The Complete Guide to China’s Personal Information Protection Law (PIPL)
May 20, 2021
This article was written by Pacific Prime, an insurance advisor that offers solutions for people and businesses all over the world.
Data privacy regulations have taken center stage in many countries, and things are no different in the People’s Republic of China, where the draft Personal Information Protection Law (PIPL) was released for review in October 2020. A second version of the draft PIPL was issued on April 29, 2021, and will be open for public comments until May 28, 2021. Although the overall framework of the PIPL is unchanged, the second draft introduces some minor changes.
There has been no news regarding when the law will be promulgated, but when it is, it will be the first comprehensive law of its kind in the country. This law will impact how businesses engage with residents of China, so it’s important to be aware of what it entails.
Laws protecting personal information are complex, so mechanisms have been established that allow employers to adhere to the regulations in a reasonable manner. Although the PIPL draft is much shorter than the similar General Data Protection Regulation (GDPR), it will require the same diligence and understanding to ensure adherence and avoid penalties.
PIPL: A More Comprehensive Piece of Legislation
Currently, China’s Cybersecurity Law (CSL), which came into effect in 2017, oversees the protection of personal information. The CSL focuses on the protection of information in cyberspace and the protection of critical information infrastructure, as well as the regulation of network operators. As big data industries have gained traction in recent years, the need for more comprehensive legislation grew, paving the way for the draft PIPL.
Inspired by (though not identical to) the GDPR in the EU, the PIPL draft comprises 8 Chapters with 70 articles, setting out:
- Data protection principles
- Rules for processing of “personal information” and “sensitive personal information”
- Rights of individual data subjects
- Penalties for breaches
What Businesses Should Know
Businesses need to be aware of what the draft PIPL entails so they can be prepared for the changes. Under the PIPL draft, the employer is considered the processor. Therefore, it is the employer who will determine the purpose and method of processing the employees’ personal information (PI). This concept is similar to the data controller under the GDPR.
The main responsibilities of the processor are divided into two aspects: the organizational and the technical. The processor must ensure the security of PI throughout the life cycle to minimize any exposures.
Rules will apply outside China’s borders
The rules regarding the processing of an individual’s personal information will apply outside China’s borders if:
- The personal information in question belongs to an individual within China
- The information is needed for analyzing an individual’s activities within China’s borders
- Personal information needs to be processed due to legislative or administrative regulations
Given this, businesses that would be affected by the PIPL should consider appointing a specified data protection officer or representative in China to oversee the handling of personal information.
Circumstances for handling of personal information
Other than obtaining an individual’s consent (more on this below), a business can collect and process an individual’s personal information in any one of the following circumstances:
- It’s necessary to either:
- Enter into or perform a contract involving the individual
- Comply with duties or obligations as per the law
- Respond to sudden public health incidents, or
- Protect the lives, health and property security of an individual in an emergency
- The handling of personal information is for news reporting and scrutiny of public opinion for public interest
- Other circumstances prescribed by law or administrative regulations
Individuals will have more rights and protection
Individuals must provide clear and voluntary consent for the use of their data. In addition, individuals can revoke consent and must be asked for consent again if there are changes in the purpose or method of handling or in the kind of personal information being handled.
This extends to publicly available personal information if the use of the information is not in line with its original purpose. Sensitive personal information, meaning information that may cause discrimination or damage to an individual if it is breached, also requires separate, stand-alone consent.
Right to be informed
Individuals also have the right to be informed on matters including, but not limited to:
- Identity and contact information of their personal information handler (more on this below)
- Identity and contact information of a third party (more on this below), if their personal information needs to be transferred to a third party due to a merger or demerger
- Purpose and method of handling the personal information, as well as the kind and duration of information held
- Rights of the individual
- The necessity of handling sensitive personal information and the impact of this on the individual
Businesses must be transparent in handling personal information and must not withhold the aforementioned information from individuals. They must obtain consent from the individual and cannot refuse to provide a product or service because an individual declines to consent.
Personal information handlers will be regulated
A personal information handler is the entity who decides the purpose and manner of handling an individual’s personal information, whereas a third party is the entity who receives an individual’s personal information from the personal information handler.
If a third party receives an individual’s personal information, the individual should be informed, in line with the individual’s right to be informed. Furthermore, if a third party receives this information in anonymized form, it may not attempt to uncover the identity of the individual.
Cross-border transfers of personal information may be allowed in some cases
Personal information should be stored within China’s borders. However, in some cases, it can be transmitted abroad if the personal information provider fulfills one or more of the following criteria:
- Provider passes the security assessment conducted by the Cyberspace Administration of China (CAC)
- Provider obtains certification of data security by a professional body recognized by the CAC
- Provider enters into an agreement with the overseas receiving party which governs the rights and liabilities of the parties in ways consistent with the requirements under the draft PIPL
- Provider satisfies other conditions required by law, administrative regulations or the CAC
If the quantity of personal information exceeds the limit designated by the CAC, then a security assessment conducted by the CAC will have to be passed before the personal information can be transmitted abroad.
Fines for noncompliance are hefty
If a business refuses to rectify a breach after receiving a warning from the regulatory body, the penalty could be as high as RMB 1 million. However, for serious breaches, the business could face penalties such as:
- Sanctions (suspension of business and/or cessation of operation permits)
- A fine up to RMB 50 million or up to 5% of the total revenue of the preceding financial year, though it has yet to be determined if the higher or lower amount will be applied.
Information has yet to be provided on the parameters of a “serious breach.”
Businesses can protect themselves from data breaches by strengthening cyber security measures and securing cyber insurance.
Hylant clients can contact their service team members for additional guidance on the PIPL. Not a Hylant client yet but need help? Contact us here.
The above information does not constitute advice. Always contact your insurance broker or trusted adviser for insurance-related questions.