Data protection law in China

Chinese laws on data privacy and security issued in 2021 include the Personal Information Protection Law (PIPL), which came into effect in November 2021. It gives Chinese data principals new rights as it seeks to prevent the misuse of personal data. The Data Security Law (DSL), which came into force in September 2021, requires business data to be categorized by level of importance and puts new restrictions on cross-border transfers.

These regulations will have a significant impact on how companies collect, store, use and transfer data, but are essentially focused on giving the government overreaching powers to collect data and to regulate private companies that collect and process information.

China’s PIPL is deemed to be “similar” to the EU’s GDPR in that it gives Chinese consumers the right to access, correct, and delete their personal data gathered by businesses, but it also notably affects offshore data processors that deliver goods and services to, or analyse, individuals in China.

Applicability

The PIPL applies not only to organizations and individuals who process personally identifiable information (PII) in China, but also to those who process the PII of Chinese citizens outside of China.

Definitions

Personally Identifiable Information (PII)

All kinds of information relating to identified or identifiable natural persons which is recorded by electronic or other means, excluding any anonymized information. PII includes Critical Information Infrastructure (CII) and Sensitive Information (SI).

Critical Information Infrastructure (CII)

Information which will result in serious damage to state security, the national economy and the people's livelihood and public interest if it is destroyed, loses functions or encounters data leakage.

Sensitive Information (SI)

Information that, once leaked or illegally used, may lead to personal discrimination or material harm to personal or property security, including race, ethnicity, religious beliefs, individual biometric features, medical health, financial accounts, individual location tracking and other information.

An individual’s consent refers to consent which is given voluntarily and unambiguously by the individual who has been fully informed. Where the laws and regulations require separate or written consent for processing personal information, such requirement shall be complied with. Obtaining individuals’ consents is one of the legal bases for processing personal information.

When there is any change to the processing purpose, the means of processing or the categories of personal information, consent shall be obtained again. If the processing of publicly disclosed personal information has a serious impact on the rights and interests of individuals, the individuals’ consent shall be obtained.

Processors of personal information shall obtain separate consents from individuals in the following situations: when

  • providing personal information to other processors of personal information;
  • publicising personal information;
  • processing sensitive personal information;
  • personal images and identification information collected in public venues are used for purposes other than public security; and
  • transferring personal information out of the Mainland.

When processing personal information belonging to a minor under the age of 14, processors of personal information shall obtain the consent of his or her parent or guardian.

Impact

  • Data subjects are given more rights over the use of their own data. They can request to edit, remove, restrict the use of their data, or withdraw consent given previously.
  • More stringent requirements on data sharing and data transfer; your organization and any third-party joint data controllers may need to pass data-related assessments.
  • Penalties and fines on organizations for data breaches, including increased fines (up to 50 million RMB), revenue confiscation (up to 5% of annual revenue) and business cessation.
  • Mandatory security controls to be applied when storing and processing PII, and training to be provided to the responsible personnel who handle the PII.
  • Mandatory data localization when the amount of PII exceeds the threshold set by the Cyberspace Administration of China (CAC).

Penalties

The following impacts and penalties may result if PII processors fail to comply with the requirements stipulated in this law:

  • Confiscation of unlawful income
  • Issuance of a warning
  • A fine of up to 50,000,000 RMB or 5% of annual revenue
  • Suspension of related business activities
  • Cessation of business for rectification
  • Cancellation of professional licenses or business permits
  • An additional fine of up to 1,000,000 RMB if correction is refused

When PII rights and interests are infringed, PII handlers need to compensate the individuals for:

  • the loss the individuals suffered
  • the benefit obtained by the PII handler(s)

Differences from the GDPR

While there are many similarities between the PIPL and the GDPR, the PIPL diverges from the EU’s data privacy law in a number of ways that may make it stricter than the GDPR. For one, the PIPL does not provide a “legitimate interest” processing basis, which is the most flexible of the GDPR’s six legal bases for processing personal data. Under the GDPR, companies are allowed to process personal data as long as the data was collected legally and with a justifiable basis.

With this legal basis noticeably missing from the PIPL, companies that do business in China must obtain an individual’s consent before handling their personal information unless their reason fits into one of the six exceptions delineated. The last exception states that parties can handle personal information without an individual’s consent when there are “other circumstances provided in laws and administrative regulations.” However, it remains unclear under what circumstances companies will be eligible for this exception. This may give the Chinese government more flexibility and authority to either broaden or narrow the scope of the PIPL as they wish in the future.

Moreover, unlike the GDPR, the PIPL also has a strong data localization provision, requiring that personal information reaching certain quantities be stored within China and that transfer of such data overseas be subject to a security assessment by the Cyberspace Administration of China prior to transfer. The PIPL does not specify the quantity threshold, nor does it provide more information on the nature of the security assessment and its evaluative components.

Another notable difference from the GDPR is the penalties set by the PIPL. The GDPR sets a maximum fine of 20 million Euros (22.6 million USD), or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher. The PIPL imposes a maximum fine of up to 50 million Yuan (7.8 million USD), or 5% of the annual revenue of the preceding financial year. Importantly, the PIPL does not specify whether the “annual revenue” in its provisions refers to worldwide turnover, as in the GDPR, or to annual revenue in China only.