Data Protection Academy » Data Protection News » The Chinese Data Protection Law PIPL

Data Protection Law China: Personal Information Protection Law (PIPL)

Data Protection Law China: Personal Information Protection Law (PIPL)

China adopted the Personal Information Protection Law (PIPL) on 20 August 2021. The new Personal Information Protection Law (PIPL) adopts various principles from the GDPR and is China's first comprehensive data protection law and will come into force on 1 November 2021.

PIPL is critical for any company with data or business in China. It will make compliance with China's security and data laws and regulations even more complex and is one of many laws passed in recent years, along with the Cybersecurity Law, the Data Security Law and the Cryptography Law. As is common with all Chinese laws, many of the concepts and requirements are very general. Experts expect more details to be laid down in regulations and practical guidance in the coming months. It is particularly exciting whether the Chinese level of data protection is comparable to the European standard of the GDPR.

The law regulates the processing of personal information by businesses, especially large internet companies. Government agencies remain largely exempt from the Personal Information Protection Law.

Key information about the Chinese Personal Information Protection Law

  • The Chinese data protection law is called the Personal Information Protection Law and is abbreviated as "PIPL".
  • PIPL comes into force as of 01 November 2021
  • The new law adopts principles from the European GDPR
  • PIPL regulates the processing of personal data in the economy
  • State agencies remain largely exempt from the Personal Information Protection Law

China Data Protection Law : Scope of Application of the PIPL

Regulations for China's big tech companies

After the law comes into force, Chinese tech companies will only be allowed to process personal data in certain cases. In order to stop the extensive collection of data, data is to be stored only for specific purposes, and the consent of those affected is also required. For several months now, Chinese authorities have been increasingly taking action against data protection violations.

Effects on German companies

Similar to the GDPR, the scope of application of the law is linked to a business activity in China in which personal data of citizens there are processed, so that European companies can also be affected. This then results in the obligation to appoint a local representative and to report to the Chinese supervisory authorities. Also known from the GDPR is the threat of fines in the event of violations of the law. In China, too, these can now run into the millions (of euros). The Chinese data protection law contains regulations for the transfer of personal data.At present, the transfer of data to the EU appears to be possible without restrictions due to the high level of data protection in force.

PIPL vs. GDPR

Common ground

Similar to the GDPR, PIPL also defines "personal data" as any type of information relating to identified or identifiable natural persons stored in electronic or other form, with the exception of anonymised information.

The Chinese data protection law also understands the "processing of personal data" the collection, storage, use, adaptation or alteration, transmission, making available, publication and deletion of personal data.

Similar to the GDPR, the PIPL imposes the obligation to have a local representative and to report to the Chinese supervisory authorities in the case of business activities and the processing of personal data of Chinese citizens.

Another common feature is the handling of fines and sanctions. Fines in the millions are also possible in China.

PIPL also contains a ban on the transfer of personal data. Chinese citizens in states with a lower level of data protection than in China.

Differences

A significant difference to the GDPR is that the People's Republic of China has a legally legitimated state monitoring practice. These practices are unlikely to change even after the PIPL comes into force. Unlike the European GDPR, the Chinese data protection law is directed against the widespread price discrimination in online trade in China. In terms of data protection, this is about profiling based on personal data and the resulting "personalised pricing". In China, for example, users of Apple smartphones are shown higher prices when buying travel tickets than users of other brands.

Contents Personal Information Protection Law

The PIPL consists of 74 articles in 8 chapters, namely:

  • General provisions;
  • Rules for the processing of personal data;
  • Rules for the cross-border provision of personal data;
  • Rights of the individual with regard to the processing of personal data;
  • Obligations of controllers when processing personal data;
  • Authorities responsible for the protection of personal data;
  • Legal liability; and
  • Other provisions.

Extraterritorial effect

The PIPL has extraterritorial effect and applies to the following processing activities:

  • the processing of personal data of natural persons within China; and
  • the processing outside China of personal data of natural persons residing in China, where such processing is involved:
    • for the purpose of providing products or services to natural persons in China;
    • to analyse/evaluate the behaviour of natural persons in China; or
    • other circumstances prescribed by laws and administrative regulations.

Competent authorities

The PIPL provides greater clarity in the division of responsibilities between authorities and designates the central and local authorities with responsibilities under the Act as the authorities performing personal data protection tasks and responsibilities (PI Protection Authorities). The division of responsibilities is as follows:

  • the national cyberspace administration (e.g. the Cyberspace Administration of China or CAC) is responsible for comprehensive planning and coordination of personal data protection and related supervisory and administrative work;
  • the relevant ministries and departments of the State are responsible for the protection of personal data and for supervision and administration within their respective jurisdictions; and
  • the relevant departments of local governments at county level or above will also perform certain duties and responsibilities in relation to the protection of personal data and related supervision and management in accordance with State regulations.

Basis for the processing

The PIPL provides for the following legal bases for the processing of personal data, at least one of which must be present for the processing to be lawful:

  • consent of the data subjects;
  • necessity for the conclusion or performance of contracts to which the data subject is party or necessity for the performance of personnel administration in accordance with the labour regulations and systems adopted by law and the collective agreements concluded by law;
  • the need to fulfil statutory tasks or legal obligations;
  • to respond to public health emergencies or to protect the life, health and safety of natural persons in emergencies;
  • the processing of personal data to a reasonable extent for the purpose of carrying out news reporting, monitoring public opinion and other acts in the public interest;
  • the processing of personal data disclosed by data subjects or otherwise lawfully, within the appropriate framework and in accordance with the PIPL; and
  • other circumstances specified by laws and administrative regulations.

Data transfer of personal data

The cross-border transfer of personal data may only take place for legitimate purposes, such as business needs, and the transferor is obliged to take the necessary measures to ensure that the recipient's processing activities abroad comply with the standards of protection set out in the PIPL.
Furthermore, both an appropriate legal basis and the consent of the data subjects are required for such a transfer to be lawful.

Legal basis

The legal basis for the cross-border transfer of personal data under the PIPL includes:

  • the existence of a security clearance organised by the Cyberspace Administration if the transmitter is a critical information infrastructure operator (CRIITIS) or the volume of personal data concerned reaches the threshold set by the CAC;
  • obtain personal data protection certification from a professional agency in accordance with the rules of the CAC;
  • conclusion of an agreement with the recipient abroad on the basis of a standard contract formulated by the CAC; or
  • other conditions provided for by law, administrative regulations or the CAC.

The implementation of the cross-border transfer regime will depend on further provisions of the CAC, including the development of a standard contract form.

Consent

Data subjects must be informed about and give their separate consent to the cross-border transfer of their personal data:

  • name and contact details of the overseas recipient;
  • the purposes and methods of the processing;
  • the types of personal data concerned; and
  • the methods and procedures for exercising the rights provided for in the PIPL with the foreign recipient.

Regardless of whether there is a legal basis and consent has been given, companies are strictly prohibited from disclosing personal data stored in China to foreign judicial or law enforcement authorities without the consent of the Chinese authorities. This is a difficult issue for international companies that have reporting obligations to regulators in their own countries.

Rights of data subjects

The PIPL gives data subjects various rights in relation to their personal data, including:

  • right to know and decide regarding their personal data;
  • the right to restrict or prohibit the processing of their personal data;
  • the right to access and copy their personal data held by the processors;
  • right to portability of their personal data;
  • the right to rectification and erasure of their personal data; and
  • the right to request an explanation of the processing rules from the processors.

The close relatives of a natural person may exercise these rights for their own legitimate and justifiable interests after the death of the natural person, unless the deceased person made other arrangements during his or her lifetime.

Duties of the responsible person

The PIPL imposes various obligations on processors of personal data, including the obligation to:

  • formulate internal management systems and operating procedures;
  • implement confidential management for personal data;
  • take appropriate technical security measures such as encryption and anonymisation;
  • adequately establish operational authorisation for personal data and provide regular security education and training for operational staff;
  • formulate and implement contingency plans for security incidents involving personal data;
  • conduct regular compliance audits; and
  • take other safety measures required by laws and regulations.

Certain companies (e.g. CRITIS operators, processors of sensitive personal data, companies providing major internet platforms with a large number of users, and complex types of businesses) are subject to stricter obligations such as appointing a data protection officer and/or an independent supervisory body, carrying out data protection impact assessments for processing activities and publishing regular social responsibility reports.

In the event of a data incident, processors are required to take "immediate" remedial action and notify data protection authorities and all data subjects.

Sanctions

Violations of the PIPL can result in an administrative fine of up to 50 million renminbi (RMB) or 5 % of the company's turnover from the previous year (it is unclear whether this is a local or global amount).

Other sanctions include a demand for rectification, a warning, confiscation of illegal profits, suspension or termination of service, cessation of operations for rectification and revocation of operating licences or business licences.

The responsible person or other directly liable persons may also be held individually liable and fined or prohibited from acting as a director, supervisor, officer or data protection officer.

If the processing activity violates the rights or interests of a large number of individuals, the public prosecutor's office (i.e. the authority responsible for law enforcement), consumer protection organisations or another organisation designated by the cyberspace administration may initiate a public interest complaint.

Conclusion on the China Data Protection Act

The new law will reshape the way personal data is handled in China. This includes introducing measures to deal with evolving technologies around facial recognition, AI and data analytics. Chinese citizens will be protected as consumers from large providers and data collection.

The basic idea of the Chinese law PIPL is thus quite comparable to the European GDPR. However, the state still reserves rights that legitimise the surveillance of Chinese citizens. PIPL also does not regulate the planned social credit system "Social Score". The Chinese government plans to use personal data of Chinese citizens to enforce data-based rewards or sanctions.

Organisations that regularly process data in China or from Chinese citizens should appoint a local representative who is the competent contact for Chinese authorities in relation to data processing operations. Similar to the European GDPR, the responsible contact person must be notified to the responsible authorities.

Caroline Schwabe
Latest posts by Caroline Schwabe (see all)

This might interest you too:

Informational self-determination

The right to informational self-determination has increasing importance in the digital age and is directly related to data protection and the GDPR.

Data protection

Data protection is generally the protection of personal data of each individual against their unauthorised collection, processing and disclosure.

Data processing

All information on the legal situation and forms of data processing. Learn about lawful processing of personal data.