China has passed an expansive national privacy law which rivals the EU’s General Data Protection Regulation (“GDPR”) in scope and sanctions. Known as the Personal Information Protection Law (“PIPL”), this new law’s announced aim is to curb data collection from private tech firms operating in China. It will take effect on November 1, 2021.
According to the state-run Xinhua News Agency, the PIPL prohibits “illegally collecting, using, processing, transmitting, disclosing and trading people’s personal information.” The Chinese law, like the EU’s, is a comprehensive legal framework on privacy and, among other things, requires companies to limit data collection and obtain user consent.
Applicability and Scope
The PIPL is aimed at regulating personal information processing activities by entities and individuals in China. Additionally, the PIPL applies outside of China if the entity is handling personal information about natural persons within China under the following circumstances: (1) “[f]or the purpose of providing products or services to natural persons in China”; (2) “[a]nalyzing and evaluating the conduct of natural persons in the territory”; and (3) “[o]ther circumstances as prescribed by laws and administrative regulations.” Notably, the PIPL does not prevent the central government from accessing data. The law gives Beijing broad access to user data through specific, required reporting and technical mechanisms.
Enforcement. Violations of the PIPL could result in a fine of up to 50 million RMB or up to 5% of the preceding year’s business revenue.
Covered Data. The law primarily affects personal information, which is defined as “information related to an identified or identifiable person.” The law also defines “sensitive personal data,” which includes information that, once leaked or used illegally, can easily lead to the infringement of the personal dignity of natural persons or harm to personal and property safety. Examples of such sensitive personal data include biometrics, religious beliefs, specific identities, medical health, financial accounts, and whereabouts, as well as personal information of minors under the age of fourteen.
Data Minimization and Purpose Limitation. The retention of personal information “shall be the shortest time necessary to achieve the processing purpose.” The PIPL requires a legal basis to process personal information (“notice and consent” being the primary legal basis). Additionally, handling of personal data must “have a clear and reasonable purpose.”
User Consent. Users must consent to the data collection of their personal information and companies cannot refuse service to those who withhold consent (unless the company cannot provide its services without the data). Users can also withdraw their consent. Separate user consent is required in the following circumstances: (1) disclosure to a third party; (2) processing of “sensitive personal data”; and (3) transfer of personal information outside of China.
Transfer of Personal Data Outside the Country. The law provides guidelines for ensuring data protection outside of China, including specific conditions that must be met before data transfer. Personal information may only be transferred outside of China if “necessary for business or other needs” and if one of these four conditions is met: (1) a security assessment by the national cybersecurity and informatization department has been passed, in accordance with Article 40 (which requires operators of Critical Information Infrastructure and entities that transfer a large volume of personal information to store personal information collected in China locally and to undergo a further security assessment before any necessary transfer); (2) a personal information protection certification from a professional agency has been obtained; (3) a standard data transfer agreement has been entered into between the data processor and the overseas recipient; or (4) other conditions prescribed by law. Personal data cannot be transferred to countries with lower standards of data security than China, and cannot be transferred without specific user consent or without carrying out a personal information protection impact assessment.
Designated Persons. Companies must appoint an individual in charge of personal information protection who “supervises data processing” and conducts audits to ensure compliance with the new law. Additionally, a person handling information outside of China must set up a specialized agency or designated representative within China to handle “matters related to the protection of personal information…”
Conclusion
The PIPL has wide-ranging implications for companies doing business in China, collecting the personal information of Chinese residents, and also for companies using hosted service providers based in China. Just as with any new consumer data privacy law or regulation that goes into effect, it will be important to update your data mapping to understand where your data practices intersect with this new law.
ABOUT BAKER BOTTS L.L.P.
Baker Botts is an international law firm whose lawyers practice throughout a network of offices around the globe. Based on our experience and knowledge of our clients' industries, we are recognized as a leading firm in the energy, technology and life sciences sectors. Since 1840, we have provided creative and effective legal solutions for our clients while demonstrating an unrelenting commitment to excellence. For more information, please visit bakerbotts.com.