China: Operationalising PIPL Part three: Consent and lawful processing

The Personal Information Protection Law ('PIPL') will become effective on 1 November of 2021, which makes data protection compliance a focus for organisations operating in China, especially in relation to the lawfulness of processing and consent. Not just organisations who have never had a data protection compliance program, but also those organisations whose operations are already aligned with the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), will have to address the lawfulness of their processing under the PIPL. Dehao Zhang, Counsel at Fieldfisher China, discusses this area of the PIPL and its nuances.


Lawfulness of processing under the PIPL

Article 13 of the PIPL provides seven legal bases for the processing of personal information (although it may be more accurate to say six legal bases, with the seventh being a kind of miscellaneous provision), namely:

  • the consent of the data subject;
  • where the processing is necessary for performance of a contract with a data subject, internal employment rules/policies, or a collective contract in accordance with the laws and regulations;
  • where the processing is necessary for performance of legal duties or compliance with legal obligations;
  • where the processing is necessary to respond to public health incidents, or to protect the life, health, and property safety of natural persons in an urgent situation;
  • where the processing is necessary for the public interest to carry out the news report and public opinion supervision within a reasonable scope;
  • when processing personal information which is publicly disclosed by the individual himself or herself, or by other persons legally, within a reasonable scope; and
  • other provisions required by the laws and regulations.

Overall, while some of these legal bases will be familiar to those acquainted with the GDPR, others will be less so.

Consent and 'standalone consent'

According to Article 14 of the PIPL, consent should be freely given, express, and fully informed. Furthermore, Article 15 of the PIPL provides that consent should be withdrawable where the processing is based on consent. To this end, the personal information processor must give the data subject an easy way to withdraw their consent.

Prior to the PIPL, no law indicated that consent should be express, nor provided that it should be withdrawable, although rules relevant to apps do require express consent to privacy notices. However, there is no clear requirement for consent to be specific under the PIPL, differing from the GDPR on this point. Thus, although consent is withdrawable at any time, if the consent is not specific, the right to withdraw may not be exercisable in practice, since the data subject cannot withdraw consent to one element of a general consent form. At any rate, we will in practice see consent become commonplace as a legal basis under the PIPL, since most organisations will choose to rely on consent to process personal information.

Under Article 14 of the PIPL, in certain scenarios, standalone or separate consent should be obtained. According to the requirements of the PIPL, in cases of personal information sharing, sensitive personal information processing, public disclosure of personal information, and cross-border data transfers, the personal information processor should obtain standalone consent. For standalone consent, the standard is higher than for general consent.

Legitimate interest

Unlike the GDPR, legitimate interest is not a legal basis under the PIPL. As such, some GDPR-ready companies will need to reassess the appropriate legal basis where they currently process personal information on this basis.

Under Recital 47 of the GDPR, the processing of personal data strictly necessary for the purposes of preventing fraud can constitute a legitimate interest of the data controller. However, under the PIPL, the relevant legal basis in this scenario would be a legal obligation or the protection of the life, health, and property safety of natural persons. Similarly, while the processing of personal data for direct marketing purposes may be carried out on the legal basis of legitimate interest under the GDPR, under the PIPL the relevant legal basis would be consent.

Further to the above, under Recital 48 of the GDPR, controllers that are part of a group of undertakings or institutions affiliated to a central body may rely on the legal basis of legitimate interest in transmitting personal data within the group of undertakings for internal administrative purposes, including the processing of client or employee personal data. Under the PIPL, a personal information processor may instead rely on the legal basis of necessity for the performance of a contract with a data subject, internal employment rules/policies, or a collective contract in accordance with the laws and regulations. However, with regard to client information under the PIPL, this may not be possible on the above basis in some scenarios, and it will be necessary to clarify what has been done by the personal information processor.

Under Recital 49 of the GDPR, the processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security constitutes a legitimate interest of the data controller concerned. Under Chinese law, ensuring network and information security may constitute an obligation for personal information processors under the Cybersecurity Law and the Data Security Law, and may also invoke the purpose of protecting the property of a natural person.

Employment rules and policies

The PIPL has expanded the basis of the performance of a contract to include internal employment rules and collective contracts in accordance with Chinese labour laws. Thus, an organisation processing employee personal information for the purpose of internal anti-corruption inspections or internal compliance audits can rely on this basis only if the organisation has such internal employment rules or policies in place. This differs from the GDPR, which provides that such processing activities may constitute a legitimate interest of the data controller.

Publicly disclosed information

The PIPL has provided a legal basis separate from consent for information publicly disclosed by the data subject, which does not exist under Article 6 of the GDPR (although a similar legal basis is provided under Article 9 of the GDPR). Processing publicly disclosed information, or information which has been disclosed by other persons legally, within a reasonable scope will be lawful; however, under Article 27 of the PIPL, the data subject whose information has been disclosed publicly and legally can object to the processing. Where a personal information processor processes publicly disclosed information in a way that has a significant impact on personal rights and interests, the personal information processor must obtain consent. Furthermore, if the processing has a significant impact on personal rights and interests, the personal information processor must conduct a Personal Information Protection Impact Assessment under Article 55 of the PIPL.

Conclusion

Organisations must conduct detailed data mapping to analyse the purposes of processing and the categories of data involved, and assess the applicable legal bases under the PIPL, especially organisations whose privacy program is strictly aligned with the GDPR. Although there is no requirement to disclose the legal bases in the privacy notice or privacy policy under Articles 17 or 30 of the PIPL, processing activities in China must be based on one of the legal bases under the PIPL; otherwise, the processing will not be lawful and will violate the PIPL in a direct and serious manner.

Dehao Zhang Counsel
[email protected]
Fieldfisher China, Beijing