As the world’s second largest economy and home to one of the biggest consumer markets on the planet, it is hard to overlook the potential opportunities in China. With the introduction of the Personal Information Protection Law (PIPL), many have also noticed the country’s laws on privacy and information security are keeping pace with its rapid modernisation.
In this quick primer, we will provide some background knowledge and guidance for businesses that are looking to tap into this market but are not quite sure whether their products and services will comply with local privacy and information security regulatory requirements.
Which privacy and information security law(s)?
While the PIPL has crystallised many principles, privacy and personal information protection rules can actually be found across multiple laws. The Civil Code, for example, requires the processing of personal information to follow the principles of lawfulness, justification, and necessity. This typically entails obtaining consent (Art 1035). Individuals have the right to access their personal information, as well as to request corrections (Art 1037). The Criminal Law further addresses the illegal acquisition, sale and provision of personal information (Art 253a). The Protection of Consumer Rights and Interests Law (Art 50) and the Regulations on the Online Protection of Minors (Chapter 4) add extra safeguards for specific scenarios.
It should also be noted that the separate Data Security Law (DSL) and Cybersecurity Law (CSL) define data security obligations. Under the former, providers of internet products and services must apply stricter management systems to personal information relating to important data (Art 27) - which is described as data that, if tampered with, destroyed, leaked, or illegally obtained or used, may directly endanger national security, economic operation, social stability, public health, and safety (Art 62(4) of the Regulations on the Administration of Network Data Security). The CSL complements the DSL by placing specific responsibilities on ‘network operators’ in relation to their operations (Chapter 3, Section 1 & Chapter 4). With ‘network operators’ defined as ‘owners, administrators and network service providers of networks’ (Art 76(3)), the law captures a wide variety of entities from different industries, not just those involved in technology.
Are all parties treated equally?
Obligations for two specific categories of entities are worth noting under the PIPL. The first relates to providers of significant internet platform services (Art 58), who must establish a compliance system for personal information protection, formulate platform rules, and stop providing services to downstream providers that violate the law. They are also required to publish regular social responsibility reports. The second relates to entrusted parties (Art 21). An entrusted party is a third party to whom a personal information processor delegates the processing of certain personal information. The scope of this processing can be circumscribed by an agreement.
Cross-border data transfers
There are three main ways to facilitate cross-border data transfers: through a security assessment, by obtaining a personal information protection certification, or through standard contractual measures (Art 38). The individual whose information is being transferred overseas must also be notified of the transfer (Art 39). Under the Regulations on Promoting and Regulating the Cross-Border Flow of Data, there are, however, exemptions for activities such as fulfilling human resource regulatory requirements and cross-border shopping, delivery, remittance, payment, account opening, flight and hotel reservations, and visa application and examination services (Art 5). Other exemptions include processors (other than operators of critical information infrastructure) that have provided fewer than 100,000 personal information records (excluding sensitive personal information) abroad since the start of the year.
Is a Data Protection Officer required?
Under Art 52 of the PIPL (and based on the Information security technology - Personal information (PI) security specification GB/T 35273-2020, 11.1(c)), a processor must designate a person in charge of personal information protection if its main business involves the processing of personal information and it has more than 200 employees, or if it processes 1M personal information records or 100,000 sensitive personal information records. This officer is responsible for supervising the personal information processing activities of the processor and ensuring that protective measures are implemented effectively. Additionally, the personal information processor is required to disclose the contact information of this officer and submit the officer's name, contact information, and other relevant details to the authorities.
Individual Rights
Individual rights are wide-ranging (Art 24 & Chapter 4). Individuals have the right to be informed, to rectification and deletion, to withdraw consent, to restrict or refuse processing, to refuse automated decision-making, to request an explanation, and to bring claims against processing entities, including in their capacity as next-of-kin of deceased individuals.
It should also be noted that the PIPL extends its jurisdiction beyond China's borders. It applies to the processing of personal information of natural persons within China by entities outside of China under certain conditions (Art 3). These conditions include when the processing is for the purpose of providing products or services to natural persons within China or analysing and assessing the behaviour of natural persons within China.
Record keeping
Personal information processors are required to retain impact assessment reports and processing records for at least three years (Art 56). Under Art 55 of the PIPL, a personal information processor must assess the impact on personal information protection in advance and keep a record of the assessment when:
- processing sensitive personal information
- using personal information to conduct automated decision-making
- entrusting personal information processing to another party, providing personal information to another party, or publicising personal information
- providing personal information to any party outside the territory of the People's Republic of China
- conducting other personal information processing activities that may significantly impact individuals.
We hope the above gives you an idea of what might be involved in entering into the Chinese market, should your products or services involve the processing of personal information.