Gabriela Kennedy, Partner, and Karen Lee, Counsel, Mayer Brown, highlight key aspects of the Mainland’s much anticipated Personal Information Protection Law.
On 20 August 2021, the Mainland’s Personal Information Protection Law (PIPL) was passed. The new law came into force on 1 November 2021. The PIPL, Cybersecurity Law and the new Data Security Law (which came into force on 1 September 2021), now form the main legal framework governing data security and the handling of both personal and non-personal data in the Mainland.
The PIPL has often been compared with the European Union’s General Data Protection Regulation (GDPR), and while the comparison is largely apt, there are many points of difference between the two regimes. For example, the cross-border transfer restrictions and extraterritorial application of the PIPL are broader than the equivalent provisions in the GDPR. These differences, as well as some of the key aspects of the PIPL, are discussed below.
Scope and extraterritorial effect
The PIPL regulates the processing of personal information of individuals within the Mainland. Personal information is defined as any information relating to identified or identifiable natural persons that is recorded by electronic or any other means, but excluding anonymous data.
The law also expressly applies to any processing activities performed outside the Mainland, if such activities are:
- for the purpose of providing products or services to individuals located in the Mainland
- for the purpose of analysing or evaluating the activities of individuals located in the Mainland, or
- within any other circumstances specified under local laws or regulations.
All data controllers outside the Mainland who engage in such processing activities must establish a dedicated entity or appoint a legal representative in the Mainland to be responsible for all matters relating to the processing of personal information under the PIPL. The name and contact details of such local entity or legal representative will need to be provided to the relevant authority.
Whilst on the face of it the extraterritorial scope of the PIPL appears similar to the GDPR, there are some notable differences. Unlike the GDPR, which applies to the ‘offering’ of goods or services, the PIPL applies to the processing of personal information for the purpose of ‘providing’ products or services to individuals in the Mainland. In the absence of further clarification, the PIPL has the potential of applying to foreign companies that are not specifically targeting individuals in the Mainland but are incidentally providing products or services to them. The local authorities may issue interpretations and measures to provide further clarity on the scope of application of the PIPL.
Data controller and data processor
The responsibilities and requirements under the PIPL are mainly imposed on personal information processors. A personal information processor is any organisation or individual that independently determines the purpose and means of processing personal information, which corresponds to a data controller in GDPR terms. Data controllers remain responsible for supervising the entities to whom they have entrusted the processing of personal information. The parties must agree on the purpose, period and method of processing and the type of personal information covered, as well as the security measures and the rights and obligations of both parties. This should be reflected in an agreement between the parties. The data processor cannot further subcontract the processing of the personal information without the consent of the relevant data controller.
Under Article 59 of the PIPL, data processors are required to adopt necessary measures to protect the personal information entrusted to them in accordance with the PIPL, and other relevant laws and regulations, and to assist the data controller to comply with their obligations under the PIPL. Whilst data processors are potentially not directly regulated under the PIPL in the same way as they are under the GDPR, this Article 59 acts as a reminder that data processors may still be directly subject to the data security requirements under the Mainland’s Cybersecurity Law and Data Security Law.
Grounds for processing
Under the PIPL, personal information may only be processed for a specific and reasonable purpose, and the processing must be directly related to that purpose. Only the minimum amount of data required to fulfil the purpose should be collected, and the excessive collection of personal information is prohibited. Similar to the GDPR, the PIPL imposes general principles of openness and transparency, legality, legitimacy, necessity and good faith. The PIPL also sets out the lawful bases for the processing of personal information. Under Article 13 of the PIPL, data controllers can only process personal information if at least one of the grounds set out below is met.
- The data subjects have provided their consent. To be valid, individuals must provide their fully informed, voluntary and explicit consent. Where laws or regulations require separate or written consent, then this must be obtained.
- The processing is necessary: (a) for the conclusion or performance of a contract to which the data subject is a party; or (b) to conduct human resources management in accordance with labour rules and regulations established by the employer in accordance with the laws or collective contracts signed under law.
- The processing is necessary for the fulfilment of duties or obligations imposed under laws or regulations.
- There is a need to respond to public health emergencies or to protect an individual’s life, health or property in an emergency situation.
- The personal information is being processed for the purposes of conducting news reporting, supervising public opinion or other such activities that are in the public interest and the processing is within a reasonable scope.
- The personal information is already publicly available (either disclosed by the data subject or has otherwise been legally disclosed), and the processing is within a reasonable scope and in compliance with the PIPL.
- The processing is permitted pursuant to other laws and regulations.
Notably, unlike the GDPR, legitimate interest is not a ground for processing under the PIPL. However, the PIPL does specifically include publicly available information and human resources management as grounds for processing, which are absent from the GDPR.
Regardless of the basis of processing relied on by the data controller, the data controller must still explicitly notify the data subjects beforehand of the purpose of processing, the categories of personal information being handled, the mechanisms in which the data subjects can exercise their rights, and so on. The notification must be accurate, clear and easy to understand. Any changes to the original notice must also be notified to the data subjects.
If consent is being relied on as the basis of processing, then separate consent must be obtained if:
- personal information will be provided by the data controller to a third party
- the data controller intends to disclose the personal information publicly
- images and other personal information collected in public areas to safeguard public security (for example, information collected via CCTV or facial recognition technology) will be used for other purposes
- sensitive personal information will be processed, or
- personal information will be transferred outside the Mainland.
What amounts to separate consent has not been defined in the PIPL. It is likely that unbundled and distinct opt-in consent may be required, separate to the general consent collected in relation to the processing of the data subject’s personal information.
With regard to sensitive personal information, this is defined as any personal information that once leaked or illegally used could readily result in harm to the dignity of an individual, or the individual’s personal safety or security of their property. Examples include biometric identification information, religious beliefs, specially designated status, medical health information, financial accounts, tracking an individual’s location and personal information of minors under the age of 14. In this last case, relating to minors, the data controller must obtain the consent of the parent or guardian.
Cross-border data transfers
The PIPL has strict data localisation and cross-border data transfer requirements. Personal information cannot be transferred out of the Mainland unless it is truly necessary for business or other such requirements. Article 38 of the new law sets out a number of conditions that need to be met before any such transfers can be made. These may include having a security assessment conducted by the Cyberspace Administration of China (CAC). Moreover, a major difference to the GDPR is the restriction in the PIPL relating to the provision of personal information stored in the Mainland to any foreign judicial or law enforcement agencies, unless prior approval is obtained from the relevant Mainland authority.
Automated decision-making
Data controllers cannot use any automated decision-making that will result in unreasonable differential treatment of data subjects in terms of price or other transactional terms. It is believed that this provision was added to tackle increasing concerns about big data-enabled discriminatory pricing, which refers to the use of big data to evaluate consumers’ willingness to pay and to charge different prices for the same product based on their established preferences and payment conditions. This is an increasingly common practice and the Mainland has been ramping up efforts to grapple with it. For example, the Anti-Monopoly Guidelines for the Platform Economy issued in February 2021 took aim at such discriminatory treatment. On 27 August 2021, the CAC issued the draft Internet Information Service Algorithm Recommendation Management Regulations, which go one step further and are intended to regulate the use of algorithms by companies to provide recommendations to users.
Data controllers are required to carry out a privacy impact assessment before using personal information for automated decision-making. They need to be transparent about how decisions are made, and are responsible for ensuring that the results are fair and impartial. In certain circumstances, data subjects also have the right to request an explanation of how an automated decision was made and to refuse, or opt out of, the use of automated decision-making.
Rights of data subjects
In line with the GDPR and international practice, the PIPL further strengthens a data subject’s rights by introducing the right to data portability, enabling data subjects to request a data controller to transfer their personal information to another, so long as the transfer meets the requirements established by the CAC. There is no certainty yet as to what these requirements may be. Other rights granted to data subjects under the PIPL are substantially similar to those under the GDPR, such as the right to access and correct data, the right to erasure, the right to object and restrict the processing of data, the right to withdraw consent, and so on. Further guidance will need to be provided on how data controllers must comply in practice with the exercise of these data subject rights.
Additionally, data subjects are entitled to seek recourse from the courts in the event that their requests to exercise their rights under the PIPL are rejected by a data controller. A data subject’s rights are also extended to allow a deceased person’s next of kin to access, copy, correct and delete the deceased person’s personal information for their lawful and legitimate interests.
Obligations of large internet platform service providers
Additional obligations are placed on data controllers that provide important internet platform services to a large number of users and/or operate complex business models. These include the need to establish an independent body (mainly consisting of external personnel) to oversee the data controller’s processing activities, and to stop providing services to any party that offers products or services via the data controller’s platform and is in serious violation of the relevant laws and regulations governing personal information. It is still unclear what would constitute a large number of users or a complex business model. Further measures or regulations will be required to shed light on this requirement.
Data breach notification
Under Article 57 of the PIPL, if any leak, tampering or loss of personal information has or may have occurred, the data controller must immediately deploy remedial measures and notify the relevant local authorities and data subjects. It is important to note that this notification obligation arises even if the data incident is just a mere possibility. Currently, there is no clarification as to the degree of likelihood that a data incident may have occurred in order for the notification obligation to be triggered, for example, reasonably likely or mere suspicion. The notification obligation also applies even if there has been no data leak – if the personal information has been altered or tampered with, then this will require notification.
Data controllers can elect not to notify affected data subjects if they determine that they have taken measures that effectively prevent the data subjects from suffering any harm from the data incident. However, this decision can be overridden by the relevant authority, who can still decide that notification to the data subjects is required. Unlike the GDPR, the PIPL does not specify an exact deadline or time limit within which to notify the relevant authorities or data subjects. This may change once further measures or regulations are issued relating to the implementation of the PIPL.
Data controllers should also note that unlike the GDPR, there is no obligation under the PIPL for data processors to notify their data controllers in the event of any data incident. It is therefore vital that such obligation is incorporated in any data processing agreement between the parties, as the data controller will still remain liable for any failure to notify the relevant authorities or data subjects.
Penalties
Breach of the PIPL can incur administrative fines of up to RMB50 million or 5% of the data controller’s annual revenue for the previous year. Unlike the GDPR, it is unclear whether this revenue is calculated based on the data controller’s global revenue, or only the revenue generated in the Mainland. In addition to fines, other penalties include rectification orders, warnings, confiscation of illegal gains, suspension or cessation of services, cessation of operations, revocation of permits or business licences, or entering the data controller on a credit list. The local authorities also have the specific power to take steps against any foreign organisation that is seen as engaging in processing activities that harm the rights and interests of Chinese citizens or which endanger national security or the public interest, such as prohibiting Chinese entities from providing any personal information to it. Persons-in-charge and other directly responsible personnel may also be held personally liable and fined, or prohibited from acting as directors, supervisors, senior managers or personal information protection officers.
While the PIPL resembles the GDPR, the PIPL appears to be one of the world’s most stringent personal data protection laws and its far-reaching effect may make it more challenging for companies, especially those with global operations, to ensure compliance. As the PIPL has just come into effect, companies are encouraged to review and update their privacy and compliance policies, align with suppliers, and have proper technical solutions integrated into their operational system in order to satisfy the requirements under PIPL. A sharp eye should also be kept out for any guidelines, measures or regulations likely to be issued by the authorities to flesh out the implementation of different aspects of the PIPL.
Gabriela Kennedy, Partner, and Karen Lee, Counsel
Copyright: Mayer Brown