On August 20, 2021, the Personal Information Protection Law (PIPL) was approved and will come into force from November 1, 2021 in China. The PIPL reorganizes the current legislation on personal data protection, previously contained in various provisions of the Network Security Law (in force since June 2017), of the Civil Code (in force since January 2021) and of the Data Security Law (in force since September 2021), and introduces some new features.
The Authority in charge of monitoring compliance with the regulations is the Cybersecurity Authority of China (CAC).
Here is an overview of the main points of the Chinese law.
Scope of application
The PIPL applies to those who process personal data of natural persons present in Chinese territory, regardless of the place where this processing takes place or the registered office of the data controller. The PIPL therefore has an extraterritorial effect, being able to apply both to entities established in China and to those operating outside China.
Violations of the PIPL are punished with fines of up to 5% of annual revenues or RMB 50 million (approximately € 6,705,000).
Legitimacy of the processing and standalone specific consent
The Network Security Law provided that for the legitimacy of the processing of personal data, the information and consent of the interested party were sufficient. The PIPL adds to these two requirements a list of legal basis for processing personal information set out in Article 13 and which include, among others: contract management, human resource management, personal information already disclosed, health and public safety.
The consent of the data subject must be standalone, explicit and preferably documented in writing, unless a preeminent public interest or a health emergency situation is recognized.
The consent of the data subject must also be specific and separate to undertake certain actions such as the processing of sensitive data or the cross-border transfer of data.
The data subject consent requirements should induce operators subject to the PIPL to prefer opt-in systems instead of opt-out systems to collect data subjects' consent.
Rights of the data subjects
right to be informed of the purposes and methods of data processing
right to access their information and to obtain a copy
right to rectification or cancellation of their data
right to refuse to be subjected to automated decisions and not to be subjected to discriminatory commercial treatments (for example related to price or conditions of sale)
right to refuse the processing of their personal data for marketing purposes
right to disable targeted content and ads based on personal characteristics
Data localization and cross-border transfer of personal data
The PIPL requires large-scale personal data controllers and critical information infrastructure operators (dealing with information that may harm security or public interest) to retain data within Chinese territory. In these cases, any data cross-border transfer must be subject to a security assessment by the Cyberspace Administration of China (CAC). Remote access from abroad to data stored in China is also considered to be data cross-border transfer.
Small-scale personal data controllers can instead transfer data abroad without the prior security assessment of the CAC, provided that such transfer complies with the law requirements, including: the signature of a data transfer contract with the overseas data recipients according to a template provided by the CAC, obtaining a specific consent from the data subject, conducting a preventive "data protection impact assessment".
Data Protection Impact Assessment (DPIA)
The PIPL requires the DPIA in certain cases such as: the application of automated decision-making processes, the processing of sensitive data, the communication of data to third parties, the transfer of data between different data controllers and the cross-border transfer of data.
Data Breach Notification
The PIPL requires “timely” notification to the authorities of any data breach. Timeliness may require a period of time of less than 72 hours from the discovery of the data breach provided for by the European GDPR.
Obligations of the data controller
Articles 51 to 56 of the PIPL indicate in detail the obligations of the data controller, which include organizational, administrative and IT security measures.
Among the organizational measures, we point out the appointment of a Data Protection Officer for the processing of personal data on a large scale and of a local representative in China for the controllers and processors established abroad.
Article 62 of the PIPL provides some exemptions from the heavier and stringent obligations for small businesses that process data on a small scale.
In conclusion, the PIPL on the one hand seems to take up the general principles, rights and obligations established by the GDPR (EU Regulation 2016/679), while on the other hand it provides for higher and more stringent standards for companies. For this reason, being GDPR-compliant does not necessarily always mean being PIPL-compliant.
Avv. Lifang Dong and Avv. Chiara Civitelli
The content of this article does not constitute legal advice, but has an informative function. For personalized legal advice, contact the firm by e-mail firstname.lastname@example.org or by phone +39 06 916505710. © Dong & Partners International Law Firm, All rights reserved