China: PIPL Overview – Enforcement and individuals' rights: Part three
The National People's Congress of the People's Republic of China ('NPC') announced, on 20 August 2021, the adoption of the Personal Information Protection Law of the People's Republic of China ('PIPL'). In Part 3 of this series, OneTrust DataGuidance discusses individual rights and enforcement.
The PIPL is China's first comprehensive data protection legislation and aims to protect personal information rights and interests, regulate personal information handling activities, and promote the rational use of personal information. The PIPL entered into effect on 1 November 2021.
Similar to Parts 1 and 2 of this three-part series on the PIPL, this article intends to highlight key provisions in the PIPL, focusing on the rights of individuals and the enforcement of the PIPL.
The PIPL provides for a number of rights for individuals whose personal information is handled by controllers.
In general, an individual has the right to know and determine the handling of their personal information, as well as to restrict or reject such processing, except as otherwise provided in laws and administrative regulations.
In this regard, the PIPL establishes additional provisions pertaining to the following rights.
Right to be informed (Articles 17, 18, 30, and 48)
Content of information
Prior to the handling of personal information, the PIPL requires controllers to inform individuals truthfully, accurately, and fully of the following matters in clear and understandable language:
- the name and contact information of the controller;
- the purpose and manner of handling personal information, the type of personal information involved, and the retention period;
- the ways and procedures for individuals to exercise their rights under the PIPL; and
- other matters to be communicated under laws and administrative regulations.
Where a change occurs in the aforementioned matters, controllers are expected under the PIPL to inform the individual of such change.
More generally, where the controller provides the required information by means of rules for the handling of personal information, such rules must be kept public and easily accessible.
Notwithstanding the above, controllers are not required to notify individuals where laws or administrative regulations provide that the personal information must be kept confidential or that notification is unnecessary.
Furthermore, in an emergency where it is not possible to inform the individual in a timely manner because doing so is necessary to protect a natural person's life, health, or the security of their property, controllers must notify the individual promptly once the emergency has been resolved.
Other matters to be notified
Separately, controllers must notify individuals and provide certain information where personal information is transferred to third parties.
In the case of sensitive personal information, in addition to the matters outlined above, controllers must also inform individuals of the necessity of handling such information and of the impact on their rights and interests.
Finally, the PIPL also confers the right of individuals to request an explanation of the rules governing the processing of personal information.
Right of access and data portability (Article 45)
An individual has the right to access and receive a copy of their personal information from a controller, which the controller must provide promptly upon request. However, controllers are exempt from this obligation where laws or administrative regulations provide that the personal information must be kept confidential or that notification is unnecessary.
If the individual requests the transfer of their personal information to a controller they designate, the controller is obliged to provide a means of transfer, provided the request meets the conditions prescribed by the Cyberspace Administration of China ('CAC').
Right to rectification (Article 46)
If an individual discovers that their personal information is inaccurate or incomplete, they have the right to request the controller to correct or complete their information.
The PIPL clarifies that where an individual requests the correction or supplementation of their personal information, the controller is required to verify the personal information and correct and supplement it in a timely manner.
Right to erasure (Article 47)
The PIPL establishes that controllers should actively delete personal information under certain circumstances and, where a controller fails to do so, the individual has the right to request deletion.
These circumstances include:
- the purpose of handling has been achieved, is impossible to achieve, or is no longer necessary for the purpose of handling;
- the controller has ceased the provision of the product or service, or the retention period has expired;
- the individual has withdrawn their consent;
- the handling of personal information violates laws, administrative regulations, or agreements; and
- other circumstances prescribed by laws and administrative regulations.
Nevertheless, if the retention period prescribed by laws or administrative regulations has not expired, or the deletion of personal information is technically difficult to achieve, the controller is instead expected to cease all handling of the information other than storage and the taking of necessary security measures.
Right to withdraw consent (Article 15)
Where the individual consents to the handling of personal information pursuant to Article 13 of the PIPL, the individual has the right to withdraw their consent.
The PIPL stipulates that controllers should provide an easy means of withdrawing consent, and the withdrawal of consent by the individual shall not affect the effectiveness of the handling activities carried out prior to the withdrawal.
Rights of the deceased (Article 49)
Where a natural person dies, the PIPL permits their close relatives to, for their own lawful and legitimate interests, exercise the right to access, correct, and delete the relevant personal information of the deceased, unless otherwise arranged before the death of the deceased.
Procedure requirements (Article 50)
Controllers should establish convenient mechanisms for receiving and handling requests from individuals exercising their rights.
If a request is refused, the reasons thereof must be provided to the individual. In addition, the PIPL confirms that where a controller rejects a request, the individual may file a lawsuit with a People's Court in accordance with law.
Responsible State authorities (Articles 60 to 64)
At the national level, the CAC is responsible for the overall coordination of personal information protection and related supervision and management. Furthermore, the relevant departments of the State Council of the People's Republic of China are also responsible for the protection, supervision, and administration of personal information within their respective areas of responsibility, in accordance with the PIPL and other relevant laws and administrative regulations.
At the local level, such duties of protection, supervision, and administration of personal information are determined in accordance with the relevant provisions of State regulation.
Duties of responsible State authorities
Under the PIPL, responsible State authorities are expected to fulfil the following duties:
- carrying out personal information protection publicity and education, and directing and supervising controllers in carrying out personal information protection work;
- receiving and handling complaints and reports relating to the protection of personal information;
- organising assessments of personal information protection, such as procedures, and publishing the results;
- investigating and handling unlawful handling activities; and
- other duties prescribed by laws and administrative regulations.
Role of the CAC
In addition to the duties outlined above, the CAC is authorised to:
- establish specific rules and standards for the protection of personal information;
- formulate special rules and standards for small-scale controllers, for the handling of sensitive personal information, and for new technologies and applications such as facial recognition and artificial intelligence;
- support the research, development, and application of electronic identification technology, and the establishment of public services for network identity authentication;
- promote the establishment of a personal information protection framework, and support relevant institutions in carrying out Personal Information Protection Impact Assessments and certification services; and
- improve mechanisms for complaints and reporting.
Supervisory authority measures
The PIPL empowers responsible State authorities to take a number of measures against controllers in fulfilling their duties. This includes:
- enquiring of the parties concerned and investigating the circumstances relating to the handling activities;
- inspecting and copying contracts, records, accounts, and other relevant information relating to the handling activities of the parties;
- carrying out on-site inspections to investigate suspected unlawful handling activities; and
- inspecting equipment and articles related to handling activities. Where there is evidence that the equipment and articles have been used to engage in unlawful handling activities, the authority may seal or seize such equipment and articles, subject to the approval of the principal person in charge of the department.
Where a responsible State authority performs its duties in accordance with the law, the parties concerned are obliged to assist and cooperate and may not refuse or obstruct it.
Furthermore, where the responsible State authority finds that handling activities carry significant risks or that a personal information security incident has occurred, it may interview the controller's legal representative or principal person in charge, pursuant to the prescribed authority and procedure, or require the controller to engage a specialised institution to conduct a compliance audit. The controller must then take the required measures to correct the problem or eliminate the risk.
Finally, where a person is in violation of the PIPL and a crime is suspected, the responsible State authority must promptly refer the matter to the public security organs of the People's Republic of China.
Enforcement of the PIPL
The PIPL provides several methods for the enforcement of its provisions. As examined below, the PIPL can be enforced by individuals, organisations, the relevant regulatory authorities, and legally designated consumer protection organisations, among others.
Right to complain (Article 65)
The PIPL states that all organisations and individuals have the right to complain to, or report to, the responsible departments about unlawful personal information handling activities. The department receiving the complaint or report must promptly handle it in accordance with the PIPL and notify the complainant or informant of the outcome.
Administrative penalties (Article 66)
The PIPL stipulates that where personal information is handled in violation of its provisions, or the personal information protection obligations it imposes are not fulfilled, the responsible department may order correction, issue a warning, confiscate unlawful gains, or order the suspension or termination of the services concerned. Where correction is refused, a fine of up to RMB 1 million (approx. €140,520) may also be imposed, and the directly responsible managers and other directly responsible personnel may be fined between RMB 10,000 (approx. €1,400) and RMB 100,000 (approx. €14,050).
Where the circumstances are serious, the responsible department at provincial level or above will order correction, confiscate unlawful gains, and impose a concurrent fine of up to RMB 50 million (approx. €7 million) or up to 5% of the preceding year's turnover. Such departments may also order the suspension of the relevant business, order operations to cease for rectification, or report to the relevant competent department for the revocation of business permits or licences. Finally, directly responsible managers and other directly responsible personnel may be fined between RMB 100,000 (approx. €14,050) and RMB 1 million (approx. €140,520) and may be prohibited, for a set period, from serving as a director, supervisor, senior manager, or person in charge of personal information protection of an enterprise.
Liability for damages (Article 69)
Where the handling of personal information infringes an individual's rights and interests in their personal information and causes harm, the controller is liable to compensate the loss unless it can prove that it was not at fault. Article 69 further provides that the amount of compensation is determined by the loss suffered by the individual or the benefit obtained by the controller and, where neither can be determined, by the People's Court according to the actual circumstances.
Public security sanctions and criminal liability (Article 71)
The PIPL establishes that where a violation of its provisions also constitutes a violation of public security administration, public security administrative sanctions are imposed in accordance with the law, and where the violation constitutes a crime, criminal liability is pursued in accordance with the law.
Legal action (Article 70)
Where controllers violate the PIPL in their handling of personal information and thereby infringe the rights and interests of many individuals, the People's Procuratorate, legally designated consumer protection organisations, and organisations designated by the CAC may file a lawsuit with a People's Court in accordance with the law.
This article highlighted some of the key provisions on individual rights and enforcement in the PIPL. For an overview of key principles and controller obligations, see Parts 1 and 2 respectively.