What is PIPL?
China’s PIPL or Personal Information Protection Law officially took effect on November 1, 2021. China’s new data protection law will potentially have the greatest reach of global privacy laws, since it protects one of the world’s largest populations. Certainly, it deserves your attention if you conduct business in China. The consequences for failing to comply could include high penalties and even government redlisting and restriction of activities. So, let’s look at China’s data protection law and consider key points to keep in mind for PIPL compliance.
Who must comply with PIPL?
Besides regulating organisations’ and individuals’ handling of personal data belonging to natural persons within the jurisdiction of China, the PIPL is a data law that extends the territorial scope beyond China’s borders.
Data processing activities established outside of China are also covered if one of the following circumstances is present:
- The purpose is to provide products or services to natural persons inside China’s border
- Other circumstances provided in laws or administrative regulations
- Conducting analysis or assessment of activities of natural persons inside the borders
Therefore, all websites, companies and organisations in the world should comply with the PIPL if they offer goods or services to Chinese citizens.
What should I know about PIPL fines?
PIPL caps fines at 5% of a company’s annual revenue of the previous year or CNY 50 million (about €6.7 million). PIPL’s upper limit for fines is for “grave” violations (an undefined term). Chinese authorities may also: suspend offending business activities, stop business activities entirely, cancel administrative and business licences, or place offending organisations on a red list and restrict or prohibit them from collecting personal data.
Who enforces PIPL compliance?
The Cyberspace Administration of China is the primary body responsible for enforcing PIPL compliance. However, several other state council departments may also regulate the PIPL and issue implementing regulations.
What types of data does PIPL protect?
PIPL protects all kinds of information, whether recorded by electronic or other means, that relates to identified or identifiable natural persons (excluding anonymised data). The language allows Chinese authorities to take a broad approach when interpreting what constitutes personal information in practice.
Definition of sensitive data according to PIPL
PIPL gives special protection to personal information that, if you were to disclose it or use it illegally, may easily cause grave harm to the dignity, personal, or property security of natural persons. This includes, but is not limited to:
- Biometric characteristics
- Religious beliefs
- Specially designated status, medical health
- Financial accounts
- Individual location tracking
- Personal information of minors under the age of 14
This open list describes sensitive data that “may easily cause grave harm”. In this way, it allows the PIPL to consider some data as sensitive that the GDPR may not. To process this type of sensitive personal information, you should obtain a separate consent.
Consent and lawful basis of processing
The most common legal basis under PIPL is consent, which must be informed, voluntary and explicit. (Art. 13 lists other legal bases). If your processing purpose, processing method, or the type of personal information you process changes, you’ll need to get a new consent. Unlike GDPR, PIPL does not recognise “legitimate interests pursued by the controller” as a legal basis for personal information processing. This and other aspects of the PIPL put extra emphasis on obtaining consent.
Privacy notices for PIPL compliance
For PIPL compliance, you must provide consumers with a comprehensive description of your online and offline practices. For example, how you collect, use, disclose, or sell personal information. Additionally, you should list people’s data rights in clear and easy-to-understand language.
PIPL processing principles
PIPL emphasises the following principles for processing data:
- Legality
- Appropriateness
- Necessity and Good Faith
- Clear and Reasonable Purpose (includes data minimisation)
- Openness and Transparency
- Quality Assurance and Accountability (includes accuracy and security).
PIPL requires a “clear and reasonable purpose” for processing data, that the collection of personal information be minimised and not excessive, and that the security of personal information be ensured. The PIPL requires companies to establish policies and procedures on personal information protection, implement technological solutions to ensure data security, and carry out risk assessments prior to engaging in certain processing activities.
Local representative
Offshore organisations that process data belonging to Chinese citizens must establish a dedicated office or appoint a representative in China to be responsible for personal information protection in China.
Data subject rights in PIPL
The PIPL specifically provides that organisations shall establish a mechanism for receiving and processing individuals’ rights requests. It sets no specific timeline or extension period requirements. If an individual’s request for the exercise of their rights is rejected, the reasons shall also be explained. Individuals may in turn file a lawsuit with a People’s Court according to the law to challenge the rejection of their DSR requests.
Right to know and decide/be informed for PIPL
Individuals have ‘the right to know and the right to decide’ when it comes to their personal information, and may request that handlers explain their handling rules. The PIPL includes an additional requirement for personal information handlers to notify individuals of the name/personal name and contact method of the receiving party when sharing their data with third parties.
Right to access
Individuals have the right to access and copy their personal information from the data controllers. The following are a few exceptions to this right:
- Where state organs process personal information for the purpose of fulfilling statutory duties and responsibilities
- Where laws or administrative regulations provide that confidentiality of personal information shall be preserved
A unique characteristic of the PIPL is that all data rights extend beyond an individual’s death and can be exercised by close relatives of the deceased unless otherwise arranged by the decedent during their lifetime.
Right to deletion/blocking/restriction
Individuals have the right to deletion, and the PIPL requires a data controller to proactively delete personal information where one of the following circumstances occurs. If the personal information handler has not deleted the data in these circumstances, individuals have the right to request deletion when:
- The processing purpose has been achieved, is impossible to achieve, or the personal information is no longer necessary to achieve the processing purpose
- Data controllers cease the provision of products or services, or the retention period has expired
- The individual rescinds consent
- The data controller processed the personal information in violation of laws, administrative regulations, or agreements
- Other circumstances provided by laws or administrative regulations
Where the retention period provided by laws or administrative regulations has not expired, or personal information deletion is technically hard to realise, data controllers shall cease personal information processing except for storage and taking necessary security protective measures. The PIPL also provides individuals the right to limit, or refuse the processing of their personal information by others, unless laws or administrative regulations stipulate otherwise.
Right to correct and amend
Individuals have the right to request personal information handlers correct or complete their personal information. Where individuals request to correct or complete their personal information, data controllers are required to verify the personal information and correct or complete it in a timely manner.
Right to data portability
Individuals have the right to request a data controller to transfer their personal information to another data controller. However, specific conditions for moving data will be determined by state cybersecurity and information departments.
Right to withdraw consent
In PIPL, individuals have the right to withdraw consent. However, PIPL states that withdrawal of an individual’s consent does not affect the effectiveness of the personal information processing activities that have been carried out based on the individual’s consent before the withdrawal.
Right to object to automated decision making
The PIPL does not provide an explicit right to object to automated decision-making. However, it requires that if the data controller conducts information push delivery or commercial sales to individuals through automated decision-making methods, the data controller shall provide the option not to target an individual’s characteristics, or provide the individual with a convenient method to refuse the automated decision-making processing.
Data protection impact assessment (DPIA)
Organisations should conduct risk assessments and record them before conducting “specific personal information processing activities” that have a significant impact on individuals, such as processing sensitive PI, automatic decision-making, entrusting processors, providing PI to third parties and so on. Even when the high-risk standard is not met, it is still prudent to conduct a DPIA to minimise liability and ensure best practices for data security and privacy are being followed in your organisation.
Cross-border data transfer requirements
In PIPL, transferring personal information outside the territory of China should meet three necessary conditions: (1) obtaining the personal information subject’s separate and informed consent; (2) conducting personal information protection impact assessment and making record; and (3) adopting one of the measures set forth in the PIPL to ensure that adequate safeguards would be provided for the transfer.
For PIPL compliance, you must also ensure data protection standards are met after transfer. The PIPL stipulates that without the approval of the Chinese regulatory authority, personal information stored in China shall not be provided to judicial or law enforcement agencies outside China. This provision is in line with the newly enacted Data Security Law of China.
Security measures
According to PIPL, the data controller must have an internal management structure and operating rules, processing limits framework, and technical security measures such as encryption & de-identification. Data controllers should also have a mechanism for the categorised management of personal information. Data controllers should conduct audits of their processing activities and compliance with other laws; conduct security education and training of its employees; and implement additional safeguards for sensitive personal information and processing.
Do I need to report data breaches?
You must take immediate action and notify the relevant agency and affected individuals. When the measures taken can effectively avoid damages to personal information, you do not have to notify individuals.
Third-party processors
When engaging third parties to process people’s personal information, you must conclude an agreement that specifies:
- The purpose of processing
- A time limit for the third party to retain the data
- Their data-handling methods
- Categories of data they will access
- Their data protection measures
- The rights and duties of both sides
Further, you should supervise the entrusted party to make sure they handle the data properly. The entrusted party, in turn, must handle personal information according to the agreement. They should also take measures to safeguard the security of the personal information they handle and assist you in fulfilling your PIPL obligations.
Do I need a DPO?
You may need to appoint a Personal Information Protection Officer in specific situations, depending on the volume of personal information you process. China’s state cybersecurity and informatisation department will provide clarity on the volume threshold. Data controllers are also required to disclose the methods of contacting Personal Information Protection Officers and report the names of the officers and contact methods to the departments in charge of personal information protection duties and responsibilities.
Internet platform services obligations
For PIPL, data controllers that provide internet platform services to a large (undefined) number of users and have complex business models must:
- Establish and complete personal information protection compliance structures
- Establish an independent body to supervise personal information handling
- Follow the principles of openness, fairness, and justice
- Immediately cease their service offerings when in serious violation of the law
- Regularly publish reports on the social responsibility of personal information handling
Records and documentation
PIPL does not provide an explicit requirement for having a record of data processing activities. However, PIPL compliance requires audits of your personal information processing activities and adherence to laws and administrative regulations. It also requires you to save personal information protection impact assessment reports and handling status records for at least three years.
Sebastian Allerelli
Founder & COO at Safe Online
Governance, Risk & Compliance Specialist