Before we start, please note that this article, while carefully researched and drawing upon reputable sources, does not constitute formal legal advice or serve as an exhaustive guide to the application of the Personal Information Protection Law of the People’s Republic of China (PRC).
The intention is to provide a helpful guide and framework for navigating the PIPL’s potential implications for your company, together with actions your business can take in response in this evolving landscape.
It is important to note that the legislation is drafted in broad terms, leaving considerable room for interpretation of its full scope and of how it applies to organisations and individuals. A number of the cross-border transfer conditions have also yet to be issued, with updates expected sometime in 2022. More on this below.
*Note that this article does not discuss the requirements that are specifically applicable to Chinese government agencies as that falls under a different discussion.
For context, the PIPL is one part of a broader three-part cybersecurity and data governance framework enacted by the People’s Republic of China (PRC), commonly referred to as the “Three Horse Carriages”:
The Cybersecurity Law of the PRC, relating to the construction, operation and use of networks within PRC territory.
The Data Security Law of the PRC, primarily relating to data governance, tracing and data security, generally outside of personal information.
The PIPL, the newest addition, regulating activities related to the processing of personal information.1
PIPL stands for the Personal Information Protection Law of the PRC. This legislation, regulating personal information and related matters, came into effect on 1 November 2021.
Personal information is defined broadly in Chinese law, as are other aspects of the text, so there is no clearly delineated scope that can be applied uniformly across all situations. In practice, whether a given piece of data counts as personal information will often depend on context.
The PIPL defines “processing” similarly broadly, covering every touch point throughout the “life cycle of personal information”, inclusive of “collection, storage, use, processing, transmission, provision, public disclosure, deletion and any operation which is performed on personal information”2
Sensitive Personal Information
The concept of “sensitive personal information” is defined more concretely, with examples including medical and health care data, financial accounts, location tracking, religious beliefs, biometric data, and the personal information of minors under the age of 14. In essence, it is information which, if leaked or misused, may easily lead to infringement of a person’s dignity or harm to their personal or property safety.
The PIPL applies to all organisations, including foreign organisations3, that process the personal information of individuals in Mainland China for the purpose of offering products or services to them, or analysing or assessing their behaviour4.
A personal information processor (the PIPL’s term for what the GDPR calls a controller) refers to any individual or organisation that independently decides the purposes, means and other matters relating to the processing of personal information5.
The PIPL also applies to processing activities that take place outside China where the purpose is to provide products or services to natural persons located within China, to analyse or assess the conduct of natural persons located within China, or under any other circumstance provided by law or administrative regulation.
To provide personal information across the border, a processor must satisfy one of the following conditions. Note that several of the supporting rules have yet to be issued and are expected in 2022.
Obtaining a personal information protection certification (certification rules yet to be issued)
Entering into a data export agreement based on the CAC’s standard contract (standard contract yet to be issued)
Passing a CAC-administered security assessment
*A security assessment6 is mandatory if the outbound transfer involves:
Personal information or important information collected and generated by public service providers
Data that contains important information
A processor holding personal information on over one million individuals
Cumulative transfers of personal information on over 100,000 individuals, or sensitive personal information on over 10,000 individuals
^The above is subject to change pending the finalised Measures for Security Assessment of Outbound Data Transfers, which had yet to be enacted as of the publication date.
The PIPL stipulates that obligations differ among personal information processors according to the kind and volume of information they collect. Heightened obligations apply to:
(i) Operators of critical information infrastructure, and
(ii) Processors handling personal information above a volume threshold, currently set at one million personal information subjects.
It is worth noting that one of the latest changes absorbed into the enacted PIPL is a statement that the Cyberspace Administration of China (CAC) will publish specific rules and standards for small-size personal information processors (PIPs). One interpretation is that smaller PIPs may be subject to a different, more lenient set of standards.
The PIPL stipulates that personal information processors shall implement the necessary measures7 to ensure the security of the personal information they process.
Given the PIPL’s broad delineation of scope and guidelines, what are the key elements to understand for best practice? Below we list the key principles, their interpreted meaning, and recommendations any business can act on.
“Legitimacy, fairness, necessity and good faith”8: do not use fraudulent or misleading means to process personal information. In practice, this means being clear about why you are collecting information.
“Purpose limitation”: personal information must be relevant to the purposes of processing. Any change in purpose requires fresh consent for that use of the information.
“Openness and transparency”9: an accessible notice must be available for individuals to review before they consent. For example, an opt-in consent box in customer forms, with accessible terms describing the uses of their information.
“Data minimisation”: limit information collection to what is necessary for the stated purpose.
“Integrity and accuracy”: maintain accurate information. The PIP must ensure the quality of personal information and avoid causing adverse impact on the rights and interests of individuals through inaccurate or incomplete personal information.
Informed consent10 from the personal information subject has been obtained
In order to perform a contract to which the personal information subject is a party
Where processing is necessary to perform statutory duties or obligations
Where processing is necessary to protect the health and safety of the individual
Where personal information is processed “to a reasonable extent” for acts in the public interest, such as news reporting
Where the personal information was made public by the subject or through other legitimate channels, and is processed to a reasonable extent
Other scenarios provided for in laws and administrative regulations of the PRC
Name and contact details of the personal information processor (organisation or individual)
Means and purposes of processing
Types of information to be processed
The retention period of such information
The procedure and means for individuals to exercise their rights pertaining to personal information under the PIPL
Any other information required by laws and administrative regulations (a deliberately broad catch-all)
Processors of sensitive information11 must provide additional information in the privacy notice, including the necessity of the processing and its impact on the individual’s rights and interests.
Evaluate whether your organisation would be considered a processor of sensitive information or an operator of critical information infrastructure. Possible examples include tech platforms with one million users, collectors of biometric data, and more. See the sensitive information section above.
Update your digital properties to give individuals the specific information required about cross-border transfers and to obtain separate consent12, for example via consent checkboxes in forms.
Update your privacy notice, and consider providing a version in Simplified Chinese.
Adopt the necessary measures to ensure that overseas recipients provide the same level of protection as required under the PIPL. This obligation is broadly defined, and more detailed rules for cross-border processors are expected later in 2022.
Carry out a personal information protection impact assessment13
How does PIPL compare with GDPR?
Note that these examples are a non-exhaustive list and are purely to illustrate the broad scope and potential applicability of the PIPL.
Healthcare-related institutions that collect sensitive biometric data from 10,000+ individuals and store it outside of China
Educational institutions that collect the information of minors under the age of 14 are subject to additional requirements under the CAC.
Tech platforms with over one million visitors from China are subject to additional requirements
Information collected is hosted and processed by a form service provider (e.g. HubSpot) outside of China. Note that this falls under the cross-border processing rules, for which detailed guidelines have yet to be fully prescribed, with updates expected in 2022.
Media companies and publications that report on public affairs in China
Analytics service companies that collect and process the personal data of over one million individuals in China. Note that this is distinct from organisations that use anonymised analytics services whose audiences include visitors in China. More in this article here.
Read more about data localisation in relation to the PIPL.
Article 1 of the Personal Information Protection Law (PIPL)
Baker & McKenzie, Insight Plus 2022
Article 3 of the Personal Information Protection Law (PIPL)
Article 2 of the Personal Information Protection Law (PIPL)
Article 73(1) of the Personal Information Protection Law (PIPL)
Article 40 of the Personal Information Protection Law (PIPL); Article 4 of the Draft Security Assessment for Outbound Data Transfers, Cyberspace Administration of China (CAC)
Article 59 of the Personal Information Protection Law (PIPL)
Article 5 of the Personal Information Protection Law (PIPL)
Article 7 of the Personal Information Protection Law (PIPL)
Article 13 of the Personal Information Protection Law (PIPL)
Examples include medical and health care data, financial accounts, location tracking, religious beliefs, biometric data, and the personal information of minors under the age of 14. See Article 29 of the Personal Information Protection Law (PIPL)
Article 39 of the Personal Information Protection Law (PIPL)
Article 55 of the Personal Information Protection Law (PIPL)
Article 4, Draft Security Assessment for Outbound Data Transfers, Cyberspace Administration of China (CAC)