The Personal Information Protection Law, commonly known as the PIPL, is the Chinese data protection law. It provides direction on rules for processing personal and sensitive information, including the legal basis and disclosure requirements. It also introduces rules for personal information protection processes as well as data subject rights, and outlines requirements regarding international data transfers to third parties.

What does the Personal Information Protection Law deal with?

  • The PIPL mainly deals with protecting personal information.
  • The PIPL deals with the principles for processing personal information, such as legality, legitimacy, necessity, and good faith. Importantly, it also deals with how personal information shouldn’t be processed, such as by misleading, fraud, coercion or other means.
  • The main role players are the personal information processors (processor) and the (state) departments performing personal information protection duties (Articles 11 and 12).

Who does the PIPL apply to?

The PIPL applies to you if you process personal information within China. It also applies if you are outside of China but process the personal information of persons within China, for example to provide products or services to persons within China. So the PIPL will apply to you if you’re a business outside of China that provides products or services to persons within China. Another example is if you are outside of China but process personal information to analyse or assess persons within China.

Who regulates the PIPL?

The State cyberspace administration (also known as departments within the Act) is responsible for regulating the PIPL. They are responsible for coordinating the protection of personal information, relevant supervision and the administration work of the PIPL.

Risk of non-compliance

If the PIPL applies to you and you do not comply with its requirements, the departments could take one of the following actions against you:

  • Order you to make a rectification.
  • Give you a warning and confiscate your illegal gains.
  • Order you to suspend the illegal processing of personal information.
  • Order you to terminate the provision of services.
  • If you refuse rectification, you could be fined RMB 1 million.
  • The person directly in charge of the processor or other directly liable persons can also be fined between RMB 10 000 and RMB 100 000.

Where the circumstances of any of the above are serious, you could:

  • Receive a fine of anywhere below RMB 50 million and not more than 5% of your turnover in the previous year.
  • Lose your business permit or licence.
  • Be fined between RMB 100 000 and RMB 1 million if you’re a person who is directly in charge of the processor. Additionally, you could be prohibited from serving as a director, supervisor or senior manager, and a person in charge of personal information of the particular organisation for a particular period.

Why do we need the Personal Information Protection Law?

The People’s Republic of China enacted PIPL in accordance with the Constitution of the People’s Republic of China to:

  • Protect personal information rights and interests.
  • Regulate the processing of personal information.
  • Ensure that processors reasonably use personal information.

The status of the PIPL

The Standing Committee of the 13th National People’s Congress (NPC) of the Republic of China adopted the PIPL in the 30th Standing Committee meeting, and it came into effect on 1 November 2021. The NPC gave organisations several months to prepare to implement measures to comply with the PIPL.

The implications of the PIPL

Obligations of Personal Information Processors

You must put measures in place to protect the personal information you process. These measures are to ensure you prevent unauthorized access, leaking, falsifying and any loss of personal information, as well as to ensure you comply with laws and administrative regulations.

The Act indicates the following measures you must put in place:

  • Formulate an internal management system and operational procedures.
  • Classify personal information to manage it.
  • Use technical security measures such as encryption and de-identification.
  • Determine the authority to process personal information.
  • Conduct security education and training for employees on a regular basis.
  • Have a plan in place to respond to personal information security incidents.
  • Other measures as prescribed by laws and administrative regulations.

Rights of Individuals

The PIPL empowers individuals with various rights when it comes to their personal information. They have a right to know and make decisions regarding the processing of their personal information. They can restrict or refuse the processing of their personal information. These rights are, however, not absolute and may be subject to other laws and administrative regulations. Where other laws may limit the rights, the other laws may prevail. There is no specific indication of how other laws may be applicable when they oppose any of the rights individuals have over their personal information.

A processor must provide a convenient way for individuals to exercise their rights. In cases where the processor refuses an individual’s request to exercise their rights, the processor must provide reasons for rejecting the request. An individual may go to court to appeal a processor’s refusal to allow the individual to exercise their rights in the PIPL.

Actions you can take

  • Dive into the detail by reading the PIPL in the form of a website.
  • Keep up to date with emerging data protection laws by joining our programme.
  • Comply with data protection laws by getting practical legal solutions from Michalsons by consulting with one of our attorneys.
  • Comply with your legal obligations by asking Michalsons to draft or review your data protection policies.
  • Get notifications of important data protection updates in China and other countries around the globe by subscribing to our newsletter.