What is China’s Personal Information Protection Law (PIPL)?
A look at the country's recently introduced law governing how personal data is defined and processed


China’s Personal Information Protection Law (PIPL), which came into force on 1 November 2021 following approval by the country’s legislature on 20 August 2021, stipulates how data can be collected and used in the country, and also governs the actions of companies hoping to move data out of China.
The law regulates personal information processing activities in China, as well as any activities carried out by state agencies. The law describes a processor of personal information as any organisation or individual that is able to make its own decision on the purpose, means of processing, and other matters relating to the processing of personal information, according to Hong Kong’s Office of the Privacy Commissioner for Personal Data (PCPD).
It also applies to foreign organisations that process personal data overseas, for the purpose of providing products and services to Chinese consumers or analysing their behaviour. Under the new law, these businesses will have to establish designated agencies or appoint representatives based in the country to assume responsibility for matters related to personal data protection.
What counts as personal data under PIPL?
The law is fairly broad in its interpretation of personal information, which refers to any recorded information that relates to identified or identifiable natural persons, excluding anonymised information, whether recorded electronically or in other forms. The processing of personal information refers to its collection, retention, use, handling, transmission, and erasure.
A large part of this information belongs to China’s internet users, of which there were 989 million by the end of 2020, of whom 183 million were minors.
Why was the PIPL drafted?
The Chinese government has said that the development of big data brings convenience to life, but also “breeds chaos”. It has said that some platforms over-collect personal information while some businesses install image acquisition equipment without permission from customers, allowing them to secretly record their faces.
"Currently, the whole society pays close attention to new technologies such as user profiling and recommendation algorithms, and problems including big data-enabled price discrimination have arisen," said Zang Tiewei, spokesperson for the Legislative Affairs Commission of the NPC Standing Committee, as reported by Xinhua News Agency, the state-run news outlet.
What does PIPL do?
The law prohibits the excessive collection of personal information, as well as the practice of companies using big data to inform price discrimination against existing customers.
Processors of personal information using automated decision making need to ensure the decision-making processes are transparent, and the results are fair and impartial. If the automated decisions cause a significant impact on the individuals’ rights and interests, individuals will have the right to request the processors to provide an explanation and object to the decisions made solely by automated process.
Individuals also now have the right to access and obtain a copy of their personal information from the processors, who have to respond in a timely manner.
For tech giants that process the personal information of millions of users, the new law requires them to establish an independent body made up of outsiders to supervise how the data is handled. They are also required to create their own rules on personal information protection, following principles such as “openness, fairness, and justice”, and to publish social responsibility reports on personal information protection regularly.
In public places, where image acquisition and personal identification equipment is installed, signs need to be set up to tell the public that the equipment is in use and why it is being used.
Lastly, the law strengthens data protection for minors, detailing that the personal information of anyone under 14 should be classed as sensitive, requiring processors to formulate special processing protocols for this group.
What happens if companies want to move data overseas?
Companies or processors of personal information that need to transfer data out of the country must first carry out a personal information protection impact assessment. Processors are required to gain consent from the individuals affected and must inform them of the names of the receiving parties, their contact information, the processing purposes, the means of processing, the categories of personal information involved, and the ways and procedures by which individuals can enforce their rights under PIPL.
Apart from this, processors will need to either pass a security assessment conducted by state cyberspace authorities, obtain certification in relation to personal information protection, or enter into a standard contract as prescribed by the cyberspace authorities.
What are the fines for breaches of PIPL?
If a data processor falls foul of the law, personal information protection authorities have the power to issue an order for rectification and even confiscate any income associated with that data processing activity. Organisations that refuse to comply with the rectification order will be liable for a fine of up to RMB 1,000,000 (£114,000).
The law also recognises individual responsibility, with the person directly in charge of the unlawful processing activity, and any other personnel who bear direct responsibility, also being liable for a fine between RMB 10,000 (£1,145) and RMB 100,000 (£11,454).
However, for cases that are deemed to be of a serious nature, personal information protection authorities may issue an order of rectification, confiscate unlawful income, and impose a fine of up to RMB 50,000,000 (£5.7 million) or 5% of the previous year’s annual turnover, whichever is higher. Authorities could also suspend the business or operation and cancel its business permits or licences.
The person in charge, as well as other personnel, will be liable to a fine between RMB 100,000 (£11,454) and RMB 1,000,000 (£114,000), and may be barred from serving as directors, supervisors, senior officers, and company-appointed personal information protection officers for a set duration.
When did PIPL come into effect?
PIPL was approved by the Chinese legislature on 20 August 2021, before being implemented a few months later, on 1 November 2021.
Zach Marzouk is a former ITPro, CloudPro, and ChannelPro staff writer, covering topics like security, privacy, worker rights, and startups, primarily in the Asia Pacific and the US regions. Zach joined ITPro in 2017 where he was introduced to the world of B2B technology as a junior staff writer, before he returned to Argentina in 2018, working in communications and as a copywriter. In 2021, he made his way back to ITPro as a staff writer during the pandemic, before joining the world of freelance in 2022.