China: PIPL overview – Ensuring compliance: Part two
The National People's Congress of the People's Republic of China ('NPC') announced, on 20 August 2021, the adoption of the Personal Information Protection Law of the People's Republic of China ('PIPL'). In Part 2 of this series, OneTrust DataGuidance discusses the controller obligations which are key to ensuring compliance.
The PIPL is China's first comprehensive data protection legislation and aims to protect personal information rights and interests, regulate personal information handling activities, and promote the rational use of personal information. The PIPL entered into effect on 1 November 2021.
As with Part 1 of this three-part series on the PIPL, this article highlights key provisions of the PIPL, focusing on the obligations controllers must meet in order to comply with it.
Outsourcing and vendor management
Joint controllers (Article 20)
Where two or more entities jointly determine the purpose and manner of personal information handling, the PIPL stipulates that these entities should agree on their respective rights and obligations.
Nevertheless, it should be noted that such agreements do not affect individuals' exercise of their rights, and joint controllers may be held jointly and severally liable for violations of the PIPL.
Processors (Article 21)
The PIPL outlines several obligations when outsourcing or entrusting handling activities to processors and third parties. In particular, by way of an agreement, the controller should stipulate: the purpose, duration, and manner of the handling; the type of personal information involved; any protection measures; and the rights and obligations of both parties.
In turn, the processor must handle personal information in accordance with the agreement and must not go beyond the agreed purpose and manner. Where the agreement is void or invalid, or has been terminated, the PIPL clarifies that the processor may not retain the personal information and must either return it to the controller or delete it.
Personal information protection programme (Article 51)
As part of their duties under the PIPL, controllers are expected to implement a number of measures to ensure that handling activities comply with laws and regulations and to prevent unauthorised access to, and the disclosure, tampering or loss of, personal information. Such measures should be proportionate to the controller's specific operations and to the risk involved, and include:
- developing an internal management system and operating procedures;
- classifying and managing personal information;
- adopting appropriate security measures, such as encryption and de-identification;
- reasonably determining operational permissions for personal information handling (i.e. which staff may access and handle which personal information), and regularly conducting security education and training for employees;
- formulating security incident response plans; and
- other measures provided in law or regulations.
Designating representatives (Articles 52 and 53)
The PIPL requires controllers that handle personal information in quantities reaching the thresholds prescribed by the Cyberspace Administration of China ('CAC') to appoint a person in charge of personal information protection, responsible for supervising handling activities and the protection measures adopted.
Separately, foreign controllers must establish a dedicated entity or designate a representative within the People's Republic of China ('PRC') to deal with matters relating to the protection of personal information.
The contact details of the person in charge of personal information protection must be publicly disclosed, and the name and contact details of that person or, in the case of foreign controllers, of the designated entity or representative, must be reported to the State authority responsible for personal information protection.
Auditing, assessing risk, and record-keeping (Articles 54 to 56)
Controllers are obliged to conduct regular compliance audits of their handling operations in accordance with laws and administrative regulations.
Under the PIPL, controllers are also required to conduct a prior Personal Information Protection Impact Assessment ('PIPIA'), as well as record the processing activities, in the following scenarios:
- when handling sensitive personal information;
- when making use of personal information in automated decision-making;
- when entrusting the handling of personal information, or otherwise disclosing the same, to other entities;
- when transferring personal information overseas; or
- other handling activities that have a significant impact on the interests of individuals.
The PIPL requires that PIPIA reports and records of handling activities be kept for at least three years. A PIPIA report, in particular, should document whether the purpose and manner of handling personal information are lawful, legitimate, and necessary; the impact on individuals' rights and interests and the security risks involved; and whether the protective measures adopted are lawful, effective, and proportionate to the level of risk.
Notifying data breaches (Article 57)
Where personal information has been, or is likely to be, disclosed, altered, or lost, the controller must immediately take remedial measures and notify the responsible State authority and the affected individuals. The PIPL specifies that the notification should include:
- the controller's contact information;
- the types of personal information involved, as well as the causes and possible risks of the breach; and
- remedial measures taken by the controller and mitigation measures that may be taken by individuals.
However, notification of affected individuals may be dispensed with where the controller has taken measures that effectively prevent the harm caused by the breach, unless the responsible State authority considers that harm may still result and requires the controller to notify individuals.
Internet platforms (Article 58)
In addition to the general obligations outlined above, the PIPL imposes specific requirements on internet platform services. More specifically, providers of important internet platform services that have a large number of users and complex business models must:
- establish compliance systems and structures for the protection of personal information in accordance with State regulations, and set up an independent body, composed mainly of external members, to supervise the protection of personal information;
- formulate platform rules in accordance with the principles of openness, fairness, and justice, clarifying the standards that product or service providers on the platform must meet when handling personal information and their obligations to protect it;
- stop providing services to product or service providers on the platform that seriously violate laws and administrative regulations in handling personal information; and
- regularly publish social responsibility reports on personal information protection and accept public supervision.
Transferring personal information overseas (Articles 38 and 39)
In terms of cross-border data transfers, the PIPL provides several mechanisms under which personal information may be transferred outside the PRC. A controller may transfer personal information overseas where at least one of the following conditions is met:
- the controller has passed a security assessment organised by the CAC;
- the controller has obtained personal information protection certification from a specialised institution, in accordance with CAC provisions;
- the controller has concluded with the overseas recipient a standard contract formulated by the CAC, setting out the rights and obligations of both parties; or
- other conditions stipulated by laws, administrative regulations, or the CAC are satisfied.
Furthermore, international agreements may be concluded, or acceded to, by the PRC, which may entail further conditions for cross-border transfers.
More importantly, controllers are required to take the necessary measures to ensure that the overseas recipient's handling activities meet the standards of protection set forth in the PIPL. In addition, controllers must inform individuals of the transfer and obtain their separate consent to it. The information provided to individuals must include the name and contact information of the overseas recipient, the purpose and manner of handling, the types of personal information involved, and the ways in which individuals can exercise their rights under the PIPL against the recipient.
As noted above, cross-border data transfers are also subject to a PIPIA under the PIPL.
Data localisation (Article 40)
In addition to the aforementioned conditions applicable to cross-border data transfers, the PIPL also establishes data localisation requirements. Operators of critical information infrastructure, and controllers that handle personal information in quantities reaching the thresholds prescribed by the CAC, are required to store personal information collected and generated within the PRC domestically.
Where it is necessary to transfer such information overseas, the controller must conduct a security assessment organised by the CAC, unless otherwise exempted by the CAC.
This article highlighted some of the obligations the PIPL introduces for controllers. Part 3 will discuss enforcement and individual rights.