China – Personal Information Protection Law

The top legislative body in the People’s Republic of China passed the Personal Information Protection Law on August 20, 2021. It is China’s first comprehensive law in personal information protection domain and is based on China’s Constitution. It is effective from November 1, 2021.

The main objective of PIPL are as follows:

• To protect the rights and interests of individuals.
• To regulate processing activities possessing personal information.
• To promote the rational use of personal information.
• To facilitate reasonable use of personal information.

This law applies to the processing of personal information of natural persons within the territory of the People’s Republic of China.

This law also applies to the processing of personal information of natural persons outside the People’s Republic of China under any of the following circumstances:

• For the purpose of providing products or services to domestic natural persons.
• Analyze and evaluate the behavior of natural persons in the territory.
• Other circumstances stipulated by laws and administrative regulations.

• Personal Information: Personal information is a variety of information related to an identified or identifiable natural person recorded electronically or by other means, excluding anonymized information. (Article 4)
• Processing of Personal Information: The processing of personal information includes the collection, storage, use, processing, transmission, provision, disclosure, deletion, etc., of personal information. (Article 4)
• Sensitive Personal Information: Sensitive personal information is personal information that, once leaked or used illegally, can easily lead to the infringement of the personal dignity of natural persons or the harm of personal and property safety, including biometrics, religious beliefs, specific identities, medical health, financial accounts, Information such as whereabouts, as well as personal information of minors under the age of fourteen. (Article 28)

Under PIPL, individuals have the following rights:

1. Right to know: Individuals have the right to know and make decisions about the processing of their personal information. (Article 44)
2. Right to restrict or refuse the processing of their personal information: Individuals have the right to restrict or refuse the processing of their personal information by others. (Article 44)
3. Right to data portability: Individuals have the right to consult and copy their personal information to the personal information processor. (Article 45)
4. Right to recertify/rectify: If an individual discovers that his personal information is inaccurate or incomplete, he has the right to request the personal information processor to correct or supplement it. (Article 46)
5. Right to deletion: Individuals have right to deletion to personal information. (Article 47)
6. Right to understand the processing rules of processor: Individuals have the right to request personal information processors to explain their personal information processing rules. (Article 48)

Processing of Personal information shall be valid only if one of the following circumstances is met:

1. Personal consent: Obtained personal consent.
2. Performance of a contract: Necessary for the conclusion and performance of a contract in which an individual is a party, or necessary for the implementation of human resource management.
3. Statutory duties or statutory obligations: Necessary to perform statutory duties or statutory obligations.
4. Vital interest: Necessary to respond to public health emergencies, or to protect the life.
5. Public interest: Carry out news reports, public opinion supervision and other acts for the public interest.
6. Self-disclosed or legally disclosed personal information: Processing personal information disclosed by individuals or other legally disclosed personal information.
7. Other circumstances stipulated by laws and administrative regulations.

If the processor needs to provide personal information outside the People’s Republic of China due to business needs, it shall meet one of the following conditions:

1. Provide individuals with certain specific information about the transfers and obtaining separate consent.
2. Adopt necessary measures to ensure that the overseas recipients can provide the same level of protection as required under the PIPL.
3. Carry out a personal information protection impact assessment.
4. Other conditions stipulated by laws, administrative regulations, or the national cyberspace administration department.

In the following situations, personal information protection impact assessment is required to be conducted in advance and record the processing situation:

1. Processing sensitive personal information.
2. Using personal information to make automated decision-making.
3. Entrust the processing of personal information, provide personal information to other personal information processors, and disclose personal information.
4. Providing personal information abroad.
5. Other personal information processing activities have a significant impact on personal rights and interests.

If a processing entity violates the requirements under the PIPL, regulators may order it to take corrective actions, issue warnings, confiscate illegal income, suspend services or issue a fine. The fine can be up to 50 million RMB or 5% of an organization’s annual revenue for the prior financial year (Article 66).

Further, the processing entities shall be liable for infringement of rights and interests of personal information (Article 69). If the processing entities infringe the rights and interests of a large number of individuals, the People’s Procuratorate and other designated organizations may file public interest lawsuits (Article 70).