China has reinforced its legal framework to protect its citizens’ personal information.
On 20 August 2021, China’s much anticipated 《个人信息保护法》(Personal Information Protection Law (“PIPL”)) was passed. The new law came into force on 1 November 2021. The PIPL, 《网络安全法》(Cybersecurity Law) and the new 《数据安全法》(Data Security Law) (which came into force on 1 September 2021), now form the main legal framework governing data security and the handling of both personal and non-personal data in China.
The PIPL has often been compared with the EU General Data Protection Regulation (“GDPR”). While the comparison is largely apt, there are many points of difference between the two regimes. For example, the cross-border transfer restrictions and the extra-territorial application of the PIPL are broader than the equivalent provisions in the GDPR.
Application of the PIPL
The PIPL will govern personal information processing activities carried out by entities or individuals within China. The PIPL will also apply to an entity’s processing activities conducted outside of China, if the entity processes personal information about individuals located in China in the context of (1) offering goods or services to individuals in China, or (2) analyzing and evaluating the behavior of individuals in China.
In this sense, those who have or plan to have a franchise business or a distribution system in China should pay attention to the PIPL even if they have not established entities in China, because they are offering goods or services to individuals in China.
Cross-border Data Transfers
In line with the Cybersecurity Law and the Data Security Law, the PIPL imposes strict cross-border data transfer requirements. Personal information cannot be transferred out of China unless the transfer is truly necessary for business or other such requirements and one of the following conditions is met:
1. A security assessment conducted by the “国家互联网信息办公室” (Cyberspace Administration of China (“CAC”), also known as the Office of the Central Cyberspace Affairs Commission) has been passed;
2. A security certification is obtained, which is conducted by an accredited body in accordance with regulations specified by the CAC;
3. An agreement with the foreign recipient is entered into based on the “standard contract” stipulated by the CAC (still to be issued), which sets out each party’s respective rights and obligations, and ensures that the personal information will be protected to the same standard as that provided under the PIPL; or
4. The transfer is in accordance with other laws or regulations, or other conditions prescribed by the CAC. 
Before any overseas transfer can take place, data controllers must also:
1. Conduct a privacy impact assessment in relation to the cross-border transfers (records of the risk assessment must be retained for at least three years);
2. Notify the affected data subjects of the foreign recipient’s name and certain other specified information; and
3. Where consent is relied on as the legal basis for processing, obtain the data subject’s separate consent for the transfer.
“Notice and consent” is the primary legal basis for lawfully processing personal information. Notably, a “one-click-for-all” approach to obtaining consent will not suffice in some circumstances: separate consent is required for the disclosure of personal information to a third party, the processing of “sensitive” personal information, and the transfer of personal information outside of China.
On October 29, the National Internet Information Office issued a notice seeking public comment on the 《数据出境安全评估办法（征求意见稿）》 (Measures for Data Exit Security Assessment (Draft for Comment), the “Draft Measure”). The Draft Measure sets out the thresholds above which data processors that provide data overseas must apply for a data exit security assessment through the local provincial network information department; one of these thresholds is the scale of personal information processed. A security assessment is required if a personal information processor that provides personal information abroad has processed the personal information of one million people, or has cumulatively provided abroad the personal information of more than 100,000 people or the sensitive personal information of more than 10,000 people. It is unclear whether “people” here refers to Chinese citizens or to users in general.
Data-enabled price discrimination
Article 24 of the PIPL provides that “个人信息处理者利用个人信息进行自动化决策，应当保证决策的透明度和结果公平、公正，不得对个人在交易价格等交易条件上实行不合理的差别待遇。” That is, personal information handlers who use personal information for automated decision-making must ensure the transparency of the decision-making and the fairness and impartiality of its results, and may not impose unreasonable differential treatment on individuals in transaction conditions such as transaction price. In other words, automated decision-making should not prejudice the people whose personal information has been collected and used for it.
Also, those who conduct information push delivery or commercial marketing to individuals through automated decision-making shall at the same time provide an option not targeted at the individual’s personal characteristics, or provide the individual with a convenient way to refuse.
Entities that fail to comply with the provisions of the PIPL face a correction order, confiscation of unlawful income, and a fine of up to 50 million Yuan (equivalent to about 7 million USD) or 5% of annual revenue. Administrative penalties also include suspension of the related business activities or cessation of business for rectification, and a report to the relevant competent department for cancellation of the corresponding administrative licenses or of the business license.
As the PIPL will soon come into effect, companies are encouraged to review and update their privacy and compliance policies, and to integrate proper technical solutions into their operational systems in order to satisfy the requirements of the PIPL.
Article 38 of the PIPL
Articles 13, 14 and 39 of the PIPL
Paul Jones, IDI Country Expert for franchising in China