In this five-part series, we examine several facets of the Personal Information Protection Law of the People’s Republic of China, which came into force Nov. 1, after two rounds of public consultation.
The drafting of the PIPL was heavily influenced by the EU General Data Protection Regulation, and follows GDPR closely in many areas. However, it has distinct features, scope and exclusions that global companies need to understand.
A key threshold distinction between the GDPR and the PIPL relates to nomenclature. The GDPR applies to “personal data” and its “processing” and its principal obligations apply to “data controllers.” The PIPL uses Chinese terms best translated into English as “personal information,” “handling” of PI, and PI “handlers” to refer to what are essentially the same concepts. Throughout this series, we use the latter English terms to discuss the PIPL.
Scope
The PIPL applies broadly to the handling of PI of natural persons that is undertaken within China. It also has extraterritorial reach. Article 3 provides that the PIPL also applies to the handling outside China of PI of natural persons in China under any of the following circumstances:
- Where the purpose is to provide products or services to natural persons in China.
- Where the behavior of natural persons in China is analyzed and evaluated.
- Other circumstances stipulated by laws and administrative regulations.
For the moment, no guidance has been provided as to the precise scope of this language. It remains uncertain, for example, whether an online company based outside China becomes subject to the PIPL merely because it allows a Chinese resident to register an account, or only when its services are actively marketed to Chinese residents.
Article 53 of the PIPL provides that if a company or individual outside China engages in data-handling activities that fall within the ambit of the PIPL, it must establish a presence in China or designate a representative to assume responsibility for PI protection and report their name and contact information to the competent authority. Associated reporting procedures have yet to be put in place.
Article 72 specifies that the PIPL does not apply to the handling of PI undertaken by natural persons for personal or household matters. It also includes language evidencing an intention to exclude from the ambit of the PIPL the handling of PI for statistical or archival purposes organized and implemented by government agencies.
Personal information/sensitive personal information definitions and distinctions
Following the definition of “personal data” under GDPR, Article 4 of the PIPL defines PI broadly as information related to an identified or identifiable natural person that is recorded electronically or by other means, excluding anonymized information.
The PIPL also broadly follows the approach under GDPR when defining and providing enhanced protections for sensitive PI. Article 28 of the PIPL defines sensitive PI as PI the disclosure or illegal use of which may easily lead to the infringement of an individual’s personal dignity or harm to their person or property. The PIPL offers as examples: information about biometrics, religious beliefs, “specific identity” (a term that may cover personal attributes such as ID number and other personal identification, gender identity and sexual preferences), medical health, financial accounts, whereabouts and any PI relating to minors under the age of 14.
The PIPL imposes additional requirements on the handling of sensitive PI:
- A PI handler must have a specific purpose and establish sufficient necessity before handling sensitive PI and must adopt “strict” (but as yet undefined) protective measures (Article 28).
- Where the handling of sensitive PI is based on consent, the PI handler must obtain the individual’s “separate consent,” unless laws or administrative regulations require that written consent be obtained (Article 29).
- The handling of sensitive PI is also subject to a heightened transparency requirement. In addition to the general notice requirement applicable to any handling of PI, Article 30 provides that individuals must be informed about the necessity of any handling of sensitive PI and the impact on the individual’s rights and interests.
- PI handlers must conduct a data privacy impact assessment and create a record of processing when handling sensitive PI (Article 55).
Legal bases for handling
Prior PRC laws rely on consent as being the most important basis for data handling. Article 13 of the PIPL, however, adopts the overall approach of the GDPR and provides for various permissible bases for handling. These include:
- Consent: The individual has voluntarily and clearly given informed consent.
- Contract/HR administration: The handling is necessary for the conclusion or performance of a contract to which the individual is a party, or is necessary for the implementation of human resources administration in accordance with lawfully formulated employment policies and rules and a lawfully concluded collective agreement.
- Statutory duties or obligations: The handling is necessary to perform statutory duties or obligations.
- Public health emergencies or vital interests: The handling is necessary to respond to public health emergencies, or to protect the life, health and property of natural persons in emergency situations.
- Public interests: The handling is for public interests such as news reporting or “public opinion supervision” and is within a reasonable scope.
- Public information: The PI being handled has been lawfully disclosed to the public and the handling is within a reasonable scope.
Notably absent from the PIPL is any legal basis comparable to “legitimate interests” under GDPR. Without that basis, consent is likely to remain a more central requirement under the PIPL than under the GDPR. Nonetheless, Article 13 includes catch-all language allowing PI handling in “other circumstances stipulated by laws and administrative regulations,” leaving scope for regulators to provide for other legal bases in the future, potentially including a basis similar to “legitimate interests.”
In recognition of the absence of a broad “legitimate interests” basis under the PIPL, the drafters most likely added HR administration as a basis for handling PI late in the drafting process to address concerns among employers.
Protections for minors
The PIPL provides numerous protections for minors under the age of 14.
Under Article 31, consent of the parent or guardian of a minor is required for the handling of the PI of a minor and a PI handler that handles the PI of minors must have separate rules for doing so.
As noted above, the PIPL also designates all PI of minors as sensitive PI, with the result that the PI of a minor is subject to enhanced protections and greater limitations on the scope of permissible handling.
Consent and separate consent
Consent under the PIPL must be voluntarily given and demonstrated by a clear action of the individual based on complete information. In the event of any change in the purpose or method of PI handling, or the types of PI handled, a new consent must be obtained (Article 14).
Where consent is the legal basis for PI handling, the PI handler is required to provide individuals with a convenient method to withdraw consent (Article 15). No specific procedural requirements are provided under the PIPL, but draft implementing regulations issued for public comment in November 2021 contemplate a timeline of fifteen business days from receipt for a PI handler to act on a request to withdraw consent and respond to the individual.
The PIPL requires a higher level of consent — separate consent — for the handling of certain categories of PI, including cross-border data transfers (Article 39), data sharing with another PI handler (Article 23), handling of sensitive PI (Article 29), making PI public (Article 25), and using personal images and identification information collected by image collection and personal identification equipment in public places for purposes other than public safety (Article 26). The PIPL drafters settled on the concept of separate consent after a prior non-binding PI protection standard had contemplated borrowing from GDPR and using “explicit” consent as a second, higher standard for consent.
Separate consent is not well defined in the PIPL, but available guidance suggests that the consent needs to specifically relate to the relevant purpose, must be based on disclosure as to that purpose, and not be bundled into a privacy policy covering multiple processing activities. For consent to be viewed as “separate,” a separate opt-in checkbox, separate pop-up window, or similar mechanism may be required. Additional guidance from regulators may be needed before market best practices associated with separate consent evolve.
Notably, the requirements for separate consent provided for in the relevant articles of the PIPL only appear to apply when consent is the relevant basis for the handling of PI under Article 13. The prevailing view, which is still subject to debate, seems to be that if a specific basis under Article 13 other than consent is being relied upon for the handling of PI, separate consent is not required.
Conclusion
The implementation schedule for the PIPL is unusually brisk. Companies should anticipate further guidance on the interpretation of relevant PIPL provisions, such as those applicable to the handling of sensitive PI and those relevant to consent and separate consent requirements. It will be important for relevant companies to monitor developments in China closely.