On August 20, 2021, the long-awaited Personal Information Protection Law of the People’s Republic of China (“PIPL”) was officially adopted by the National People’s Congress Standing Committee after its third reading. The PIPL will take effect on 1 November 2021, leaving organisations less than three months to prepare for this first piece of comprehensive and dedicated personal information protection law in China. The first and second drafts of PIPL were released on 21 October 2020 and 29 April 2021 respectively and you can find the key takeaways of the first draft and main changes introduced by the second draft in our previous newsletters (available here and here).
What are the Key Changes under the Finalised PIPL Compared to the Second Draft?
I. Legal basis of processing and consent
Legal basis of processing
One of the most welcoming changes introduced by the PIPL, which has been reflected in the first and second drafts of the PIPL, is the expansion of the legal basis of personal information processing. Until now, consent has long been the only legal basis of personal information processing under PRC law. The finalised PIPL includes the following seven legal bases of the data processing:
contractual necessity or necessity arising from the human resources management implemented in accordance with the labour rules and regulations of the employer formulated according to the law or collective contracts signed according to law;
compliance with legal responsibilities or obligations;
responding to a public health emergency, or in an emergency to protect the safety of natural persons’ health and property;
processing personal information that is already made public within the reasonable scope and in accordance with the requirements of the PIPL;
for purposes of carrying out news reporting and public opinion monitoring for public interests; and
other circumstances permitted by laws and regulations.
Compared with the second draft, the only substantial change made by the finalised PIPL in relation to legal basis is to add, in the clause of contractual necessity, specific reference to labour governance rules and collective contracts that are made/signed in accordance with laws. The concept of both “labour rules and regulations” (劳动规章制度) of the employer and “collective contracts” (集体合同) can be found in the PRC Labour Law and are embedded with Chinese characteristics. By adding specific references to above labour rules and collective contracts, employers now have a solid legal basis to rely upon for personal information processing in the employment context, although the concept of necessity remains to be defined.
The fifth legal basis above - processing personal information in the public domain - was unfound in the first draft but introduced in the second draft and remains in the finalised PIPL. While the processing is permitted, it should be noted that such processing is not unrestricted and should be conducted within “reasonable scope” and in compliance with the PIPL. Whether this will serve as an effective restriction on practices such as web scraping is currently unclear.
A noteworthy omission is, unlike the GDPR, "legitimate interest" is not included as a legal basis for processing under the final PIPL.
With respect to the consent requirement, the finalised PIPL’s requirements on consent, including what amounts to a valid consent, consent withdrawal and circumstances when new consent is required, remain consistent with previous PIPL drafts (see Deep Dive (2)). In particular, the requirement for “separate consent”, which is a new concept created by the PIPL and unfound in previous PRC data protection regulations and guidance, remain unchanged in the finalised PIPL. Specifically, separate consent is required to be obtained in the following scenarios:
Providing personal information to a third party (article 23);
Public disclosure of personal information (article 25);
Personal information collected by devices installed in public place if used for purposes other than public security (article 26);
Processing of sensitive personal information (article 29); and
Providing personal information of an individual to a party outside the territory of China (article 39).
Similar to previous drafts, “separate consent” is not defined under the finalised PIPL and how this requirement will be implemented by organisations in practice (such as through separate pop-up box) remains to be seen. Compared with the second draft, one difference to be noted is as article 28 of the finalised PIPL now specifically includes personal information of the minor aged under 14 as “sensitive personal information”, and separate consent from minor’s guardian should be obtained before processing their personal information.
II. Cross-border data transfer rules
Compared with the second draft, the finalized PIPL further enhances its international data transfer system by introducing 3 main changes:
First, the PIPL supplements that international treaties or covenants concluded or acceded to by China may prevail where for example their relevant provisions specify conditions on transferring personal information outside China.
In addition, the PIPL further mandates all personal information processors (also called “handlers”, a concept akin to a “controller” under the EU GDPR) ("PI Processors") to adopt necessary measures to ensure that processing activities of foreign recipients satisfy an equivalent level of protection provided in the PIPL.
Echoing the recently-adopted Data Security Law, the PIPL is now aligned on how to handle personal information requests by foreign judicial or law enforcement organs, i.e. personal information stored within China should not be provided to such foreign organs unless approval has been obtained from the competent government authority, who will handle such request in accordance with international treaties or covenants, or under the principle of equality and mutual benefits.
That being said, the previous data localisation requirements introduced since the first draft and the cross-border data transfer mechanisms (see Deep Dive (1)) introduced in the second draft remain applicable in the finalized PIPL. In summary:
Data localisation: All personal information collected and generated in China by Critical information infrastructure operators (“CIIOs”) and organizations processing personal information reaching a certain amount designated by the authority are required to store such information in China.
Cross border transfer restrictions: PI Processors should satisfy one of the following requirements prior to exporting personal information outside of China:
passing security assessment as required for CIIOs and organizations processing personal information reaching a certain amount designated by the authority;
undergoing personal information protection certification conducted by certified institutions;
entering into a standard contract (which is to be formulated by the authority) with the foreign recipient; or
other circumstances provided in laws, regulations or by the authority.
On top of the above, information notice is still required to be provided to, and "separate consent" collected from, data subjects whose personal information will be transferred.
Organizations hoping to assess its compliance with these international data transfer rules now would, nevertheless, likely face a number of hurdles as a result of lack of implementing rules as to, e.g. the threshold “amount” under the data localisation requirement and option 1) of the transfer mechanisms, the to-be-established certification mechanism under the option 2), the remain-to-be-seen “standard contract” which would likely be the most popular approach similar to the standard contractual clauses (“SCCs”) under the GDPR upon its availability. Furthermore, considering the relatively high standard applicable to “separate consent” to transfer, some special privacy-by-design mechanisms (e.g. a pop-up window) may need to be implemented to cater for such need before the effectiveness of the PIPL.
III. Data subject rights
A number of changes are introduced to the final version of the PIPL insofar as data subject rights (see Deep Dive (3)) are concerned:
Deceased’s data subject rights: The much debated data subject rights for the deceased exercisable by close relatives and introduced in the second draft has been significantly changed in the final version. The relevant provision now provides that a close relative may, for his or her own lawful and proper interest, request sight, copy, amendment and erasure of a deceased data subject’s personal information, unless the deceased whilst he or she is alive provides otherwise. Under PRC law, a close relative of a deceased includes his spouse, parents, children, siblings, grand-parents and grand-children. In other words, consistent with international practice, a deceased’s data subject rights lapse when he or she passes away.
Data portability: As previewed in various official press releases, and consistent with international practice, the PIPL also introduces a data portability right for the data subject. The PIPL provides that a data subject has the right to request a PI Processors to have his personal information transferred to another PI Processor provided that such transfer satisfies the requirements of the Cybersecurity Administration of China (“CAC”). The PI Processor then has an obligation to provide a channel for such transfer. It is worth noting that the PIPL has not prescribed what the CAC’s requirements could be.
Redress: The final version of the PIPL has included an additional right for the data subject: if a PI Processor refuses to comply with the request of a data subject, the data subject may seek redress in courts.
Automated decision-making: A data subject’s right relating to automated decision making has been further expanded in the PIPL: the law expressly prohibits unreasonable different treatments on transaction terms, such as payments, by a PI Processor if automated decision making process is used.
IV. Accountability and data governance
The key accountability and data governance obligations as set out in the previous drafts of the PIPL remain unchanged in the final version. These include:
DPO: PI Processors are required to appoint a data protection officer ("DPO") in relation to the processing of personal information exceeding a certain threshold amount – however, the final PIPL still does not prescribe what this threshold amount is, nor any guidance on whether this is a dedicated role, and whether the DPO can be a hired contractor outside of the company.
Local representative: As noted in previous drafts of the PIPL (see Deep Dive (4)), in circumstances when the PIPL applies to organisations on an extra-territorial basis, PI Processors are required to appoint a local representative to handle matters relating to personal information processing, but there is no further guidance on any specific requirements that the local representative must meet.
Data Protection Impact Assessments ("DPIA"), Data Protection Compliance Audits and Certification: The substance of these provisions remain unchanged in the final PIPL. PI Processors should note the specific circumstances when DPIA are required, and must also put in place a process for conducting regular data protection compliance audits (see Deep Dive (4)). Whilst there are various references to promoting the provision of certification services by professional bodies, this is currently only limited in the context of cross border data transfers (see above).
Given that the final PIPL does not provide any further guidance on the details of the above requirements, it is expected that separate implementation rules will be needed before organisations can take concrete steps for compliance.
It is also noteworthy that Article 59 of the PIPL directly imposes obligations on "entrusted parties" (i.e. those who are entrusted by PI Processors for processing of personal information, akin to "data processors" under the GDPR) to adopt necessary measures to protection personal information in accordance with the PIPL, and to assist PI Processors to comply with the same.
V. Data breach/incident notification
Under the final PIPL, the personal information breach/incident notification requirements are broadened in a number of respects, making the notification obligation applicable in circumstances that may not require notifications in other jurisdictions:
Trigger for notification: PI Processors are required to notify relevant personal information protection authorities and data subjects in the event a data incident has occurred, or is likely to occur. This means that in certain circumstances, PI Processors will be required to notify even if a data incident has not yet occurred.
Data incident: A "data incident" that triggers notification is extended beyond circumstances involving loss or unauthorised disclosure of personal information, but also include "tampering" of personal information. This extends the notification obligation to circumstances that do not involve any loss or disclosure of personal information.
When to notify: As with previous drafts of the PIPL, PI Processors are required to notify data incidents "promptly" i.e. there is no specified deadline/time limit for the notification, unlike in some jurisdictions e.g. the EU.
Who to notify: As with previous drafts of the PIPL, notification should be made the data protection authority and affected data subjects although PI Processors may elect not to notify affected data subjects if it determines that it has taken effective measures to prevent harm caused by the data incident (although this determination may be overridden by the data protection authority).
What to notify: A notification should include (i) the types of data affected by the data incident; (ii) the reasons giving rise to the data incident; (iii) the possible harm caused by the incident; (iv) the steps taken by the PI Processor to mitigate the harm arising from the incident; and (v) contact information of the PI Processor.
Unlike the current security incident reporting regime in China (which provides for "graded" notification obligations depending on severity of breach), it appears that the data incident reporting regime under the PIPL has much wider application.
The "PRC GDPR" is finally here, and implementation is imminent! Non-compliance with the PIPL may lead to administrative fines of up to 5% of the annual turnover or RMB50 million (approx. US$7.7 million) and persons directly responsible may also be subject to fines between RMB100,000 (approx. US$15,000) to 1 million (approx. US$154,000) and more significantly, such persons may be prohibited from assuming managerial positions in relevant organisations for a certain period.