China: PIPL overview – Key principles: Part one
The National People's Congress of the People's Republic of China ('NPC') announced, on 20 August 2021, the adoption of the Personal Information Protection Law of the People's Republic of China ('PIPL'). In Part 1 of this series, OneTrust DataGuidance discusses the PIPL and some of its provisions.
The PIPL is China's first comprehensive data protection legislation and aims to protect personal information rights and interests, regulate personal information handling activities, and promote the rational use of personal information. The PIPL entered into effect on 1 November 2021.
As part of a three-part series on the PIPL, this article intends to highlight key provisions, focusing on the fundamental principles established in the PIPL, as well as important definitions and explanations on the handling of personal information.
Scope of application
General scope and exemption (Articles 3 and 72)
The PIPL clarifies that it applies to personal information handling of natural persons within the People's Republic of China ('PRC'). In addition, the PIPL also applies to the handling of personal information of natural persons within the PRC, that is conducted outside the PRC, where personal information is handled:
- for the purpose of providing products or services to natural persons within the territory;
- to analyse and assess the conduct of natural persons within the territory; and
- in other situations provided for by law or administrative regulations.
Please note that the PIPL does not apply to natural persons handling personal information for personal or family affairs.
The following definitions are set out in Articles 4, 28, and 73 of the PIPL.
Personal information: Any type of information that identifies or can identify natural persons recorded electronically or by other means but does not include anonymised information.
Handling of personal information: The collection, storage, use, processing, transmission, provision, disclosure, deletion, etc. of personal information.
Sensitive personal information: Personal information that once leaked or illegally used can easily cause natural persons to suffer encroachments on their dignity or harms to their persons or property; including information such as on biometric identifiers, religious faith, particular identities, medical care and health, financial status, and location tracking, as well as the personal information of minors under the age of 14.
Personal information handlers: Organisations or individuals that independently make decisions about the purposes and methods of personal information handling in personal information handling activities.
Automated decision-making: The use of computer programs to automatically analyse, evaluate, and make decisions on personal information such as personal behaviour habits, hobbies, or economic, health, or credit status, and so forth.
De-identification: The process of handling personal information to make it impossible to identify a specific natural person without the help of additional information.
Anonymisation: The process in which personal information is handled so that it cannot be used to identify a specific natural person and cannot be restored after being so handled.
The PIPL establishes several principles that must be complied with when processing personal information.
Personal information processing principles (Articles 5 to 9)
When handling personal information, controllers must respect the principles of legality, propriety, necessity, and creditworthiness, and must not use misdirection, fraud, or coercion in personal information handling.
Further to the above, the PIPL stipulates that personal information handling must comply with the purpose specification, use limitation, transparency, quality, and accountability principles. More specifically, the PIPL provides that personal information handling must have a clear and reasonable purpose and employ the means with the smallest impact on individuals' rights and interests. In addition, the handling of personal information must comply with the principles of openness and transparency, and responsible parties must ensure the quality of the personal information, including ensuring that the information is accurate and complete.
Moreover, controllers are responsible for their personal information handling activities and must employ necessary measures to ensure the security of the handled personal information.
Retention and storage limitation (Article 19)
The PIPL stipulates that personal information must be retained for the shortest time necessary to achieve the purposes of handling except as otherwise provided by laws and regulations.
Prohibition against illegal processing and processing endangering national security and public interest (Article 10)
The PIPL establishes a general prohibition on illegal processing that endangers national security and/or the public interest. More specifically, the PIPL stipulates that organisations and individuals must not unlawfully collect, use, process, or transfer the personal information of others; must not unlawfully buy, sell, provide or disclose others' personal information; and must not engage in personal information handling activities that endanger national security or the public interest.
Legal bases (Articles 13 to 15)
The PIPL, similar to the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), outlines the legal bases for the processing of personal information. Specifically, the PIPL states that personal information handlers can only handle personal information where one of the following circumstances is met:
- the individual's consent is obtained;
- as necessary to conclude or perform on a contract to which the individual is a party, or as necessary for carrying out human resource management in accordance with lawfully formulated labour rules systems and lawfully concluded collective contracts;
- as necessary for the performance of legally-prescribed duties or obligations;
- as necessary to respond to public health incidents or to protect natural persons' security in their lives, health, and property in an emergency;
- handling personal information within a reasonable range in order to carry out acts such as news reporting and public opinion oversight in the public interest;
- for a reasonable scope of handling of personal information that has been disclosed by the individual or otherwise already legally disclosed in accordance with this Law; and
- other situations provided by laws or administrative regulations.
In relation to personal information handling on the basis of consent, the PIPL stipulates that consent must be given voluntarily and explicitly by individuals who are fully informed. In addition, where laws and administrative regulations provide that independent or written consent must be obtained for the handling of personal information, such provision must be followed. Moreover, where there are changes to the purpose or methods of information handling, or to the type of personal information to be handled, consent must be obtained again.
Furthermore, individuals have the right to withdraw their consent, and the method for such withdrawal must be convenient and easy. The withdrawal of the individuals' consent does not, however, impact the validity of personal information handling activities conducted before the withdrawal.
Information sharing and disclosure (Articles 25 and 27)
The PIPL prohibits controllers from disclosing the personal information they handle, unless they have obtained consent or as otherwise provided for by laws and administrative regulations.
However, controllers may process personal information disclosed by the individual themselves or that has been legally disclosed within a reasonable scope, unless the individual expressly refuses. Nevertheless, where personal information handlers handle disclosed personal information that has a significant impact on personal rights and interests, they shall obtain personal consent in accordance with the provisions of the PIPL.
Sensitive personal information (Articles 28 to 32)
The PIPL provides that controllers may only handle sensitive personal information for specified purposes and when fully necessary, and when employing strict protective measures. Please see above for the definition of sensitive personal information.
Further to the above, controllers handling sensitive personal information must obtain independent consent and, where laws and administrative regulations so provide, must obtain written consent for the handling of sensitive personal information. Moreover, when handling sensitive personal information, controllers must, in addition to the notification requirements specified in Article 17 of the PIPL, notify individuals of the necessity of the sensitive personal information handling and its impact on the individuals' rights and interests, except where the PIPL provides that such notice need not be provided to individuals.
Personal information of minors (Article 31)
In relation to the personal information of minors, the PIPL stipulates that those handling the personal information of minors under the age of 14 online must obtain the consent of the minors' parents or other guardians. In addition, special rules for the handling of such data must be developed.
This article highlighted some of the key principles established in the PIPL. Part 2 will discuss controller obligations.