China: The PIPL - Frequently asked questions
The Personal Information Protection Law ('PIPL') introduces new requirements for most of the key areas of China's data protection framework. OneTrust DataGuidance answers some of the most commonly asked questions about the PIPL and its provisions.
Does the PIPL have extraterritorial application?
Yes. The PIPL applies extraterritorially where the handling of personal information of natural persons within the People's Republic of China ('PRC') is conducted outside the PRC and the personal information is handled (Article 3(2) of the PIPL):
- for the purpose of providing products or services to natural persons within the territory;
- to analyse and assess the conduct of natural persons within the territory; and
- in other situations, provided for by law or administrative regulations.
Please note that the PIPL will not apply to natural persons handling personal information for personal or family affairs (Article 72(1) of the PIPL).
How can personal data be lawfully transferred outside of the PRC?
The PIPL provides several mechanisms for transferring personal information outside of the PRC (Article 38(1) of the PIPL).
In particular, personal information may be transferred outside of the PRC based on one of the following conditions (Article 38(1) of the PIPL):
- where a security assessment organised by the Cyberspace Administration of China ('CAC') is conducted according to Article 40 of the PIPL;
- after undergoing a personal information protection certification carried out by a specialised institution;
- where the personal information handler has entered into a standardised contract, established by the CAC, with the recipient; or
- under other conditions stipulated by laws, administrative regulations, or the CAC.
In addition, international agreements may be concluded, or acceded to, by the PRC, which may entail further conditions for cross-border transfers (Article 38(2) of the PIPL).
Notably, entities are required at all times to ensure that the activities of the recipient meet the standards set forth in the PIPL (Article 38(1) of the PIPL).
Please see our China – Data transfers Guidance Note for further information on data transfer requirements in China.
Is legitimate interest a lawful basis provided under the PIPL?
The PIPL does not outline the legitimate interest of personal information handlers as a lawful basis for processing personal information.
The PIPL states that personal information handlers can only handle personal information where one of the following circumstances is met (Article 13(1) of the PIPL):
- the individual's consent is obtained;
- as necessary to conclude or perform a contract to which the individual is a party, or as necessary for carrying out human resource management in accordance with lawfully formulated labour rules systems and lawfully concluded collective contracts;
- as necessary for the performance of legally-prescribed duties or obligations;
- as necessary to respond to public health incidents or to protect natural persons' security in their lives, health, and property in an emergency;
- handling personal information within a reasonable range in order to carry out acts such as news reporting and public opinion oversight in the public interest;
- for a reasonable scope of handling of personal information that has been disclosed by the individual or otherwise already legally disclosed in accordance with the PIPL; and
- other situations provided by laws or administrative regulations.
What are the conditions for valid consent under the PIPL?
The PIPL stipulates that consent must be given voluntarily and explicitly by individuals who are fully informed (Article 14(1) of the PIPL). In addition, where laws and administrative regulations provide that independent or written consent must be obtained for the handling of personal information, such provision must be followed (Article 14(1) of the PIPL).
Notably, where there are changes to the purpose or methods of information handling, or to the type of personal information to be handled, consent must be obtained again (Article 14(2) of the PIPL).
Furthermore, individuals have the right to withdraw their consent, and the method for such withdrawal must be convenient and easy (Article 15(1) of the PIPL). The withdrawal of the individuals' consent does not, however, impact the validity of personal information handling activities conducted before the withdrawal (Article 15(2) of the PIPL).
What are the data localisation requirements under the PIPL?
Operators of critical information infrastructure, and entities that handle personal information reaching certain thresholds prescribed by the CAC, are required to store personal information that is collected and generated within the PRC domestically (Article 40 of the PIPL).
Further to the above, where it is necessary to transfer such information overseas, the personal information handler must conduct a security assessment organised by the CAC, unless otherwise exempted by the CAC (Article 40 of the PIPL).
Further clarification from the CAC is expected in relation to thresholds.
When does a data protection officer have to be appointed? And what are their tasks?
The PIPL stipulates that personal information handlers handling personal information in quantities reaching the thresholds provided by the CAC shall appoint a Personal Information Protection Officer ('PIPO'), who is responsible for supervising personal information handling activities as well as the protection measures adopted, etc. (Article 52(1) of the PIPL).
Further to the above, personal information handlers must disclose the methods of contacting the PIPO and report the names and contact methods of the officers to the departments responsible for the protection of personal information (Article 52(1) of the PIPL).
When does a data breach have to be notified? And what must be included in the notification?
The PIPL stipulates that where personal information has been disclosed, altered, or lost, or is likely to be, the personal information handler must immediately take remedial measures and notify the responsible State Authority and the affected individuals (Article 57 of the PIPL). However, notification to affected individuals may not be required where the personal information handler has taken measures which effectively avoid any harm created by the breach, unless otherwise required by the responsible State Authority (Article 57 of the PIPL).
In regard to the contents of the notification, the PIPL specifies that notification should include (Article 57 of the PIPL):
- the personal information handler's contact information;
- the types of personal information involved, as well as the causes and possible risks of the breach; and
- remedial measures taken by the personal information handler and mitigation measures that may be taken by individuals.
What must be included in a privacy notice?
The PIPL establishes that prior to the handling of personal information, personal information handlers must inform individuals truthfully, accurately, and fully of the following matters in clear and understandable language (Article 17(1) of the PIPL):
- the name and contact information of the personal information handler;
- the purpose and manner of handling personal information, the type of personal information involved, and the retention period;
- the ways and procedures for individuals to exercise their rights under the PIPL; and
- other matters to be communicated under laws and administrative regulations.
Moreover, where a change occurs in the aforementioned matters, personal information handlers are expected under the PIPL to inform the individual of such change (Article 17(2) of the PIPL).
Furthermore, where the personal information handler provides the required information by means of rules for the handling of personal information, such rules must be kept public and easily accessible (Article 17(3) of the PIPL).
The PIPL provides an exception to the above, stating that personal information handlers are not required to notify individuals where laws or administrative regulations so provide, or otherwise stipulate that the personal information must be kept confidential (Article 18(1) of the PIPL).
In addition, in an emergency where it is not possible to inform the individual in a timely manner in order to protect an individual's life, health, or the security of their property, the personal information handler should notify the individual promptly after the emergency has been eliminated (Article 18(2) of the PIPL).
Please note that the PIPL details other instances where individuals must be notified of personal information processing including where information is transferred to third parties and the handling of sensitive personal information, among others.
For further information on the right to be informed please see our China – Data Subjects Rights Guidance Note.
When must a vendor contract be put in place? And what must it include?
Where personal information handlers entrust the handling of personal information, they must conclude an agreement with the entrusted person on the purpose, duration, and manner of the entrusted handling, categories of personal information, protection measures, as well as the rights and duties of both sides, etc., and conduct supervision of the personal information handling activities of the entrusted person (Article 21(1) of the PIPL).
In addition, entrusted persons must handle personal information according to the agreement and must not handle personal information beyond the agreed purpose and manner of processing. If the entrusting contract does not take effect, is void, has been cancelled, or has been terminated, the entrusted person shall return the personal information to the personal information handler or delete it, and may not retain it (Article 21(2) of the PIPL).
Please note that without the consent of the personal information handler, the entrusted person may not entrust others to handle the personal information (Article 21(3) of the PIPL).
For further information on vendor management in China please see our China – Vendor Privacy Contracts Guidance Note.
What individual rights are available under the PIPL?
Please note the following rights are provided in the PIPL:
- right to know;
- right to decide relating to their personal information;
- right to consult and copy;
- right to data portability;
- right to correction;
- right to deletion;
- right to withdraw consent; and
- right to request personal information handlers explain personal information handling rules.
To this end, personal information handlers must establish convenient mechanisms for processing applications by individuals exercising their rights (Article 50(1) of the PIPL). In addition, where a request is refused, the reasons must be provided to the individual, and the individual may file a lawsuit with a People's Court in accordance with the law (Article 50(2) of the PIPL).
Finally, in the case of a deceased individual, the PIPL permits their close relatives, for their own lawful and legitimate interests, to exercise the rights to access, correct, and delete the relevant personal information of the deceased, unless otherwise arranged by the deceased before their death (Article 49 of the PIPL).
For further information on individual rights please see our China – Data Subjects Rights Guidance Note.
Are there special requirements for the processing of minors' data?
In relation to the personal information of minors, the PIPL stipulates that those handling the personal information of minors under the age of 14 online must obtain the consent of the minors' parents or other guardians. In addition, special rules for the handling of such data must be developed (Article 31 of the PIPL).
Furthermore, the PIPL classifies minors' data as sensitive data (Article 28 of the PIPL).
What constitutes sensitive data in the PIPL?
Sensitive personal information refers to personal information that, once leaked or illegally used, may easily cause harm to the dignity of natural persons or grave harm to personal or property security, including information on biometric characteristics, religious beliefs, specially designated status, medical health, financial accounts, individual location tracking, etc., as well as the personal information of minors under the age of 14 (Article 28 of the PIPL).
Are there record keeping requirements in the PIPL?
The PIPL provides that personal information handlers must record processing activities in the following scenarios (Article 55 of the PIPL):
- when handling sensitive personal information;
- when making use of personal information in automated decision-making;
- when entrusting the handling of personal information, or otherwise disclosing the same, to other entities;
- when transferring personal information overseas; or
- other handling activities that have a significant impact on the interests of individuals.
The PIPL clarifies that records of processing should be kept for at least three years (Article 56 of the PIPL).
What are the requirements for internet service platforms in the PIPL?
The PIPL provides that personal information handlers providing significant internet platform services, with a large number of users and a complex business model, are subject to the following requirements:
- to establish compliance systems and structures for the protection of personal information in accordance with the State regulations, as well as an independent body to supervise the protection of personal information;
- to comply with principles of openness, fairness, and justice, establish rules for the platform, and clarify standards for the handling of personal information by product or service providers within the platform and the obligation to protect personal information;
- to stop providing services to product or service providers on the platform that seriously violate laws and administrative regulations; and
- to issue periodic reports on social responsibility and accept social supervision.
Does the PIPL provide requirements for the processing of employee data?
The PIPL does not explicitly address the processing of personal information in the employment context.
Keshawna Campbell, Lead Privacy Analyst