The PIP Law together with the Cybersecurity Law (effective from June 1, 2017) and the Data Security Law (effective from September 1, 2021) will serve as the three fundamental and framework laws regulating cybersecurity and data security protection in China. This alert focuses on what multinational companies that process personal information of natural persons in the PRC need to know about the PIP Law.
Definitions of Personal information (PI), PI Processing and PI Processor
Article 4 of the PIP Law defines personal information as “all kinds of electronic or otherwise recorded information related to an identified or identifiable natural person”, excluding information that has been anonymized. This definition mirrors and further expands the term under the Cybersecurity Law and the Civil Code of the PRC, which define personal information as “the various types of electronic or otherwise recorded information that can be used separately or in combination with other information to identify the natural person, not including information after anonymization.”
The processing of personal information includes the collection, storage, use, processing, transmission, provision, disclosure, deletion, etc. of personal information.
A personal information processor (PI Processor) is defined as “an organization or individual that autonomously determines the purpose and means of processing during personal information processing activities”. Where two or more PI Processors jointly decide on the purpose and means of processing personal information, they shall agree on the rights and obligations of each party. Such an agreement, however, does not restrict an individual from exercising his or her rights against any one of the joint PI Processors, and where the joint processing infringes personal information rights and interests and results in damages, the joint PI Processors bear joint liability according to the law.
Scope of Application & Extraterritorial Application
The PIP Law primarily applies to the activities of processing personal information of natural persons within the PRC.
If the PRC subsidiary of an overseas company collects and processes personal information of natural persons in the PRC and shares such information with its headquarters, affiliates or other unrelated third parties outside the PRC, such collection, processing and transferring of information are subject to the Chinese PIP Law.
If an overseas company directly collects personal information from natural persons in the PRC and processes such information outside of the PRC, such activities are also subject to the PIP Law, if any of the following circumstances exist:
As such, a PI Processor under the PIP Law covers both (i) a PRC-incorporated entity or an individual in the PRC (Onshore PI Processor), and (ii) an overseas entity or an individual outside of the PRC (Offshore PI Processor).
For any Offshore PI Processor, Article 53 of the PIP Law requires it to establish a designated office or appoint a representative in the PRC to handle personal information protection matters and to submit the name and contact information of such office or representative to the regulatory authority. How this article will be enforced remains to be seen.
Principles for Processing Personal Information
Articles 5 to 9 of the PIP Law set forth the principles that a PI Processor shall follow throughout the entire life cycle of personal information processing activities. These principles include:
General Rules for Processing Personal Information
The PIP Law sets forth general rules for processing personal information in Chapter 2, which apply to both Onshore PI Processors and Offshore PI Processors. We address a few important rules for personal information processing below.
1. Individual Consent and Other Legal Basis for Processing
Based on Article 13 of the PIP Law, a PI Processor may process personal information on any of the following legal bases:
Except in the scenarios under items (2) through (7) above, where individual consent is not required, a PI Processor must obtain consent from an individual before processing any of his or her personal information.
2. Notice and Consent
Where the processing of personal information is based on individual consent, the consent must be given voluntarily and expressly by an individual with full knowledge of the processing. A separate consent or a written consent must be obtained where laws and administrative regulations so require.
Prior to processing any personal information, a PI Processor must explicitly notify individuals truthfully, accurately and completely of the following items using clear and easy-to-understand language:
Where any of the above items changes, the PI Processor must inform individuals of such changes. Where any of (i) the purpose of processing, (ii) the means of processing, or (iii) the categories of personal information to be processed changes, the PI Processor must obtain individual consent again.
A PI Processor must not refuse to provide products or services on the grounds that an individual does not give consent to the processing of his or her personal information or withdraws his or her consent, except where the processing of personal information is essential for providing the products or services.
3. Entrusted Processing
In practice, a PI Processor may entrust a third-party service provider to collect and process personal information on its behalf. According to Article 21 of the PIP Law, the entrusting party must conclude an agreement with the entrusted party covering the purpose of the entrusted processing, the time limit, the means of processing, the categories of personal information to be processed, the protection measures, and the rights and duties of both parties, and must supervise the personal information processing activities of the entrusted party.
Data Localization and Cross-Border Information Transfer
A key issue about which many multinational companies with business in the PRC are concerned is the rules on cross-border information transfer.
Article 38 of the PIP Law provides that if a PI Processor has business or other needs to transfer personal information outside of the PRC, it must fulfill at least one of the following conditions:
It is likely that most PI Processors would prefer to rely on item (3), since it involves neither a CAC security assessment nor certification by a professional institution, both of which may take time and incur additional cost. Item (3) is especially likely to be chosen where the Onshore PI Processor and the offshore recipient are affiliated companies or have an entrustment agreement for processing personal information. The CAC has not yet published a template for such a standard contract. Once the standard contract is published, business operators that need to transfer personal information outside the PRC should update their existing data sharing or data transfer agreements to be consistent with the CAC standard template.
In addition, Article 39 requires the PI Processor to notify each individual of at least the following information in the case of any cross-border transfer of personal information: the identity and contact information of the offshore recipient; the purposes and means of processing; the categories of personal information to be transferred; and the means and procedures by which the individual can exercise his or her rights under the PIP Law against the offshore recipient. The PI Processor must also obtain a separate consent from each individual for such cross-border transfers.
Based on Article 55 of the PIP Law, a PI Processor is also required to conduct a personal information protection impact assessment before transferring any personal information overseas. Such an impact assessment must cover (i) whether the purpose and means of processing are legal, justified and necessary, (ii) the impact on personal interests and the security risks involved, and (iii) whether the protective measures adopted are legal, effective and commensurate with the security risks. The impact assessment report and the record of processing must be kept for at least three years.
Similar to other recently published laws (e.g., the Export Control Law) and regulations (e.g., the Provisions on the Unreliable Entity List), Article 42 of the PIP Law also contemplates a “blacklist” to which the CAC has the power to designate Offshore PI Processors whose personal information processing activities infringe the personal information rights and interests of PRC citizens or endanger the national security or public interest of the PRC. PI Processors will be prohibited or restricted from transferring personal information to parties on the blacklist.
In addition, Article 43 of the PIP Law provides that if any country or region imposes any prohibitive, restrictive or other similar measures in a discriminatory manner against the PRC with respect to personal information protection, the PRC may, based on actual circumstances, take corresponding measures against said country or region.
Sensitive Personal Information
Sensitive personal information is defined under the PIP Law as personal information the leakage or unlawful use of which may lead to discriminatory treatment or serious harm to personal or property safety. It includes race, ethnicity, religious beliefs, personal biometrics, medical and health information, financial accounts and personal whereabouts, and also covers the personal information of minors under 14 years of age.
The PIP Law imposes stricter requirements on the processing of sensitive personal information. A PI Processor may process sensitive personal information only if (i) it has a specific purpose, (ii) the processing is sufficiently necessary, and (iii) the PI Processor has adopted strict protection measures. A separate consent, or a written consent where laws or administrative regulations so require, must be obtained from the individual before processing sensitive personal information. A PI Processor is also required to inform individuals of the necessity of processing their sensitive personal information and of the impact on their personal interests.
For a violation of the law, the PIP Law imposes a fine of up to RMB1 million (approximately USD150,000) on the PI Processor and up to RMB100,000 (approximately USD15,000) on the responsible personnel, in addition to other penalties such as a warning and confiscation of illegal income. If the violation is considered serious, the fine may be up to RMB50 million (approximately USD7.5 million) or 5 percent of the PI Processor’s annual revenue for the prior year, and up to RMB1 million (approximately USD150,000) on the responsible personnel.
The PIP Law is China’s first national statute dedicated to the protection of personal information and, together with other laws (e.g., the Cybersecurity Law, the Data Security Law and the Civil Code) and regulations, serves as the legal basis for corporate compliance and government enforcement. In recent years, companies in the financial, telecommunications and internet sectors, as well as apps that collect personal information, have been the target of enforcement actions. With the promulgation of the PIP Law, business operators in all sectors need to pay extra attention to their personal information practices.
Multinational corporations with PRC subsidiaries that process personal information and/or transfer it to overseas headquarters and affiliates, and overseas organizations and individuals that collect information directly from individuals in the PRC for the purposes specified in the PIP Law, should follow the development of any CAC rules on CII and cross-border data transfer. The Regulation on the Security Protection of Critical Information Infrastructure requires sectoral regulators of different industries to formulate rules for identifying CIIs within their respective jurisdictions and to notify the operators of the identified CIIs. A business operator that is identified by its sectoral regulator as a CII operator, or whose volume of personal information transferred out of China reaches a threshold to be specified by the CAC, must pass China’s security assessment before any personal information can be transferred out of the PRC. A business operator that is not a CII operator should be aware that cross-border transfer of personal information is allowed if it meets any of the three conditions set forth in Article 38 of the PIP Law, discussed in the section above on Data Localization and Cross-Border Information Transfer.