China Enacts Personal Information Protection Law: What Multinational Companies Need to Know | Pillsbury Winthrop Shaw Pittman LLP


Definitions of Personal information (PI), PI Processing and PI Processor

Under the PIP Law (Article 4), personal information is defined as “all kinds of electronic or otherwise recorded information related to an identified or identifiable natural person”. This definition mirrors and further expands the term as defined under the Cybersecurity Law and the Civil Code of the PRC, namely “the various types of electronic or otherwise recorded information that can be used separately or in combination with other information to identify the natural person, not including information after anonymization.”

The processing of personal information includes the collection, storage, use, processing, transmission, provision, disclosure, deletion, etc. of personal information.

A personal information processor (PI Processor) is defined as “an organization or individual that autonomously determines the purpose and means of processing during personal information processing activities”. Where two or more PI Processors jointly decide on the purpose and means of processing personal information, they shall agree on the rights and obligations of each party. However, such an agreement must not restrict an individual from exercising his or her rights against any of the joint PI Processors. Where PI Processors jointly processing personal information infringe personal information rights and interests and cause damages, they shall bear joint liability according to the law.

Scope of Application & Extraterritorial Application

The PIP Law primarily applies to the activities of processing personal information of natural persons within the PRC.

If the PRC subsidiary of an overseas company collects and processes personal information of natural persons in the PRC and shares such information with its headquarters, affiliates or other unrelated third parties outside the PRC, such collection, processing and transferring of information are subject to the Chinese PIP Law.

If an overseas company directly collects personal information from natural persons in the PRC and processes such information outside of the PRC, such activities are also subject to the PIP Law, if any of the following circumstances exist:

  1. The purpose of processing personal information is to provide products or services to natural persons within the PRC;
  2. The processing of personal information is to analyze and assess the activities of natural persons within the PRC; or
  3. Other circumstances specified by laws or administrative regulations.

As such, a PI Processor under the PIP Law covers both (i) a PRC-incorporated entity or an individual in the PRC (Onshore PI Processor), and (ii) an overseas entity or an individual outside of the PRC (Offshore PI Processor).

For any Offshore PI Processor, Article 53 of the PIP Law requires it to establish a designated office or appoint a representative in the PRC to handle personal information protection matters and submit the name and contact information of such office or representative to the regulatory authority. How this article will be enforced remains to be seen.

Principles for Processing Personal Information

Article 5 to Article 9 of the PIP Law set forth the principles that shall be followed by a PI Processor throughout the entire life cycle of personal information processing activities. These principles include:

  1. The principle of legality, propriety, necessity and sincerity: a PI Processor is prohibited from processing personal information in misleading, swindling, coercive or other such ways.
  2. The principle of clarity, relevance and minimum impact: a personal information processing activity must have a clear and reasonable purpose and must be directly related to the purpose of processing and use a method with minimum impact on individual rights and interests.
  3. The principle of minimum degree: The collection of personal information must be limited to the minimum degree for realizing the purpose of processing, and excessive collection of personal information is prohibited.
  4. The principle of openness and transparency: a PI Processor must disclose the rules for processing personal information and clearly indicate the purpose, method, and scope of processing.
  5. The principle of accuracy and completeness: a PI Processor must ensure the quality of personal information and avoid adverse effects on individual rights and interests from inaccurate or incomplete personal information.
  6. The principle of security: a PI Processor is responsible for its personal information processing activities and must adopt necessary measures to safeguard the security of the personal information it processes.

General Rules for Processing Personal Information

The PIP Law sets forth general rules for processing personal information in Chapter 2, which apply to both Onshore PI Processors and Offshore PI Processors. We address a few important rules for personal information processing below.

1. Individual Consent and Other Legal Basis for Processing

Based on Article 13 of the PIP Law, a PI Processor may process personal information on any of the following legal bases:

  1. The PI Processor has obtained consent from the individual;
  2. Processing personal information is necessary to enter into or perform a contract to which the individual is a party, or is necessary for the implementation of human resource management in accordance with the labor rules and regulations established in accordance with the law and the collective contract signed in accordance with the law;
  3. Processing personal information is necessary to perform legal duties or legal obligations;
  4. Processing personal information is necessary to respond to a public health emergency or to protect life, health and property safety of a natural person in an emergency;
  5. Processing personal information to a reasonable extent is necessary for the purpose of carrying out news reporting and public opinion monitoring for public interests;
  6. Processing personal information disclosed by individuals or processing other legally disclosed personal information within a reasonable scope is necessary and in accordance with the provisions of the PIP Law;
  7. Other circumstances specified by laws and administrative regulations.

Except for scenarios under item (2) through item (7) above, where individual consent is not required, a PI Processor must obtain consent from an individual in processing any personal information.

2. Notice and Consent

Where the processing of personal information is based on individual consent, the consent shall be made voluntarily and expressly by an individual with full knowledge. A separate consent or a written consent must be obtained where required by laws and administrative regulations.

Prior to processing any personal information, a PI Processor must explicitly notify individuals truthfully, accurately and completely of the following items using clear and easy-to-understand language:

  1. The name and contact information of the PI Processor;
  2. Purpose and means of processing, categories of personal information to be processed, and retention period;
  3. Means and procedures for an individual to exercise rights under this law;
  4. Other items that laws or administrative regulations provide shall be notified.

Where any of the above items changes, the PI Processor must inform individuals of such changes. Where any of (i) the purpose of processing, (ii) the means of processing, or (iii) the categories of personal information to be processed changes, the PI Processor must obtain individual consent again.

A PI Processor must not refuse to provide products or services on the grounds that an individual does not give consent to the processing of his or her personal information or withdraws his or her consent, except where the processing of personal information is essential for providing the products or services.

3. Entrusted Processing

In practice, a PI Processor may entrust a third-party service provider to collect and process personal information. According to Article 21 of the PIP Law, the entrusting party should conclude an agreement with the entrusted party on the purpose for entrusted processing, the time limit, the means of processing, the categories of personal information to be processed, protection measures, as well as the rights and duties of both parties, etc., and conduct supervision of the personal information processing activities of the entrusted party.

Data Localization and Cross-Border Information Transfer

A key concern for many multinational companies with business in the PRC is the rules on cross-border information transfer.

Article 38 of the PIP Law provides that if a PI Processor has business or other needs to transfer personal information outside of the PRC, it must fulfill at least one of the following conditions:

  1. Pass a security assessment administered by the Cyberspace Administration of China (CAC) in accordance with Article 40 of the PIP Law.

    According to Article 40, the operators of Critical Information Infrastructure (CII) and processors that transfer a certain volume of personal information (to be specified by the CAC) must locally store personal information collected and generated in the PRC and must undergo a security assessment if cross-border transfer is necessary, unless such security assessment is not required by laws, administrative regulations and CAC rules. “Critical Information Infrastructure” refers to important network infrastructure and information systems in public telecommunications, information services, energy sources, transportation and other critical industries and domains, in which any destruction or data leakage would have a severe impact on national security, the nation’s welfare, the people’s livelihood and public interests.

  2. Undergo personal information protection certification with a professional institution in accordance with the applicable CAC rules.
  3. Enter into a contract with the offshore recipient in accordance with the standard contract published by the CAC, which specifies the rights and obligations of both parties.
  4. Other condition(s) to be specified by laws, administrative regulations or CAC rules.

It is likely that most PI Processors would prefer to choose to meet item (3) since it does not involve a CAC security assessment or certification by a professional institution, which may take time and incur additional cost. Item (3) is more likely to be chosen if the Onshore PI Processor and the offshore recipient are affiliated companies or have an entrustment agreement for processing personal information. The CAC has not yet published any template of such a standard contract. Once the standard contract is published, business operators that have a need to transfer personal information outside the PRC should update their existing data sharing agreement or data transfer agreement to make it consistent with the CAC standard template.

In addition, Article 39 requires the PI Processor to notify each individual of at least the following information in case of any cross-border transfer of personal information: the identity and contact information of the offshore recipient; the purposes and means of processing; the categories of personal information to be transferred; and the means and procedures for an individual to exercise rights under this law against the offshore recipient. Furthermore, the PI Processor must obtain a separate consent from each individual for such cross-border transfers.

Based on Article 55 of the PIP Law, a PI Processor is also required to conduct a personal information protection impact assessment prior to transferring any personal information overseas. Such impact assessment must include (i) whether the purpose and means of processing are legal, justified and necessary, (ii) the impact on, and security risks to, individual rights and interests, and (iii) whether the protective measures adopted are legal, effective and commensurate with the security risks. Any such impact assessment report and record of processing shall be kept for at least three years.

Similar to other recently published laws (e.g., the Export Control Law) and regulations (e.g., the Provisions on Unreliable Entity List), Article 42 of the PIP Law also contemplates a “blacklist” to which the CAC has the power to designate Offshore PI Processors conducting personal information processing activities that infringe the personal information rights and interests of PRC citizens, or that endanger the national security or public interest of the PRC. PI Processors will be prohibited or restricted from transferring personal information to parties on the blacklist.

In addition, Article 43 of the PIP Law provides that if any country or region imposes any prohibitive, restrictive or other similar measures in a discriminatory manner against the PRC with respect to personal information protection, the PRC may, based on actual circumstances, take corresponding measures against said country or region.

Sensitive Personal Information

Sensitive personal information is defined under the PIP Law as personal information whose leakage or unlawful use may lead to discriminatory treatment or serious damage to personal or property safety, including race, ethnicity, religious beliefs, personal biometrics, medical health information, financial accounts, personal whereabouts, etc., as well as the personal information of minors younger than 14 years old.

The PIP Law imposes more restrictions on the processing of sensitive personal information. A PI Processor may only process sensitive personal information if (i) it has a specific purpose, (ii) such processing is sufficiently necessary, and (iii) the PI Processor has adopted strict protection measures. Separate consent, or written consent where required by laws or administrative regulations, must be obtained from the individuals before processing sensitive personal information. A PI Processor is also required to inform individuals of the necessity of processing sensitive personal information and of the impact on their rights and interests.

Legal Liability

The PIP Law imposes a fine of up to RMB1 million (approximately USD150,000) on the PI Processor and up to RMB100,000 (approximately USD15,000) on the responsible personnel in case of a violation of the law in addition to other penalties, such as warning and confiscation of illegal income. If the violation is considered serious, the fine may be up to RMB50 million (about USD7.5 million) or 5 percent of the PI Processor’s annual revenue for the prior year and up to RMB1 million (approximately USD150,000) on the responsible personnel.

Our Observations

The PIP Law is China’s first national statute on protection of personal information which, together with other laws (e.g., Cybersecurity Law, Data Security Law and Civil Code) and regulations, serves as the legal basis for corporate compliance and government enforcement. In recent years, companies in the financial industry, telecommunications and internet sectors and apps collecting personal information have been the target of enforcement actions. With the promulgation of the PIP Law, business operators in all sectors need to pay extra attention to their personal information practices.

For multinational corporations that have subsidiaries in the PRC that process personal information and/or transfer personal information to overseas headquarters and affiliates, and for overseas organizations and individuals that collect information directly from individuals in the PRC for purposes specified in the PIP Law, it is suggested that these companies follow the development of any CAC rules on CII and cross-border data transfer. The Regulation on the Security Protection of Critical Information Infrastructure requires that sectoral regulators of different industries formulate rules to identify CIIs within their respective industrial jurisdictions and notify operators of the identified CIIs. If a business operator is identified by its sectoral regulator as a CII operator, or if the volume of personal information it transfers out of China reaches the threshold to be specified by the CAC, it must pass China’s security assessment before any personal information can be transferred out of the PRC. If it is not a CII operator, it should be aware that cross-border transfer of information is allowed if it meets any of the three criteria set forth in Article 38 of the PIP Law, discussed in the section above on Data Localization and Cross-Border Information Transfer.

In light of these new developments on personal information protection, we will gladly assist multinational and domestic companies in reviewing their privacy policies and current personal information processing practices to ensure compliance, and we will closely monitor further developments in the implementing rules and enforcement actions under the PIP Law and keep our clients updated.
