Aug 27, 2021

China Promulgates Personal Information Protection Law

On 20 August 2021, the PRC promulgated the long-awaited Personal Information Protection Law (“PI Protection Law”); it will come into effect on November 1. Its 74 articles comprise both high-level and specific rules for a broad range of issues related to the processing of personal information of individuals. On the one hand, its coverage overlaps with several laws, regulations, recommended national standards, etc. released in the last few years, such as the Cybersecurity Law, the Civil Code, the Information Security Technology — Personal Information Security Specification (“PI Specification”), a series of rules applicable to processing of personal information by mobile apps, and the recently promulgated Data Security Law,[1] and thus may serve as a synthesis of rules while superseding existing conflicting rules. On the other hand, it both contains new or extended rules and leaves some aspects of the protection of personal information to future implementation rules. This Newsletter summarizes the principal provisions of the PI Protection Law, particularly from the perspective of how businesses may be affected.

Who and What Are Protected

The PI Protection Law defines “personal information” (“PI”) as “all kinds of information recorded by electronic or other means related to identified or identifiable natural persons”, explicitly excluding anonymized information,[2] and “processing” as “collection, storage, use, processing,[3] transmission, provision, publishing, deleting, etc.” These definitions are in line with existing and other draft laws, regulations, standards, etc. of China.

Based on these definitions, the PI Protection Law provides that it applies to any processing, by any individual or entity, of PI done within China’s borders.[4] It also provides for two circumstances in which processing of PI of natural persons within China done outside China will be subject to the PI Protection Law (plus a catch-all “other circumstances provided for by [other] laws and administrative regulations”): (1) the processing is for the purpose of providing products or services to natural persons within China; (2) the processing is for analyzing and evaluating the behavior of natural persons within China. The offshore parties undertaking such PI processing are required to “establish special institutions or designated representatives” within China for dealing with matters related to the protection of PI, and information about such special institutions or designated representatives must be submitted to the authorities performing PI protection duties.

The PI Protection Law arguably gives a significant signal of “extraterritorial” legal effects on particular service providers. However, from a practical perspective, the two extraterritoriality standards are vague. Further implementing rules are needed to clarify: (1) the kind(s) of connection between PI processing and the offering of products or services such that an offshore processor may be subject to the law; (2) what constitutes “analyzing and evaluating the behavior of natural persons”; (3) the specific forms, establishment procedures, etc. of the special institutions and designated representatives; (4) to which authorities such special institutions and designated representatives are required to submit information; and (5) what legal liability can be imposed on such special institutions or representatives if the offshore parties fail to comply with the PI Protection Law, not to mention what consequences there might be if no special institution is established or no representative is designated.

Conditions to General Processing of PI

For how PI should be processed, the PI Protection Law includes both several generic principles (e.g., the processing must be “open”, “transparent”, “minimum for achieving the reasonable purpose”, and “directly connected to achieving the reasonable purpose”), which may have some general interpretative value, and a plethora of provisions that are more specific yet still open to wide interpretation and application. The following are the most notable specific conditions to processing PI:

  • The processing can only be done if:
    • consent has been obtained from the individual whose PI is processed (“PI Subject”);
    • it is necessary for the conclusion or performance of a contract to which the PI Subject is a party;
    • it is necessary for the performance of legally-prescribed duties or obligations;
    • it is necessary for responding to public health incidents or protecting natural persons’ lives, health, or property in an emergency;
    • it is necessary for carrying out acts such as news reporting and public opinion oversight in the public interest;
    • it is done, for carrying out activities permitted under this PI Protection Law, on PI that has been voluntarily disclosed by PI Subjects or otherwise disclosed legally; or
    • other laws or administrative regulations provide for the processing.
  • Before processing PI, processors must inform PI Subjects of the following (in a conspicuous fashion and in clear and understandable language):
    • The name and contact information of the processor;
    • the purpose, manner, type of PI, and storage time of the processing;
    • how PI Subjects can exercise their rights under the PI Protection Law; and
    • other matters provided for by other laws or administrative regulations.
  • Except as otherwise provided by other laws and administrative regulations, PI retention periods must be the shortest necessary to realize the purpose of the processing. (For example, the E-commerce Law[5] requires e-commerce operators to retain for three years certain information about commodities, services, etc.)

Some of the above are subject to further requirements, exceptions, or other rules. For example, in the case of processing PI by obtaining consent: it must be “voluntary and explicit”; it must be obtained anew if the purpose, methods, or type of PI of the processing change; PI Subjects have the right to withdraw consent; and products and services cannot be refused to PI Subjects who do not consent unless the processing is “necessary to provide the products or services”. As another example, processors do not need to inform PI Subjects of the information mentioned above in circumstances where laws or administrative regulations provide that secrecy shall be preserved or notification is not necessary or in certain emergency circumstances (though the PI Subjects must be notified after the end of the emergency). The “consent” is further notable in likely being a heightened standard, “voluntary and explicit”, as compared to the generic consent so far understood in practice to apply (except in a limited set of circumstances) under the Cybersecurity Law: “explicit consent” is defined in the PI Specification as an act whereby a PI Subject explicitly authorizes the specific processing of his/her PI by making a written statement, including by electronic means, or an oral statement, or by making an affirmative action[6] of his/her own accord.

Processing “sensitive personal information” (PI that, if leaked or illegally used, may cause individuals to suffer infringement of human dignity or serious harm to their security in their persons and property, e.g., health and medical information, religious beliefs, location information and PI of individuals under 14 years old; “SPI”) will be subject to additional rules. The rules specific to SPI under the PI Protection Law are few and vague: processing it must have a specific purpose and sufficient need and strict protective measures; it must be based on the PI Subject’s specific consent; and PI Subjects must be informed of “the necessity of processing sensitive personal information and the impact on the individuals’ interests and rights”, unless laws and regulations provide otherwise. Neither the PI Protection Law nor any other effective or draft laws, regulations, etc. define “specific consent”,[7] which will be left to implementing rules or other measures to define.

The PI Protection Law specifically requires that special processing rules be made when the PI of individuals under 14 years old is processed, and such rules are required to be published so that the guardians of the minors can be informed and give consent to the processing of minors’ PI.

Conditions Specific to Overseas Transfer of PI

The PI Protection Law includes several provisions for situations in which two parties are “jointly” processing PI, one party entrusts another party to process PI from and on the first party’s behalf, or the processor “changes” as a result of merger, division, dissolution, bankruptcy, etc., but the requirements and other rules governing such situations mostly flow from the conditions to general processing of PI (see above). The PI Protection Law’s more significant rules concerning transfer of PI are aimed at cross-border and foreign activities.

To transfer PI outside China due to business needs, a business must satisfy one of the following conditions:

  • pass a “security assessment” organized by the Cyberspace Administration of China (“CAC”) when PI transferors are “critical information infrastructure operators” (“CIIOs”)[8] or the PI volume to be processed by the processors reaches a threshold specified by CAC;[9]
  • obtain a personal information protection certification from a specialized body designated by CAC;
  • execute a standard agreement (template to be released by CAC) with the overseas party covering both sides’ rights and obligations; or
  • meet other conditions provided for by laws, administrative regulations, or provisions of the State Internet information departments.

In addition, the transfer of PI outside China must also comply with international conventions and treaties executed or joined by China where there are applicable rules. The PI processor should adopt necessary measures to ensure that the processing activities of PI by foreign recipients meet the personal information protection standards stipulated under the PI Protection Law. Moreover, the PI Subjects must be notified of the foreign recipient’s name and contact method, the purpose, manner, and type of PI to be processed, and the ways and procedures through which the PI Subject may exercise its rights under the PI Protection Law in relation to the foreign recipient – and specific consent for the overseas transfer is needed.

In comparison to the above, the draft Measures for the Security Assessment for Cross-Border Transfer of Personal Information[10] (“Draft Measures”) provide that before any network operator may transfer personal information out of China, it must conduct and report a “security assessment” for the review of the provincial CAC branch. The PI Protection Law limits the requirement for a “security assessment” to CIIOs and parties who process more PI than a threshold (to be) set by CAC, thus going back on the apparent broadening of the requirement that might have applied under the Draft Measures. Relatedly, the PI Protection Law refers to a “local storage” requirement (for PI collected or originated within China), but it does so also only with respect to CIIOs and volume processors.

Finally, the PI Protection Law includes sets of rules that are very similar to rules already in effect and/or rules in the Data Security Law: providing PI stored in China to foreign judicial or enforcement authorities requires prior approval from relevant PRC authorities; if foreign individuals or organizations process PI in ways that harm PI rights or interests of PRC citizens, or the national security or public interests of the PRC itself, they may be subject to such measures as specific prohibitions or restrictions on providing or being provided PI; China may adopt equivalent retaliatory measures against any country that adopts discriminatory prohibitions, limitations, or other similar measures against China in the area of PI protection.

Other Obligations on PI Processors

The PI Protection Law includes various other standing obligations on any party that processes PI. Some such obligations derive from “rights” accorded to PI Subjects. For example, PI Subjects have the right to access and copy their PI from PI processors as well as to have any errors corrected, so conversely, PI processors must satisfy such requests “in a timely manner”. Furthermore, processors must have in place mechanisms for dealing with applications from PI Subjects attempting to exercise their rights, must explain the rules of the PI processing, and must explain reasons for any rejections of PI Subjects’ applications. The PI Protection Law provides that PI processors must provide channels for PI to be transferred to other PI processors if PI Subjects request, provided that CAC’s (as yet unspecified) requirements are met. The PI Protection Law specifies that PI Subjects may file lawsuits before people’s courts if PI processors reject requests exercising above-mentioned rights.

Other obligations have wider scope. For example, processors must delete PI where any of the following circumstances arises, either upon a request from a PI Subject or “actively” on the processors’ own initiative:

  • The processing purpose has been achieved, it is unable to be achieved, or the PI is no longer necessary for achieving the processing purpose.
  • The PI processor has ceased the provision of products or services, or the retention period has expired.
  • The PI Subject has rescinded consent.[11]
  • The processing has violated laws, administrative regulations, or agreements.
  • Other circumstances provided by laws or administrative regulations.

Some obligations are of wider scope but relative to the specifics of the PI processing. For example, processors have to adopt certain measures to ensure their processing of PI complies with relevant laws and administrative regulations, and more generally prevents unauthorized access, disclosure, tampering, or loss of the PI; however, while the PI Protection Law specifies some such measures, it provides that the measures that should be adopted depend on the purposes and methods of the processing, the types of information to be processed, the impact and potential risks to individuals, etc.:

  • Formulating internal management structures and operating rules.
  • Implementing tiered and categorized PI management.
  • Adopting corresponding technical security measures such as encryption, de-identification, etc.
  • Reasonably determining operational limits for PI processing, and regularly conducting security education and training for employees.
  • Formulating and organizing the implementation of PI security incident response plans.

Moreover, PI processors must conduct periodic audits of their PI processing activities and conduct and record PI protection assessments in advance of any one of the following circumstances:

  • processing SPI;
  • using PI to conduct automated decision-making;[12]
  • entrusting the processing of PI, or providing PI, to other PI processors, or otherwise disclosing PI;
  • providing PI abroad; or
  • “other personal information processing activities that have a major impact on individuals’ interests and rights”.

Likewise, upon discovery of events or possible events of leakage, tampering, or loss of PI, processors must take remedial measures, including notifying affected individuals, unless the processors take measures that can effectively avoid the harm caused by the information leakage, tampering and loss, and in any case notifying relevant PRC authorities (who may require notification to affected individuals if harm may be caused).

When using PI to conduct automated decision-making, the PI Protection Law specifically requires that: (1) no unreasonable differential treatment can be imposed on the transaction price based on the result of automated decision-making; (2) when marketing through automated decision-making, PI processors must provide PI Subjects with an option that is not targeted at an individual’s personal characteristics, or convenient channels for refusing such automated decision-making marketing.

The PI Protection Law imposes heightened protection obligations on PI processors who provide important Internet platform services and have a large volume of users and complex business types. Such heightened protection obligations mainly include:

  • setting up an independent body mainly comprised of “external members” to supervise the protection of PI;
  • developing platform rules specifying the standards for PI processing and the obligations of PI protection to be followed by product or service providers who are on the Internet platform;
  • ceasing to provide services to product or service providers on the Internet platform who process PI severely violating laws or administrative regulations; and
  • publishing social responsibility reports on PI protection on a regular basis and being subject to public supervision.

Regulatory Oversight and Penalties

The PI Protection Law includes provisions on the powers (as well as duties) of regulatory authorities in relation to PI protection. Most notable are their empowerment to:

  • question the relevant parties and investigate circumstances related to PI processing activities;
  • access and reproduce contracts, records, account books, and other materials related to the parties and PI processing activities;
  • conduct on-site inspections and investigate suspected illegal PI processing activities;
  • check the equipment and items related to PI processing activities (and seal or seize any found to be used in illegal PI processing activities); and
  • request “informal conversations” (“yuetan” in Chinese), in which regulators demand clarifications or provide warnings, perhaps alongside some minor fines, or request a compliance audit to be conducted by professional authorities.

For the avoidance of doubt, the PI Protection Law explicitly provides that parties “shall provide assistance and cooperate, and must not refuse or obstruct” the regulatory authorities when the latter “are lawfully performing their duties”.

When authorities identify illegal PI processing, they can give warnings, order “corrections” (i.e., that the illegal processing be brought in line with law or ceased), confiscate illegal gains, and/or order suspension or cessation of services/products (e.g., mobile apps) that illegally process PI – and if corrections are not made, the authorities can impose a fine of up to RMB 1 million on the entity and between RMB 10,000 and 100,000 on the directly responsible management and other directly responsible personnel. If the illegal processing is “serious”, in addition to warnings and confiscation, the following further penalties can be given straightaway: a fine of RMB 50 million or five percent of the previous year’s annual business volume, suspension of relevant operations, suspension of business for “correction”, and revocation of relevant business permits or licenses, plus fining directly responsible persons RMB 100,000 to 1 million and prohibiting them from serving as directors, supervisors, senior management, or PI protection officers of relevant enterprises within a prescribed period. Furthermore, where the illegal processing infringes on the rights or interests of private individuals, or constitutes a crime or a violation of public security administration, processors can suffer further penalties.

Takeaways

The PI Protection Law includes many provisions apparently imposing concrete responsibilities on parties processing PI, and heightened requirements for those that control large volumes of PI or operate important online platforms. The PI Protection Law addresses many concerns that have recently come to be key in China, including automated decision-making and PI cross-border transfers. However, some rules remain at a high level or unclear. Many specifics still need to be set out, likely in implementing measures to be issued in the coming months and years.

The PI Protection Law would bring some innovations (though still subject to how certain clauses would be implemented, interpreted, and applied), e.g., the extraterritoriality standards and the heightened (i.e., “specific”) consent standard. Parties who process PI should pay attention to the obligations and requirements imposed by the PI Protection Law, and promptly set up or reinforce PI compliance policies and engage professionals to address PI issues when necessary, as the PI Protection Law heralds a stricter and more complex PI legal compliance regime in China.

[1] Cybersecurity Law of the People’s Republic of China (《中华人民共和国网络安全法》), promulgated by the Standing Committee of the National People's Congress on 7 November 2016 and effective as of 1 June 2017; Civil Code of the People's Republic of China (《中华人民共和国民法典》), promulgated by the National People's Congress on 28 May 2020, to take effect on 1 January 2021; Information Security Technology — Personal Information Security Specification (《信息安全技术-个人信息安全规范》), issued by the State Administration for Market Supervision of the People’s Republic of China and Standardization Administration of the People’s Republic of China on 6 March 2020 and implemented on 1 October 2020; Data Security Law of the People’s Republic of China (《数据安全法》), promulgated by the Standing Committee of the National People's Congress on 10 June 2021 and effective as of 1 September 2021; Methods for Identifying Unlawful Acts of Applications (Apps) to Collect and Use Personal Information (《App违法违规收集使用个人信息行为认定方法》), jointly issued by the Cyberspace Administration of China (CAC), Ministry of Industry and Information Technology (MIIT), Ministry of Public Security (MPS), and State Administration for Market Regulation (SAMR) on 28 November 2019 and effective as of the same date; Circular on Issuing the Rules on the Scope of Necessary Personal Information for Common Types of Mobile Internet Applications (《关于印发<常见类型移动互联网应用程序必要个人信息范围规定>的通知》), jointly issued by CAC, MIIT, MPS and SAMR on 12 March 2021 and effective as of 1 May 2021.

[2] Article 73 of the PI Protection Law defines “anonymization” as the process of handling any PI to make it unable to identify a specific natural person and unable to be restored to its original state.

[3] The Chinese term corresponding to “processing” here is “加工”, whereas the Chinese word corresponding to the more general word “processing” used in all other places in this Newsletter (and generally in English-language versions of China’s cybersecurity laws, regulations, etc.) is “处理”.

[4] China’s borders in this Newsletter refer to mainland China’s borders, i.e., not including Hong Kong SAR, Macao SAR, and Taiwan Region. In this Newsletter, “China” will generally be used to refer to mainland China in this way.

[5] E-commerce Law of the People’s Republic of China (《电子商务法》), issued by the Standing Committee of the National People's Congress on 31 August 2018 and effective as of 1 January 2019.

[6] Affirmative action includes situations where a PI Subject checks or clicks “agree”, “register”, “send”, etc., fills in a form or provides his/her PI of his/her own accord.

[7] Note the PI Protection Law requires “specific consent” for other activities as well, e.g., a processor providing its collected PI to third parties, publishing PI, installing image collection and personal identity recognition devices in public places, and transferring PI outside China.

[8] The Cybersecurity Law defines “critical information infrastructure” as infrastructure “used for public communications, information services, energy, transport, water conservancy, finance, public services, e-government affairs, and other important industries and fields and other critical information infrastructure that will result in serious damage to the national security, national economy, and people’s livelihood and public interests if they are destroyed, there are lost functions or they are subject to data leakage.” And the Regulations on the Security Protection of Critical Information Infrastructure (《关键信息基础设施安全保护条例》), issued by the State Council on 30 July 2021, effective as of 1 September 2021, have added “national defense technology industry” as one of the “critical information infrastructure” industries.

[9] According to the Inspection Guidance on National Network Security (《国家网络安全检查操作指南》), issued by the Office of the Central Cyberspace Affairs Commission on 1 June 2016 and effective as of the same date, online service providers meeting the following threshold might be deemed to be CIIOs by relevant authorities: (1) the service provider’s website’s registered users exceed 10 million, or the number of active users (logging in one time per day) exceeds 1 million; (2) if a security incident occurs, more than 1 million people’s PI will be leaked or 1 million people’s lives will be affected.

[10] The Measures for Security Assessment for Cross-border Transfer of Personal Information (Draft for Comment) (《个人信息出境安全评估办法(征求意见稿)》), released by CAC on 13 June 2019.

[11] Though not made clear in the PI Protection Law, the applicability of this circumstance should be limited to cases in which the PI was processed on the basis of consent, rather than on one of the other bases set out above.

[12] Article 73 of PI Protection Law defines “automated decision-making” as the activity of making any analysis, assessment, and decision concerning the behavior, habits, interests, hobbies, or financial, health, or credit status, or any other situation of the individual, automatically through a computer program.

© DaHui Lawyers