China’s Personal Information Protection Law (PIPL)

The Personal Information Protection Law (PIPL) is a comprehensive data protection regulation in China. It governs the collection, use, and processing of personal data of Chinese citizens. This article provides a complete overview of China’s data protection regulation. 

The People’s Republic of China has implemented the Personal Information Protection Law to protect the rights and interests of Chinese residents with respect to their personal information. The law governs data processing activities that involve the personal information of people living in Chinese territory.

If you are doing business in China or processing the personal data of Chinese residents, you should be well informed about the Personal Information Protection Law. We will also provide you with guidelines on how to comply with the law.

So, let’s get started.

What is PIPL?

The Personal Information Protection Law is the principal data protection law in the People’s Republic of China that governs the processing of personal data of Chinese citizens. The law was enacted on 20 August 2021 and came into force on 01 November 2021.

PIPL establishes a framework for the lawful processing of personal data. It grants several rights to individuals to protect their personal data, and it sets out the key obligations of organizations involved in processing the personal data of individuals.

Key Definitions Under PIPL

Here are some of the key definitions mentioned in the Personal Information Protection Law.

  • Personal information: Personal information means any information related to an identified or identifiable natural person, collected or stored electronically or by other means. This excludes anonymized information.
  • Sensitive personal information: Sensitive personal information means any information that can potentially cause harm to the personal dignity and safety of an individual. It includes biometrics, religious beliefs, specific identities, medical health, financial accounts, etc. The personal information of children under the age of fourteen is also considered sensitive personal information under PIPL.
  • Personal information processors: Personal information processors include organizations and individuals that independently decide the purpose and methods of processing personal information.
  • Automated decision-making: Automated decision-making refers to the process of automatically analyzing and evaluating an individual’s behavioral habits, interests, or social, economic, or health status through computer programs and making decisions based on that.
  • De-identification: De-identification is the process of making identifiable information non-identifiable so that it cannot be used to identify a specific individual.
  • Anonymization: Anonymization refers to the process of hiding the unique identifier from personal information so that it cannot be used to identify a specific natural person.

Applicability of PIPL

The Personal Information Protection Law applies to the processing of personal information of natural persons within the territory of the People’s Republic of China. It also extends the applicability outside China if the data processing happens under any of the following circumstances:

  1. To provide products or services to citizens in China
  2. To analyze and evaluate the behavior of citizens of China
  3. Other situations mentioned in laws and regulations

This law does not apply to individuals handling personal data for personal or family affairs.


What Are the Data Rights Under China’s PIPL?

The PIPL grants the following rights to individuals regarding the processing of their personal data.

Right to know: Individuals have the right to know about the processing of their personal data. They also have the right to restrict the processing of personal data unless required by laws and regulations.

Right to access or copy: Individuals have the right to request access to, or a copy of, the personal information they have shared with the organization. Upon receiving the request, organizations should provide the information as early as possible.

Right to request correction: Individuals have the right to request the correction of their personal information shared with the organization. Organizations should verify the personal information and ensure the accuracy of the information.

Right to request deletion: Individuals have the right to request the deletion of personal data under the following circumstances:

  • The purpose of the data processing is achieved, cannot be achieved, or the data is no longer necessary for the purpose
  • The organization stopped delivering the products or services, or the retention period is over
  • The individual withdraws consent
  • When the processing is unlawful or violates any law or agreement
  • Other circumstances mentioned in laws and regulations

Right to an explanation: Individuals have the right to ask organizations to explain their personal information processing rules.

Right to access and control the data of a deceased person: Close relatives have the right to access, copy, correct, or delete the personal information of a deceased person, unless the deceased made other arrangements before death.

Organizations should establish an effective mechanism for individuals to assert their rights. If an individual’s right is denied, a valid reason must be provided and communicated to the person.

Any unjustified restriction on data rights may lead to legal action, allowing individuals to file a lawsuit against the information processor in the People’s Court as per the law.

What Are the Key Obligations of Data Processors Under PIPL?

Following are the key obligations of personal information processors under PIPL.

1- Implement Proper Data Protection Measures

Personal information processors should implement proper measures to ensure that personal information is protected from data breaches. Below are some guidelines to follow:

  • Establish internal management rules and operating procedures;
  • Manage personal information by category;
  • Adopt technical security measures such as encryption or anonymization;
  • Control access to personal information and train employees on how to keep it secure;
  • Maintain a data breach response plan for security incidents involving personal information;
  • Follow any other rules set by laws and regulations.

2- Appoint Personal Information Officer

Organizations that handle personal information should appoint a person who will be responsible for supervising personal information processing activities. The person will also be responsible for ensuring proper security measures are in place to protect the personal information. Organizations should share the contact details of the person in charge of data protection with the individuals.


3- Appoint a Chinese Representative for Cross-Border Data Transfer

Organizations outside the territory of the People’s Republic of China are required to appoint a Chinese representative if they are processing the personal data of Chinese residents. This representative should handle personal data protection matters and manage cross-border data transfer.

4- Conduct Regular Audits for Compliance

Organizations that handle personal information must regularly conduct audits to ensure compliance with laws and administrative regulations.

5- Conduct Impact Assessments

Organizations should conduct an impact assessment on personal information protection for the following cases:

  • Handling sensitive personal information
  • Using personal information for automated decision-making
  • Outsourcing the processing of personal information, sharing it with other processors, or disclosing it
  • Transmitting personal information internationally
  • Other processing activities that significantly affect personal rights and interests

The impact assessment should consider the legality, legitimacy, and necessity of processing methods. It should also evaluate the impact on personal rights, security risks, and the effectiveness and legality of protective measures in relation to the risk level. Additionally, reports and records from these assessments should be maintained for a minimum of three years to ensure accountability and compliance.

6- Data Breach Reporting

In case of data breaches, an organization should take immediate action and inform the concerned authorities.

The data breach notification should include the following details:

  • The nature and origins of potential or actual leaks of personal information, along with the associated risks.
  • The actions undertaken by the organization to address the situation and the measures individuals can take to mitigate potential harm.
  • Contact details of the personal information processor.

If the implemented measures effectively prevent the potential harm, notifying individuals is not mandatory. However, if the department overseeing personal information protection believes harm may still occur, it retains the authority to require the organization to notify the individuals.

7- Obligations for Large-Scale Data Processors

Organizations that handle large amounts of personal data of individuals should follow the below obligations:

  • Establish a personal information protection compliance system in accordance with national regulations, and set up an independent body composed of external members to supervise how personal information is protected.
  • Ensure openness, fairness, and impartiality. Publish clear rules for their online platform and explain how they handle personal information. They should also make clear the personal information protection responsibilities of third parties, such as companies or services, that use their platform.
  • If companies or services on their platform violate the law, they should stop providing services to them.
  • Regularly publish reports on how they’re taking care of personal information and accept social supervision.

8- Obligations for Entrusted Parties

A party entrusted to handle personal information on behalf of another organization should comply with PIPL and other related laws. It should take the necessary steps to keep that personal information secure and should help the entrusting organization meet its obligations.

Departments Performing Personal Information Protection

The Personal Information Protection Law is regulated by the Cyberspace Administration of China. Other departments, such as the Ministry of Public Security, the State Administration for Market Regulation, and the Ministry of Science and Technology, also have the authority to enforce the law.

Below are the responsibilities of the departments performing personal information protection in China:

  • Spread awareness and educate people about protecting personal information. Guide and oversee those managing personal information to ensure they follow proper protection procedures.
  • Receive and address complaints and reports related to protecting personal information.
  • Coordinate and assess applications for personal information protection, sharing the evaluation outcomes.
  • Investigate and take action against any illegal handling of personal information.
  • Fulfill other responsibilities specified in laws and administrative regulations.

How to Comply with PIPL for Businesses?

Follow the below guidelines to comply with PIPL:

  • Inform users about what data is collected, why it is collected, and who has access to the data.
  • Obtain prior consent from site visitors for collecting and processing personal data.
  • Obtain explicit consent for collecting sensitive personal information.
  • Collect personal information only for the specified purpose.
  • Implement proper security measures for protecting personal data from potential breaches and unauthorized access.
  • Conduct regular impact assessments to find any potential threats to personal information.
  • Establish a breach response mechanism; in case of a data breach, inform the affected individuals and the concerned authorities.
  • Appoint a data protection officer to manage compliance and address concerns from individuals.
  • If you are using third-party services, make sure they comply with the regulations.
  • For cross-border data transfer, appoint a Chinese representative for handling personal data and managing compliance.


Regulations for Cross-Border Data Transfer

The People’s Republic of China (PRC) has drafted some regulations for cross-border data transfer. Below are the major obligations for cross-border data transfer:

  • Providing the personal information of more than 10,000 but fewer than 1 million individuals overseas requires either a standard contract for export, filed with the provincial cybersecurity department, or certification. For more than 1 million individuals, a data export security assessment is required, along with individual consent.
  • Free trade pilot zones can draft their negative lists for data export regulations, excluding listed data from security assessments, standard contracts, or certification requirements.
  • State agencies and critical infrastructure operators providing personal information or important data overseas must comply with relevant laws and regulations.
  • Data processors exporting important data and personal information overseas must comply with legal provisions.
  • Local cybersecurity departments must supervise data export activities, ensuring compliance and rectifying risks or incidents promptly to maintain data security.

Exceptions to data export security assessment, standard contract for personal information export, or personal information protection certification include:

  • Providing personal information overseas for completing a contract (e.g., cross-border shopping, remittances).
  • Implementing human resources management as per labor regulations and collective contracts.
  • Providing personal information overseas to safeguard life, health, and property in emergencies.
  • Providing the personal information of fewer than 10,000 individuals overseas within a year requires no data export security assessment, standard contract, or certification, except when the transfer is based on individual consent.

Fines and Penalties for Non-compliance with China’s PIPL

The violation of PIPL guidelines may result in fines of up to 1 million yuan for the directly responsible person in charge and fines ranging from 10,000 to 100,000 yuan for other responsible personnel.

For severe violations, the personal information protection authority at or above the provincial level may order corrections, confiscate gains, and impose fines up to 50 million yuan or 5% of the previous year’s turnover. It can also suspend business, revoke licenses, and ban responsible individuals from specific roles.

Conclusion

The Personal Information Protection Law governs the processing of personal information of Chinese citizens. It applies to all types of personal data processing activities in China and the processing of personal data of Chinese citizens outside the territory of China.

The law grants several rights to individuals to protect their personal data, similar to GDPR. It also lists several obligations for organizations handling the personal data of Chinese citizens. The Cyberspace Administration of China is responsible for regulating the law, and there are many state departments responsible for enacting the regulation. 

We hope this article has provided you with enough information on China’s principal data protection regulation. If you have any queries, drop them in the comments section; we’d be happy to help you.

Disclaimer: This article was written based on a translated version of China’s Personal Information Protection Law. It was intended for informational purposes only and does not represent legal advice. We have no intention of obtaining any kind of attorney-client relationship. If you are looking for legal advice, we recommend you contact a professional.

Article by

Content Writer @ WebToffee. Specialized in WordPress and eCommerce. When I am not writing, I enjoy my downtime with a good cup of coffee and a movie.