China’s long-awaited Personal Information Protection Law (PIPL), after two rounds of draft versions, was finally passed by the Standing Committee of the National People's Congress on August 20, 2021, with the law effective beginning November 1, 2021. The PIPL, regarded as China’s version of the EU General Data Protection Regulation (GDPR), lays out a comprehensive set of rules for how business operators should collect, use, process, share, and transfer personal information in China. The PIPL further supplements the existing data protection regime previously established by the Cybersecurity Law (CSL) and national guidelines, and it provides another pillar in China’s efforts to regulate how companies use data and to further protect the personal data of its citizens.
This LawFlash highlights the key provisions in the PIPL and their implications for business operators in China. Among others, the PIPL requires companies as data controllers to obtain informed and separate consents from the data subjects for the collection, processing, and cross-border transfer of their personal data (limited exceptions apply), and to store personal data on servers physically located in China if the company is certified as a critical information infrastructure operator (CIIO) or processes personal data exceeding a certain volume threshold, which the regulator has yet to publish. The law grants statutory rights to data subjects, such as the right to withdraw and modify consents, the right of data portability, and the right to refuse automated decision-making. The PIPL also imposes a number of new administrative requirements on the data controllers, including, among others, designating a data protection officer, signing data processing agreements with data processors, preparing data breach notices, conducting a personal information impact assessment (PIIA), or in some cases obtaining regulatory approval for certain data processing transfer activities. Employers qualify as data controllers, so every company will need to ensure that it understands the new requirements that cover the collection and processing of its employees’ personal data, in addition to other types of personal data, as part of its routine employee management functions. Companies in violation of the PIPL may be subject to severe penalties, including a fine of up to 5% of the last year's turnover of the company, revocation of the company’s license to do business in China, and personal liabilities for company executives.
In light of the US-China trade tensions and the Chinese government’s heightened focus on national security risks related to the cross-border transfer of sensitive data, the new law is another regulatory tool that the Chinese government can use in addressing corporate behavior it deems at odds with national interests.
In addition to activities within China, the PIPL exerts certain extraterritorial jurisdiction over data processing activities that happen outside China if the purpose is to provide products or services to individuals located in China, or to analyze or assess the behaviors of individuals located in China. Overseas companies caught by the extraterritorial jurisdiction of the PIPL should establish a dedicated entity or appoint a representative in China to handle matters in relation to the protection of personal information they collect, and file the information of the entity or the representative with competent government authorities. Foreign organizations or individuals may be put on a "blacklist" that would restrict or prohibit them from receiving personal information from China if they infringe the personal information rights and interests of Chinese citizens, or harm the national security or public interest of China.
Previously, extraterritorial jurisdiction was provided only in draft regulations and national guidelines, which did not have a binding effect. For the first time, the PIPL explicitly specifies the broad reach of its purported extraterritorial jurisdiction. The impact on foreign companies and overseas parent companies of Chinese subsidiaries that process personal information collected from the Chinese market will be significant, as the data collected in China will now be subject to the various personal information protection requirements under the PIPL.
In the past, consent was the only requisite for the processing of personal information, and other lawful bases were provided in national guidelines, which were not legally binding. The PIPL for the first time specifies additional lawful bases as binding law and provides that consent is not required for
Notably, business operators should pay particular attention to the following key changes:
With this provision in place, in case of any change of control in merger and acquisition (M&A) deals, data compliance due diligence may become a prerequisite for closing the deal to avoid any data compliance risks. Sellers should inform the data subjects before the transfer of personal information, and buyers should obtain consent if the original processing purpose is changed.
The CSL, which took effect in 2017, provides that only CIIOs should store personal information in China and undergo security assessments approved by the Cyberspace Administration of China (CAC) for cross-border data transfers. However, the PIPL extends the application scope beyond just CIIOs to those companies that process personal information that exceeds an amount threshold designated by the CAC, but the specific amount threshold has not been published yet.
Other general companies that do not fall under the categories above can transfer personal information outside China by doing one of the following:
This provision allows general companies to be exempted from the more onerous procedure of conducting government security assessments. This exemption represents a substantial change from the previous requirements under the draft cross-border data transfer regulations, which imposed data localization on all network operators in China. The standard contract is similar to the Standard Contractual Clauses (SCC) under the GDPR, but the CAC has not yet published the full text of the standard contract. Once the standard contract is published, business operators that have a need to transfer personal information outside China should review and revise their existing data transfer agreement to make it consistent with the official template.
In addition, the PIPL enhances the informed consent requirements for cross-border data transfers. Specifically, Article 39 requires that when a personal information processor (a term under the PIPL that is similar to “data controller” under the GDPR, hereinafter referred to as “Data Controller” to avoid any doubt) provides personal information outside China, it shall inform the data subjects of the name of the overseas recipient, contact information, processing purpose, processing method, and types of personal information, as well as ways and procedures for data subjects to exercise the rights provided under the PIPL with the overseas recipients, and it shall obtain the data subjects’ separate consent.
Similar to the GDPR, the PIPL grants data subjects various rights to their personal information, including the rights to access, copy, correct, modify, and delete their personal information. In addition, the PIPL emphasizes the right of data subjects to withdraw their consent and the right to restrict or refuse the processing of their personal information, and the relevant rights to refuse automated decision-making. The PIPL also clearly requires the Data Controller to provide a convenient mechanism for data subjects to exercise their rights.
Notably, on the basis of the second draft of the PIPL, the finalized version adds a new right—the right to portability—which resembles that under the GDPR. Specifically, Article 45 stipulates that when data subjects request a transfer of their personal information to other Data Controllers that they designate, and such requests conform with the conditions set by the CAC, the Data Controller shall provide the methods for the transfer. This data portability right may break the monopoly in the data field from the perspective of industry development. For business operators, however, this may require improved technical capabilities and increased costs for data compliance.
Previously, the PIIA requirement was scattered across various draft regulations and national guidelines with no binding effect. The PIPL for the first time provides the PIIA requirements as binding law. Under the PIPL, companies should conduct a PIIA before the following data processing activities:
The PIPL affirms the previous approach under the nonbinding national guideline and requires certain companies to designate a person who will be responsible for personal information protection matters, which is similar to the requirements under the GDPR to designate a Data Protection Officer (DPO). In contrast to the DPO requirement under the GDPR, the PIPL restricts the application scope only to certain companies—i.e., those that will process personal information exceeding a yet-to-be-announced amount threshold designated by the CAC.
Given the technology innovation and significant growth of tech giants in China, the PIPL imposes the following additional requirements for certain types of internet-related businesses/technology:
The PIPL creates an additional obligation on the entrusted data processor. Article 59 provides that an entrusted data processor that accepts an entrustment to process personal information shall, in accordance with the provisions of the PIPL and relevant laws and administrative regulations, take necessary measures to ensure the security of the personal information processed, and assist the Data Controller in performing the obligations under the PIPL.
The PIPL categorizes the personal information of children under the age of 14 as sensitive personal information and requires the Data Controller to formulate specific personal information protection rules for children. This is not a new requirement because the CAC has already stipulated similar requirements in the Regulation on the Cyber Protection of Children's Personal Information in 2019. However, this CAC regulation is only a low-level ministry regulation while the PIPL lifts the importance of these requirements to the highest level of law.
Article 69 creates a presumption of liability on the Data Controller. If the processing of personal information infringes the rights and interests of personal information and causes damages and the Data Controller cannot prove that it is not at fault, the Data Controller shall be liable for damages and compensation. This requires business operators to keep proper records and evidence to prove that they have taken proper measures with respect to data compliance, which further reflects the importance of business operators’ implementation of the PIIA in advance to ensure that personal information processing activities by business operators are legally compliant.
Article 57 of the PIPL provides the notification obligations of the Data Controller after a data breach. On such an occasion, the Data Controller should “immediately” take remedial measures and notify the personal information protection authority and data subjects. This notification should include the following details: (1) types, reasons, and possible harms from the personal information leakage, tampering, or loss that occurred or may occur; (2) remedial measures taken by the Data Controller and measures that data subjects can take to reduce harm; and (3) contact information of the Data Controller.
However, while notifying the authority is required, notification to data subjects is not mandatory if the Data Controller is able to take measures to effectively avoid damage caused by the data leakage, tampering, or loss. If the authority believes that it may cause harm, it still can request the Data Controller to notify the data subjects.
Other than the general requirement of “immediate” notification, the PIPL does not provide specific timing for notifying the authority or data subjects.
The PIPL increases the penalties from the capped amount of RMB 1 million (approx. $149,000) under the CSL to RMB 50 million (approx. $7,456,000) or 5% of the last year's turnover of the company. The company’s business license may also be revoked. For the directly responsible persons of the company, the government authority could impose a fine of up to RMB 1 million and may prohibit them from serving as directors, supervisors, senior managers, or DPOs of related companies within a certain period of time.
In conclusion, as the PIPL provides a grace period of less than three months before it takes effect, business operators in China should, as soon as possible, fully understand the legal requirements therein, conduct compliance reviews for their existing data processing practices, and upgrade and implement robust privacy protection mechanisms for data compliance, including establishing, reviewing and/or updating their data consent form to be signed by their employees to meet the requirements under the PIPL.
If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following Morgan Lewis lawyers:
Gregory T. Parks