China: Q&A on PIPL
Despite the Personal Information Protection Law ('PIPL') having been in force since 1 November 2021, a number of matters in relation to the operation of the PIPL remain unclear. Dehao Zhang, Counsel at Fieldfisher, provides answers to some outstanding questions regarding the operation of the PIPL.
Under Article 56 of the PIPL, what is meant by 'measures undertaken are legal, effective, and suitable to the degree of risk'? Are there any examples of this?
From my understanding, it is closely connected with the security measures under Article 51 of the PIPL, 'taking into account the processing purposes, means, data categories, the possible impact on individuals' rights and interests, and the possible security risks, personal information processors shall take appropriate measures to protect the data from any data breach or security incident'.
In addition, the requirements in question are very similar to those contained in Article 35(7)(d) of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'): 'the measures envisaged to address the risks, including safeguards, security measures, and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation taking into account the rights and legitimate interests of data subjects and other persons concerned'.
For example, a personal information processor ('PIP') wants to implement a project involving facial recognition, which may involve processing biometric information as defined under Article 28 of the PIPL, so it has conducted a Personal Information Protection Impact Assessment ('PIPIA') pursuant to Articles 55 and 56 of the PIPL. However, it has assessed that the impact on individuals might be that the users will not be notified and will not provide consent before the processing is carried out, which might make it difficult for the individuals to know what information has been collected, how it is being used, and what rights they have. The data protection officer ('DPO') of the PIP assesses this risk and suggests that, before the users actually use the facial recognition function, a facial recognition information notice must be provided and users must freely give their express consent, so that users are aware of the nature of the processing and the rights they have. In addition to this, users should also be provided with a method to opt out of the processing and the facial recognition function.
How can the CAC be contacted? Are there specific protocols that need to be followed in order to report to or engage with the CAC?
The Cyberspace Administration of China ('CAC') does not provide any contact details for PIPs to notify it of data breaches. We expect that the CAC will release some rules or guidance for PIPs on data breaches/security incidents and set up a mechanism for data breach reports. Currently, if anyone wants to engage with the CAC, they will need to:
- fill in the form on the following page: http://www.cac.gov.cn/zrxx/A0918index_1.htm. The form only allows 1,000 words in Simplified Chinese;
- for internet platform users, if they become aware of any data breach or personal information infringement, they can contact the CAC report centre via www.12377.com or call 12377 directly; and
- users can also report the incident by the following methods:
  - when there is a data breach, users can contact the email address: [email protected] or the telephone number: +86 10 82990999;
  - when users find any serious bugs or threats, or wish to share technical solutions, they can contact the China National Vulnerability Databases via [email protected] or +86 10 82991537; and
  - when users wish to report any telemarketing/SMS marketing communication violation, they can report it on the Ministry of Industry and Information Technology ('MIIT') platform: https://yhssglxt.miit.gov.cn/web/.
Are there templates available to assist with the key compliance requirements, such as security assessments, consent, or DPIAs?
Unlike in European Union member states, no official template has currently been released by the Chinese data protection authorities, as the PIPL has been effective for no more than six months.
However, organisations can still find some useful templates in other recommended guidance, such as the Information Security Technology – Guidance for Personal Information Security Impact Assessments, which provides a useful template for organisations on DPIAs at Annex C, and the Information Security Technology – Personal Information Security Specification, which provides some templates on consent at Annex C and templates on privacy policies at Annex D.
In line with Article 42, in what way might an organisation violate the personal information rights and interests of citizens of the PRC, or harm the national security or public interest of the PRC? What action might cause an offending organisation to be placed on the Blacklist?
There is no clear guidance for this requirement right now. For example, some organisations based outside of China may obtain Chinese citizens' personal information by theft, fraud, coercion, or other unlawful means. Some international criminal groups may do so for the purposes of committing telecommunications crimes or other serious crimes which target Chinese citizens, China's national security, or the public interest.
Are there any specific measures and requirements (certifications, agreements, etc.) that organisations not subject to the PIPL, but handling the personal information of Chinese citizens, must fulfil?
If the organisations are not subject to the PIPL, there are no direct obligations. However, organisations should refrain from processing personal information unlawfully outside of China, since, in line with Article 42, if the organisation violates the personal information rights and interests of citizens of the People's Republic of China ('PRC'), or harms the national security or public interest of the PRC, such organisations may be placed on the blacklist. The CAC will restrict or prohibit such organisations from obtaining personal information from China.
How does the CAC identify/understand who their 'dedicated entity', or appointed representative, is? What is the definition of such an entity?
There is no official definition of such an entity released by the CAC currently. I understand that such an entity would play a role as a point of contact for the CAC within the PIP.
If an intra-group agreement is in place between two entities, do the Cybersecurity Law ('CSL'), the Data Security Law ('DSL'), and the PIPL still apply?
If the intra-group agreement involves the processing of personal information of natural persons in China, such as transferring Chinese residents' personal information outside of China, the laws still apply and the intra-group agreement should comply with the laws as well.
What are the main challenges for companies operating in the Chinese market with the introduction of the PIPL?
Companies operating in China must pay attention to personal information compliance and update their global data protection strategy, especially companies which have app(s) operating in China. International companies which have worked on global data protection compliance, especially GDPR compliance, will find it easier to adapt to this change in China.
What do the special rules for the processing of minors' personal data include?
- the obligation to have an external privacy notice for minors' personal data, especially for organisations which process large amounts of minors' personal data, such as game operators or short video app operators; and
- the obligation to have an internal data protection policy for minors' personal data.
Before the PIPL took effect, on 23 August 2019, the CAC adopted the Regulations on the Protection of Children's Personal Information Online. After the PIPL took effect, the CAC drafted the Regulations on the Protection of Minors on the Internet (Draft for Comments), Section 4 of which requires data protection for minors.
When are we likely to see guidance from the CAC in areas such as data localisation and standard contractual clauses?
The answer to this is not very clear. It is said that the CAC is working on this, and it is expected that the draft version of the standard contractual clauses will be released before the end of this year.
Dehao Zhang, Counsel