China’s Personal Information Protection Law (PIPL) came into force on November 1st, 2021. The law establishes strict rules on handling the personal data of Chinese citizens and sets immediate compliance requirements.
Large international tech companies will likely be affected the most, as they have to establish their presence in China and use local servers to onboard Chinese users. We’ve summarized the law’s key principles and how to comply with them.
The PIPL affects public and private organizations that handle the personal data of Chinese citizens for activities including, but not limited to:
- collection;
- storage;
- use;
- processing;
- transmission;
- provision;
- public disclosure;
- deletion.
The law equally applies to foreign businesses, including those without a legal entity in China. This could be a non-Chinese business that advertises to Chinese users or onboards them to its app or e-store.
Third-party vendors providing businesses with data handling services must also comply with the PIPL. However, it is the business's responsibility to conclude agreements with its vendors and to supervise them to ensure compliance.
Definitions under the PIPL
Personal information is any data by which an individual can be identified, such as their name, appearance, email address, IP address, cookie ID, and so on. Personal data doesn’t include anonymised data.
Sensitive personal information includes biometrics, religion, medical and financial information, individual location tracking, as well as information relating to minors under the age of 14.
What are the main obligations set by the PIPL?
Businesses that are subject to the PIPL must guarantee users’ personal information rights and protect personal data from breaches and unlawful usage. The PIPL lays out the legal bases for data handling and explains when to ask for a user’s consent to it.
The PIPL also introduces data localization and data transfer rules, which restrict storing and transferring personal information outside of China. The main obligations are described in detail below.
The PIPL defines the legal grounds for handling personal information. Besides the individual's consent, these include the following cases:
- concluding or performing a contract with the user;
- carrying out human resource management under lawfully adopted labor rules or a collective contract;
- fulfilling statutory duties or obligations;
- pursuing the public interest (e.g., news reporting and public opinion supervision);
- responding to public health emergencies or protecting individuals' life, health, and property in an emergency;
- handling information that the individual has already disclosed or that has been lawfully disclosed.
If none of the legal bases above applies, the business must obtain the individual's consent.
How to comply
The law requires businesses to map their data flows by covering what personal information is processed and why, as well as where it is held and transferred. The mapping should include:
- business activities relating to personal information;
- categories of information and users;
- legal bases for handling personal information;
- a list of contractors involved in data handling;
- physical location of data storage;
- overseas transfers/transfers to foreign companies.
The resulting record is used as a basis for implementing protection measures under the PIPL.
If none of the other legal bases applies to the data handling, the business must obtain user consent in a non-coercive way. Accordingly, user consent must be:
- explicit—users express their consent in an obvious way, such as ticking a box;
- informed—users know what they're consenting to;
- voluntary—users aren't pressured into giving consent and suffer no adverse consequences if they refuse.
Additionally, the PIPL introduces a separate consent requirement, which is uncommon for other data privacy laws such as the European General Data Protection Regulation (GDPR). Under the PIPL, separate consent is needed when:
- sensitive information is handled;
- personal data is transferred outside of China;
- personal data is provided to a third party;
- personal data is publicly disclosed.
In cases involving the handling of information of minors under the age of 14, a parent or other guardian must provide consent.
How to comply
Before handling a user’s data, businesses must provide them with a consent form which clarifies the following:
- the name of the company and its contacts;
- the purpose of information handling;
- the scope of information;
- handling method;
- retention period;
- the individual’s rights.
The consent form can be provided via a pop-up notification.
For cross-border data transfers, businesses must additionally provide the user with the foreign receiving side’s name and contacts before requiring separate consent.
The PIPL provides individuals with a set of rights relating to their personal information. These include the rights to:
- know what personal information is handled;
- know how the information is handled;
- access the information;
- ask for it to be corrected or supplemented;
- ask to limit the scope of the information or to delete it;
- withdraw consent to personal information processing.
Under the PIPL, it is the company’s obligation to ensure and protect these rights.
How to comply
Businesses must ensure that users can make decisions relating to their personal information and have the tools to opt out. Therefore, it’s required to review privacy policies and notices to ensure that they contain the following:
- a separate email address for user requests relating to their personal information;
- explanations of why and how personal information is handled, as well as categories of information handled, handling methods, and the retention period;
- the user’s rights.
In addition, businesses should develop internal processes and policies for responding to user requests and for providing users with access to their personal information.
The PIPL sets restrictions on the use of personal data for automated decision-making, including profiling for online advertising:
- firms must not apply unreasonable differential treatment based on profiling, such as charging users with higher income a higher price for the same product or service;
- firms that push information or market to users based on automated decision-making must offer an option that is not targeted at the user's personal characteristics, or an easy way to refuse such targeting.
Personal data used for automated decision-making can relate to the user's behavior, habits, interests, and hobbies, as well as their financial, health, credit, or other status.
The PIPL introduces a data localization rule, which prohibits the following types of companies from storing data on servers outside of China:
- Critical Information Infrastructure Operators (CIIOs), i.e., those engaged in public, financial, e-government, utility and other services;
- Businesses that have onboarded more than 1 million users*.
This requirement has the potential to force large multinational tech companies to open an office in China to ensure data localization.
How to comply
Compliance measures for companies outside China vary with the number of users they handle:
- companies with more than 1 million users* must set up an office in China and use local servers;
- companies with fewer than 1 million users* must either set up a branch or appoint a representative in China.
Local companies must be prepared for an on-demand assessment by the Cyberspace Administration of China (CAC), which may want to make sure the data localization rule is fulfilled.
*As of 25.01.2022, the CAC hasn’t provided any clarification on whether “1 million users” refers to Chinese users specifically.
The PIPL sets restrictions on transferring personal data outside of China. The following entities and data types fall under the restrictions:
1. Entities affected:
- Critical Information Infrastructure Operators (CIIOs), i.e. businesses engaged in public, financial, e-government, utility and other services;
- Those which have onboarded more than 1 million users;
2. Data types affected:
- “important” data, i.e. data whose leakage or misuse could harm national security, the public interest, or citizens’ rights;
- large-scale data, i.e. data relating to more than 100,000 users, or more than 10,000 users where the information is sensitive.
If any of the above-mentioned criteria apply, businesses must pass a security assessment by the Cyberspace Administration of China (CAC) before transferring data abroad.
In all other cases, firms are allowed to transfer personal information if they meet one of three conditions:
- passing a CAC security assessment (same as above);
- obtaining a personal information protection certification from a body recognized by the CAC;
- entering into a standard contract, in the form formulated by the CAC, with the overseas recipient.
Any firm willing to transfer personal data outside China must conduct a self-assessment, examining whether personal information handling is lawful and necessary, and whether protective measures are suitable to the degree of risk.
How to comply
To apply for the CAC security assessment, businesses must provide a package of documents, including:
- a written application;
- a self-assessment report;
- a contract with the recipient entity.
The contract must limit the recipient’s data usage scope and indicate penalties for contract violations. It’s also required to indicate security measures and where the data will be physically located.
According to the draft Measures for the Security Assessment of Outbound Data (see below), the self-assessment report for the cross-border transfer must cover:
- legal grounds and necessity of data transfer;
- quantity, type, and sensitivity of data;
- risks to national security and individuals’ rights;
- measures preventing data leakage and damage;
- purpose, scope, and the method of data handling by a recipient, as well as their obligations for ensuring data security.
Although the CAC hasn’t yet provided clear mechanisms for security assessments, it issued draft Measures for the Security Assessment of Outbound Data on October 29th, 2021, which set out the general requirements.
When a firm handles a certain amount of data (to be further specified by the CAC), it’s obliged to appoint a Personal Information Protection Officer, analogous to the DPO under the GDPR.
How to comply
The names and contacts of Personal Information Protection Officers should be reported to the CAC and indicated in the privacy policies of the firm. It’s also recommended to watch for additional guidance on required qualifications of officers, which may be issued by the CAC.
If a firm is established outside China and is handling the personal data of Chinese citizens, it must designate a representative within China. A representative can be either a natural person or a legal entity.
How to comply
The representative’s name and contacts should be reported to the Cyberspace Administration of China (CAC). It is also recommended to watch for additional guidance on requirements for the representative, which may be issued by the CAC.
The PIPL was passed on August 20th, 2021 and came into effect on November 1st, 2021, giving businesses little more than two months to implement compliance measures. As of November 2021, the law requires immediate compliance from obliged businesses.
Sanctions for non-compliance with the PIPL depend on whether a company is local or foreign. For local firms, sanctions include:
- correction orders, warnings, confiscation of unlawful income, and suspension or termination of the service;
- a fine of up to CNY 1,000,000 if a correction order is refused, rising to CNY 50,000,000 (about USD 7.75 million) or up to 5% of the organization’s annual turnover for the previous year in grave cases;
- personal administrative fines of up to CNY 1,000,000 (about USD 150,000) on the persons directly responsible.
Overseas companies that don’t fall into line with the PIPL or harm the national security of China may be:
- placed on a blocklist;
- banned from handling the personal information of Chinese citizens.
The CAC is responsible for creating and updating the blocklist.
Where to find out more:
- Personal Information Protection Law (PIPL) translated in English
- China’s Data Security Law (DSL) translated in English
- China’s Cybersecurity Law (CSL) translated in English
- The CAC Measures for the Security Assessment of Outbound Data (Draft) original text
- The CAC Measures for the Security Assessment of Outbound Data (Draft) translated in English