to organizations or individuals in foreign countries that provide an adequate level of protection for personal information.
• Implement appropriate security measures to protect personal information from unauthorized access, use, disclosure, alteration, or destruction during the transfer.
• Notify the Cyberspace Administration of China of the transfer of personal information outside of China.

Adequate Level of Protection

In order to determine whether a foreign country provides an adequate level of protection for personal information, the CAC will consider the following factors:

• The legal framework for the protection of personal information in the foreign country.
• The practices of organizations and individuals in the foreign country with regard to the collection, use, storage, transfer, and disclosure of personal information.
• The technical and organizational measures implemented by organizations and individuals in the foreign country to protect personal information.

If the CAC determines that a foreign country does not provide an adequate level of protection for personal information, organizations will not be able to transfer personal information to that country unless they obtain additional safeguards, such as binding corporate rules (BCRs) or standard contractual clauses (SCCs).

Under what circumstances is a personal information protection impact assessment (PIPIA) required?

A personal information protection impact assessment (PIPIA) is required for organizations that process sensitive personal information, process personal information for purposes that may have a significant impact on the rights or interests of individuals, or process personal information in a manner that may pose risks to the security of personal information.

PIPIAs must be conducted by personal information processors under the following circumstances: (1) processing sensitive personal information; (2) using personal information to conduct automated decision-making; (3) entrusting other parties to process personal information, providing personal information to other personal information processors, or disclosing personal information; (4) transferring personal information out of the Mainland; or (5) carrying out processing activities which have significant impacts on the rights and interests of individuals.

Who enforces the PIPL?

The Cyberspace Administration of China (CAC) is responsible for enforcing the PIPL. The CAC has the authority to investigate and punish violations of the PIPL, and it can impose fines of up to RMB 1 million (approximately USD 155,000) for serious violations.

What are the consequences for PIPL non-compliance?

The consequences for PIPL non-compliance can be severe, including:

• Administrative penalties: The Cyberspace Administration of China (CAC) can impose administrative penalties on organizations that violate the PIPL. These penalties can include fines of up to RMB 50 million (approximately $7.7 million) or 5% of the organization's annual revenue, whichever is greater. The CAC can also order organizations to rectify their violations and suspend their business operations. 
• Criminal penalties: Individuals who are directly responsible for violating the PIPL can be sentenced to up to 7 years in prison. 

In addition to these consequences, organizations that do not comply with the PIPL may also be subject to private lawsuits from individuals whose personal information has been misused.

What are the key requirements for businesses under the PIPL?

Here's a comprehensive overview of the key requirements for businesses under the PIPL:

• Transparency: Organizations must be transparent about their data collection and processing practices. This means providing individuals with clear and easily accessible information about how their personal information is being collected, used, stored, transferred, and disclosed.
• Purpose Limitation: Personal information can only be collected and used for specified purposes. Organizations must clearly define the purposes for which they are collecting personal information and they must not use the information for any other purpose without obtaining the individual's consent.
• Data Minimization: Organizations should only collect and use the minimum amount of personal information necessary for the specified purpose. They should not collect unnecessary or irrelevant personal information.
• Accuracy: Personal information must be accurate and kept up to date. Organizations must take steps to ensure that the personal information they hold is accurate and they must correct any errors that are brought to their attention.
• Security: Organizations must implement appropriate security measures to protect personal information from unauthorized access, use, disclosure, alteration, or destruction. This includes physical, technical, and administrative safeguards.
• Accountability: Organizations are accountable for their compliance with the PIPL. This means that they must be able to demonstrate that they are taking all reasonable steps to comply with the law.

How to comply with China PIPL?

Here are some tips for avoiding PIPL non-compliance:

• Conduct a data inventory: Identify all of the personal information that you collect, use, and store.
• Establish clear and comprehensive policies for data collection, use, storage, transfer, and disclosure.
• Obtain clear and informed consent from individuals before collecting or using their personal information.
• Implement robust security measures to protect personal information from unauthorized access, use, disclosure, alteration, or destruction.
• Establish data breach notification procedures to notify individuals and relevant authorities in case of a data breach.
• Provide training to employees on the PIPL's requirements and data handling practices.
• Conduct regular audits to ensure compliance with the PIPL.

By following these tips, organizations can help to ensure that they are complying with the PIPL and protecting the personal information of individuals located in China.

What is the Data Security Law of the People's Republic of China (DSL)?

The DSL came into effect on September 1, 2021, and focuses on data security across a broad category of data (not just personal information). It applies to all organizations and individuals that collect, use, store, transmit, process, provide, or disclose data within the PRC, regardless of their nationality or location. It also applies to foreign organizations and individuals that collect, use, store, transmit, process, provide, or disclose data of individuals or organizations located within the PRC.

The DSL establishes a framework for the collection, use, storage, transmission, processing, provision, and disclosure of data, and it emphasizes the principles of data sovereignty, data security, data protection, and data utilization. It also grants individuals a number of rights regarding their data, including the right to access, correct, delete, and object to the processing of their data.

Comparison of DSL and PIPL

The DSL and PIPL are two complementary pieces of legislation that work together to protect data in China. The DSL focuses on the overall security of data, while the PIPL focuses specifically on the protection of personal information.

Does GDPR apply in China?

The General Data Protection Regulation (GDPR) is a data privacy law in the European Union. The GDPR does not apply in China, but the PIPL is similar to the GDPR in many ways. Both laws aim to protect the personal information of individuals and grant individuals a number of rights regarding their personal information. To know more about data protection, check out our blog posts on the topic.