China's Personal Information Protection Law (PIPL) is a data protection law that affects individuals around the world.
The structure and concepts of PIPL are very similar to existing laws in other regions, most notably the EU's GDPR, though with some significant practical differences. As with the GDPR, the PIPL can affect businesses around the world.
Here's what you need to know.
- 1. Background to the PIPL
- 2. Key Concepts of the PIPL
- 3. When the PIPL Applies
- 4. Key Definitions of the PIPL
- 5. Individual's Rights Under the PIPL
- 6. Lawful Bases for Processing Under the PIPL
- 6.1. Consent
- 6.2. Other Legal Bases
- 7. Other Requirements of the PIPL for Processors
- 7.1. Be Open and Transparent
- 7.2. Data Retention
- 7.3. Data Transfers Outside of China
- 7.4. Working With Other Organizations
- 7.5. Administration and Compliance
- 8. Penalties for Breaching the PIPL
- 9. Summary
Background to the PIPL
In 2020, China passed a Civil Code which took effect on 1 January 2021. It brought together China's civil (non-criminal) rules and regulations for the first time, including rights and responsibilities regarding privacy.
China then began developing a specific data privacy law, the PIPL, designed to build on the Civil Code and address the specific issues involved in personal data.
A second round of consultation is now complete, with the most likely timetable being a final draft published in late 2021 and legislation taking effect at some point in 2022.
Key Concepts of the PIPL
The central points of the PIPL are very similar to those of the GDPR, namely:
- Individuals have several rights over their personal data
- Processing personal data is only lawful under specific conditions (bases), the most prominent being consent from the individual concerned
- Businesses that process data have several obligations besides only processing personal data lawfully.
When the PIPL Applies
The PIPL applies in three main circumstances:
- The processing takes place in China
- The processing is done as part of offering or providing products or services to people in China, and/or
- The processing is done as part of analyzing or assessing people in China
The latter two apply even where either the processor or the processing (or both) is physically outside of China. How this works in practice remains to be seen and may depend on the approach of enforcement officials. For example, it's unclear if they'll work on the basis that:
- A non-Chinese website that accepts international orders is covered by the PIPL unless it explicitly blocks orders from Chinese addresses, or
- A non-Chinese website that accepts international orders is exempt from the PIPL unless it expressly markets to customers in China, for example by listing prices in Chinese currency
For example, Highborn would definitely be exempt as it intentionally blocks orders from China.
Meanwhile Planete Chocolat would definitely be covered as it explicitly offers products to customers in China.
It's also not clear how the rules will be enforced for digital services such as online subscriptions where the user doesn't need to provide a physical address.
Key Definitions of the PIPL
Some key terms in the PIPL have definitions similar to those in the GDPR. For example, "processing" covers any use of personal data, including collecting and sharing.
"Personal information" is any information relating to an identified or identifiable natural person. That means that data must relate to a human rather than a legal entity such as a corporation. The rules on lawful processing only cover data about living people. However, unlike GDPR, close relatives can exercise the data rights that were held by a deceased person, for example to ask that outdated data be deleted.
The PIPL refers to the person or business that makes decisions about how to process data as the "data processor." The second draft of the PIPL introduces the concept of an "entrusted party," meaning a person or business that physically processes data under the instruction of a data processor.
(The PIPL's "data processor" is therefore equivalent to the GDPR's "data controller," while the PIPL's "entrusted party" is equivalent to the GDPR's "data processor.")
Individual's Rights Under the PIPL
The PIPL sets out key rights that individuals can exercise regarding their personal data:
- To know when and how their personal data is processed
- To request and receive a copy of the personal data that a data processor holds
- To correct inaccurate or incomplete information
- To complain about a breach of the PIPL
- To object to automated decision making (such as profiling)
- To object to their personal data being used for direct marketing
Individuals also have the right to tell a data processor to delete data if:
- It's no longer needed for the original purposes
- The individual was a customer but no longer receives products or services from the organization
- The individual withdraws consent
- The organization gave an expiry date for the processing and that date has been reached
- The organization has breached any relevant contract or laws, including the PIPL itself
For example, Dawson & Sanderson details several retention periods. Under the PIPL, users could insist on a processor sticking to such timescales.
The explicit inclusion of these rights in the PIPL could affect how officials or courts rule on any ambiguities or disputes about how the law works in specific cases.
The precise rules on how individuals can exercise their rights, such as how quickly data processors must comply with a request to do so, are not yet confirmed.
Remember that a deceased person's close relatives can exercise these rights regarding the deceased person's data. Exactly what counts as a close relative isn't yet confirmed.
Lawful Bases for Processing Under the PIPL
As with several other privacy laws, the PIPL uses the "lawful basis" system. This means that rather than outlawing specific forms of processing, the law says you can only process personal information where a particular basis applies.
Consent
The first basis, which is likely to be the most commonly used, is that the data subject has consented. The consent must be freely given, meaning the person had a true choice in the matter. You cannot refuse to serve a customer who chooses not to consent unless the processing in question is necessary for the product or service. It must also be informed consent, meaning you've told the user about the processing beforehand.
Unlike some privacy laws, the PIPL doesn't offer too much detail about how the user gives consent and there's no requirement for it to be active or affirmative. This means it could be lawful to use opt-out methods where you can assume consent unless the individual objects.
As well as objecting initially, individuals have the right to withdraw consent at any time.
The main exception to these principles is if the processing covers sensitive information. This means information that could lead to physical or property damage or discrimination if used or accessed unlawfully. For this processing you will normally need active, written consent.
Under the PIPL, children aged under 14 can't give consent. Instead you'll need consent from a parent or guardian.
Other Legal Bases
The PIPL sets out six acceptable legal bases other than consent:
- A law requires the processing to take place
- The processing only involves publicly available information. (This basis isn't unlimited and instead must be 'reasonable' processing for these purposes.)
- The processing is necessary to carry out a contract between you and the data subject
- The processing is done for news reporting or public supervision. (This basis isn't unlimited and instead must be 'reasonable' processing for these purposes.)
- The processing is necessary to carry out a legal requirement or use a legal power.
- The processing will protect people's health or proprietary interests in an emergency.
Other Requirements of the PIPL for Processors
The PIPL sets out several other things that data processors must do.
Be Open and Transparent
Data Retention
You must only keep personal data for as long as necessary to carry out the purpose for which you collected it. The only exception is if a law says you must keep it for longer.
Data Transfers Outside of China
You must inform the data subject and get their consent before transferring their data outside of China. You must tell them who will get the data, how to contact them, how the third party will use the data, and how the data subject can exercise their rights over the third party's processing.
Before transferring the data you must use at least one method to make sure it remains secure in the other country.
Acceptable methods include the following:
- Carry out a risk assessment under China's cybersecurity laws
- Get a certification from a body approved by China's cybersecurity authorities
- Get the recipient to sign an agreement on what steps they will take to secure the data and how you'll confirm they have followed the measures of the PIPL. (The Cyberspace Administration of China will produce a standard contract that can be used for these purposes.)
Huawei's explanation to customers of how it protects data transferred outside of Europe is a good model for informing Chinese customers when the PIPL takes effect.
Working With Other Organizations
You can work with another organization and jointly decide how to process personal information. In this situation you must have a written agreement that sets out who has what legal responsibility.
If you use another organization to carry out processing on your behalf (and in line with your instructions), you must have a contract setting out the respective responsibilities. This contract must require the other organization to follow the PIPL.
Administration and Compliance
The PIPL says you must have appropriate administrative measures and procedures to make sure you process data securely and legally. This can include security measures such as encryption (including planning and testing for security breaches) and staff training.
Although the PIPL does not specifically require this, it can boost confidence and trust among customers if you detail your security measures, as Privacy International does.
You must carry out a risk assessment and keep it on file for three years in several situations:
- You process sensitive personal information
- You use personal information for automated decision making
- You pass on personal information to a third party, including to process data on your behalf
- You transfer personal information outside of China
If you are based outside of China but come under the PIPL, you must appoint somebody based in China to represent you. They'll be responsible for compliance.
Some organizations will have to appoint somebody to manage their data processing and tell the relevant authorities who this person is. The precise details for how this will work are not yet confirmed.
There'll be special rules for online platform services with a large number of users, such as social media companies. They'll need to create an external and independent body to supervise their data processing. They'll also need to publish "social responsibility reports."
Penalties for Breaching the PIPL
Breaching the PIPL can lead to a fine from a "competent authority." The size of the fine will be "proportional" based on the nature and circumstances of the breach. In cases that caused harm to data subjects, it's up to the data processor to prove they are not at fault for the breach.
The maximum fine allowed under the PIPL is 50 million Chinese yuan or five percent of annual turnover in the previous financial year.
These fines do not override the possibility of civil or criminal penalties if the breach also breaks any other laws in China.
Summary
Let's recap what you need to know about China's Personal Information Protection Law.
- The PIPL is in its final consultation stage and is likely to take legal effect in 2022.
- It applies to processing of personal data done in China. It also covers processing outside of China in the course of offering products or services to people in China or analyzing people in China.
- Personal data covers identified or identifiable humans. The close relatives of a deceased person can exercise the rights the person held over their data. Processing means any use, collection or disclosure.
- The PIPL uses the term "data processor" to mean the organization that decides how to process data while an "entrusted party" physically processes data while following a data processor's instructions.
- The PIPL gives individuals rights including knowing about, seeing and correcting the data a processor holds about them, complaining about breaches, and objecting to automated decision making or direct marketing using their data.
- Individuals can also ask processors to delete data when it's no longer needed for the original purpose, the original deadline for holding the data has passed, the individual is no longer a customer, or the individual has withdrawn consent.
- The PIPL only allows data processing where a lawful basis applies. The most common is consent. This must be freely given and informed, though not necessarily active, so opt-out systems may be allowed. Processing sensitive personal information needs active, written consent. Children aged under 14 can't consent so you'll need parental or legal guardian consent instead.
- Other lawful bases include that the information is publicly available, that the processing is for news reporting, that the processing is legally or contractually required, and that the processing can protect health in an emergency.
- Data processors must get consent before transferring data outside of China. They'll need to make sure it remains safe, for example through risk assessment, certification or a binding agreement with the recipient.
- Data processors must have procedures to make sure processing is lawful and personal data is secured.
- Some organizations will need to appoint an individual to manage their data processing, though details aren't yet confirmed. Organizations outside of China who come under PIPL must appoint a representative in China.
- The maximum penalty for a breach is 50 million Chinese yuan or five percent of annual turnover in the previous financial year.