China Regulation – Personal Information Protection Law (PIPL)

This is part of ongoing series of articles covering the recent changes in policy & regulation that will impact how companies do business in China. Last month we covered Anti-monopoly, this month we will be talking about PIPL – Personal Information Protection Law.

On Aug 20, the Standing Committee of the National People’s Congress passed China’s first comprehensive data privacy law, the “Personal Information Protection Law”, which will come into effect on Nov 1, 2021. The PIPL is the first comprehensive national-level personal information protection law in China. Together with the Cybersecurity Law, and the Data Security Law, PIPL forms the three pillars of China’s comprehensive data protection legal regime.

Dubbed the strictest personal privacy law in the world, PIPL is influenced by Europe’s GDPR. The PIPL is a framework law that is not intended to provide granular detail on the majority of the policy matters it covers, but rather sets out broad principles, objectives, mandates, and responsibilities. The law’s focus is on protecting individuals, society, and national security from harms stemming from abuse and mishandling of personal information—targeting both the private sector and government functions.

The final text of the PIPL is the culmination of years of legislative work and policy debate in China. Although it retains most of the major features of the first NPC draft, published last year, the law underwent significant revisions.

Some of the key areas of interest for marketers include –

Cross-Border Data Transfer

The PIPL will have an extraterritorial effect and will apply to the following processing activities:

• processing, within China, of personal information of natural persons; and

• processing, outside of China, of personal information of natural persons who are in China, if such processing is:

1. for the purpose of providing products or services to natural persons in China;
2. to analyze/evaluate the behavior of natural persons in China; or
3. other circumstances prescribed by laws and administrative regulations.

If a company outside of China conducts processing activities as described above, the PIPL requires that it set up a special institution or designate a representative in China for handling personal information protection matters, and report the name and contact details of such institution or representative to the Chinese authorities.

Under the PIPL, sensitive personal information is defined as personal information that may lead to harm to the dignity of natural persons or serious harm to the safety of persons or property if disclosed or unlawfully used. Examples include – biometric characteristics, religious beliefs, specifically designated status, medical health, financial accounts, and individual location tracking.

Now minors’, under age 14, personal data is considered sensitive. This “sensitive” designation means, in addition to the typical privacy law requirement to obtain a parent or guardian’s consent for handling minors’ data, China’s PIPL limits the processing of minors’ data to when “there is a specific purpose and a need to fulfill and under circumstances of strict protection measures”.

Automated Decision-Making

The PIPL defines “automated decision-making” as “the activity of using computer programs to automatically analyze or assess personal behaviours, habits, interests, or hobbies, or financial, health, credit, or other status, and make decisions”. PIPL requires personal information handlers to “not engage in unreasonable differential treatment of individuals in trading conditions” and specifically prohibits price discrimination through automated decision-making. In addition, the final law requires opt-out methods to be “convenient.”

Legal Liability

The PIPL imposes significant penalties for serious violations, including rectification orders, confiscation of illegal gains, business suspension, revocation of business licenses, and, most notably, fines of up to CNY 50 million or 5% of turnover in the previous year.

Additionally, the directly responsible person inside such personal information processor and other directly responsible persons can incur personal fines between CNY 10,000 and CNY 100,000, and can be prohibited from holding certain management and director positions for a certain period

Meanwhile, the PIPL implicitly recognizes the potentially heavy compliance burdens for small data handlers who may pose comparatively limited risks to individuals. Article 62 authorizes regulators to “formulate specialized personal information protection rules and standards for small-scale personal information handlers,” but the PIPL does not define “small-scale.”