What are the legal grounds for processing personal information?

A company/organisation can process an individual’s personal information if it has obtained their consent. Such consent must be given voluntarily, explicitly and on a fully informed basis. For example, the opt-out consent mechanism allowed under the CCPA would not be considered as valid consent under the PIPL.

The PIPL further provides that consent is not required if processing personal information is necessary on any of the following lawful grounds:

• necessity for concluding or performing contracts to which the individual concerned is a party;
• necessity for employees and human resources management in accordance with legally-adopted internal regulations and legally-concluded collective contracts;
• necessity for performing legal duties or legal obligations;
• to respond to public health emergencies, or necessity for the protection of natural persons’ life, health, and property safety in an emergency situation;
• processing, within a reasonable scope, of personal information for the broadcasting or publishing of news, for the oversight through public opinions, and for taking other acts in the public interest;
• processing within a reasonable scope and in accordance with the PIPL, of personal information that has been made public by the data subject or through other lawful means.

Even where one of the above lawful bases is established, it is critical that the principles of lawfulness, necessity (purpose limitation, data minimisation and storage limitation), fairness, transparency, accuracy, and accountability are all duly considered and met to achieve compliance. In practice, determining which lawful ground(s) may apply and stand in any specific scenario can be tricky, as the devil is always in the detail.

When can personal information be transferred outside of China?

As a general rule, personal information must be stored locally within China. Where a personal data processor needs to provide personal data to a party outside of China (including giving access to anyone based outside of China) for business reasons, it must satisfy at least one of the following conditions:

• Pass a security assessment organised by the national cyberspace administration (i.e., the Cyberspace Administration of China or CAC), if the transferor is an operator of critical information infrastructure (CII) or the volume of the affected personal information reaches the threshold to be further specified by the CAC.
• Obtain personal data protection certification from a qualified accreditation agency in accordance with provisions to be further specified by the CAC.
• Conclude a contract with the overseas recipient based on the model contract to be developed and issued by the CAC, specifying both parties’ rights and obligations.
• Comply with other conditions provided in laws, or administrative regulations, or other regulations to be issued by the CAC.

With reference to the underlined wording above, it is expected that the CAC will issue further detailed regulations on implementation and guidance on cross-border transfers of personal information in the near future.

Prior to a cross-border transfer of personal information, the data processor is required to obtain the consent of the individuals concerned and take all necessary measures to ensure the foreign recipient also fully complies with the applicable provisions in the PIPL.

It is worth noting that the PIPL grants powers to the CAC to create a list of foreign organisations or individuals to whom the provision of personal information is on a restricted basis or prohibited, where this infringes upon the rights and interests of Chinese citizens or is to the detriment of China’s national security or public interest. 

Are there special rules for sensitive personal information under the PIPL?

The legal definitions of ‘personal information’ and ‘sensitive information’ are consistent with those provided in the national standard ‘GB/T35273-2020 Information security technology – Personal information security specification’¹.  If certain personal information that is leaked or used unlawfully can cause natural persons to suffer encroachments on their dignity or harm to their person or property, then this information will be considered sensitive. Examples include an individual’s biometric identifiers, religious faith, medical records and health status, financial status, and location tracking, as well as personal information of minors under the age of 14.

The PIPL now clearly requires that an individual’s explicit and specific consent must be obtained in order to process their sensitive personal information. For example, if a company collects face IDs, medical data, or other sensitive personal information, it must carefully consider whether it is essential to collect such information in view of the data minimisation principle, and whether sufficient security and protection measures have been put in place, and prepare a separate privacy notice or consent form for such sensitive personal information.

The PIPL requires that personal information of minors under the age of 14 can only be collected and processed with the consent of that relevant minor’s parent or guardian.

What are the key obligations of a data processor?

In summary, the PIPL sets forth the following key obligations for all data processors:

To take security measures to protect personal information, including developing internal policies, emergency plans and procedures, adopting technical measures (such as encryption and de-identification), establishing internal classification rules on personal information, and providing regular training.

• To appoint a data protection officer (DPO), where the personal information handled by the company/organisation exceeds the threshold to be further specified by the CAC; and disclose the DPO’s contact information to data subjects and enforcement authorities.
• To conduct a regular compliance review and audit.
• To conduct data protection impact assessments (the PIPL provides the requisite items to be covered in such assessments and all assessment records must be kept for at least three years), where sensitive personal information, automated decision-making, or a cross-border transfer is involved, or where the company/organisation commissions others to process personal information on its behalf, or shares personal information with others, or undertakes any data processing activities that have a significant impact on the individuals concerned.
• To immediately take remedial measures, and notify the relevant authority and individuals concerned, where there is an actual or suspected leakage, tampering or loss of personal information.

Who are the enforcement authorities?

The PIPL clarifies that the following are the key enforcement authorities, and outlines each of their responsibilities.

• The CAC plays a leading role and is primarily responsible for (i) the overall planning and coordination of personal information protection, and (ii) related supervision and administrative work with respect to the personal information protection in China.
• The relevant ministries and departments of the State Council will also be responsible for personal information protection, as well as supervision and administration within their respective purview (e.g., the Ministry of Industry and Information Technology will supervise telecom business operators, the People’s Bank and China Banking and Insurance Regulatory Commission will oversee the handling of personal financial data, etc.).

What happends if a company/organisation fails to comply with the PIPL?

Sanctions

Depending on the severity of the violation, the PIPL confers the personal information protection authorities in China with different powers to address any non-compliance with the PIPL’s rules, including issuing a correction order or warning, confiscating unlawful gains, ordering the suspension or cessation of a business, revocation of a business licence and/or imposing fines.

For serious violations, enforcement authorities at the provincial level or higher can at their discretion, in addition to the confiscation of any unlawful gains resulting from the violation, concurrently impose a fine of up to RMB 50 million or 5 per cent of a company’s business income in the preceding year, as well as a fine ranging from RMB 100,000 to RMB 1 million on any individual responsible person within the company’s management.

Damages

Individuals have a right to claim compensation for a company/organisation’s violation of the PIPL. The PIPL makes it clear that in the case of personal information infringement:

• when two or more data processors jointly control and process personal information, regardless of any contractual arrangements among themselves, they will assume joint and several liability to the data subjects;
• the burden of proof is shifted to the data processor, who must produce evidence to show that it acted in compliance with the PIPL and was not at fault for any infringement; and
• the claims raised by the individuals are not limited to the financial loss suffered but can also relate to the benefits obtained by the processor, which could be much higher.

When a large number of individuals’ rights and interests are involved, the People’s Procuratorate, legitimate consumer protection organisations, and organisations designated by the CAC have the additional right to file a public interest lawsuit against the infringing data processor.

How should we prepare for compliance with the PIPL?

Each company/organisation that has operations in China should start by:

• Conducting an internal review and audit on its existing consent forms, privacy policies/SOPs and relevant agreements, and update these as necessary and appropriate to reflect the requirements under the PIPL. Questions to ask that pertain to employees’ personal information may include: 

a. Have our internal policies, emergency plans, etc. been duly prepared and established?

b. Do our existing privacy notice, consent form and assessment report cover all requirements under the PIPL?

c. Where sensitive personal information (such as face IDs for checking attendance) is collected from our employees, is independent consent sought from them?

d. Where there is any cross-border transfer of personal data, what is the volume of such data? Is it necessary to transfer the data out of China? Have we obtained valid consent for the transfer?

e. Where any personal data is collected based on our employee handbook, is the disclosure sufficient? Has the employee handbook been properly passed and legally adopted following completion of all employee consultation procedures? Have our employees been duly notified?

f. Do we have a local DPO?

• Arranging training and establishing compliance programmes to improve the awareness of its management, employees and vendors.
• Monitoring developments in legislation, including any implementation rules, accreditation and certification measures, and standard cross-border transfer agreements to be issued by the CAC.

Our lawyers at Reed Smith are here to help you navigate China’s new PIPL. Feel free to reach out to any of us. We look forward to being of support to you.

1. This national standard sets out recommendations, but has no legally binding force. Before the PIPL, it served as a key reference for guidance on good practice with respect to privacy and personal data protection in China. The first version of the standard was issued in 2017 and the most recent update was issued in March 2020.