China PIPL
China’s data protection law.
What is PIPL?
The Personal Information Protection Law (PIPL) is China’s data protection law that came into effect on November 1, 2021. According to the text of the law, its intended purpose is “protecting the rights and interests of personal information, regulating personal information processing activities, and promoting reasonable use of personal information.”
The law bears many similarities to the EU’s GDPR, but it stands out in that it works alongside two other laws to regulate data privacy, namely the Cybersecurity Law and the Data Security Law. The greatest impact of this is seen in cross-border data transfers and in the individuals’ right to data portability.
One other difference is that this law protects the personal information of deceased persons as well, stating that the close relatives of a deceased individual may exercise data subject access rights on said personal information of the deceased individual “such as consultation, duplication, rectification, and deletion,” even if only “for their own legal and legitimate interests,” except in cases where the deceased individual made other arrangements before death.
What is Personal Information and what are other key definitions?
Similar to the GDPR, under PIPL ‘personal information’ is defined as “various information related to an identified or identifiable natural person recorded electronically or by other means, but does not include anonymized information,” while ‘sensitive personal information’ is “personal information that once leaked or illegally used, may easily lead to the infringement of the personal dignity of a natural person or may endanger his personal safety or property, including information such as biometrics, religious belief, specific identity, medical health status, financial accounts, and the person's whereabouts, as well as the personal information of a minor under the age of 14 years.”
Thus a child is anyone under the age of 14, and anonymized data is not treated as personal information. Anonymization is defined here as “the process of processing personal information to make it impossible to identify specific natural persons and impossible to restore.”
Although there is no official definition of ‘data processor,’ the text of the law does refer to “the party entrusted with the processing of personal information,” so processors are not excluded. Article 73 does define ‘personal information processor,’ which appears to be the equivalent of the GDPR’s ‘data controller,’ as “an organization or individual that autonomously determines the purposes and means of personal information processing.”
Who has to comply with the PIPL?
PIPL applies to the processing of personal information of individuals located within the territory of China.
PIPL also applies to processing activities carried out outside China, but only if the purpose of the processing is
- to provide services or products to individuals in China;
- to assess the behaviors of individuals within the territory of China; or
- for any other purposes stated by Chinese laws and regulations.
Who is excluded from PIPL compliance?
According to Article 72, the PIPL does not apply to the processing of personal information by an individual for personal or household purposes.
Likewise, the processing of personal information for statistical purposes or for archive management by governmental entities is covered only by other laws, where such laws exist.
How can I keep my organization PIPL compliant?
PIPL, same as other data privacy laws across the world, comes with several principles that your organization has to follow in order to be compliant:
- Lawfulness: Art. 5 says that “personal information shall be processed according to law when it is necessary, with justified reason, and in good faith, and the processing may not involve misguidance, fraud, coercion, and the like.”
- Purpose limitation: according to Art. 6 “personal information processing shall be based on explicit and reasonable purposes and directly related to those purposes, and shall exert the minimum impacts on the rights and interests of individuals.”
- Data minimisation: the same article mandates that “the collection of personal information shall be limited to the minimum scope required by the purpose of processing, and personal information may not be collected excessively.”
- Openness and transparency: Art. 7 says that these principles will be observed if “the rules for processing personal information shall be disclosed, and the purposes, means, and scope of processing shall be explicitly indicated.”
- Accuracy: as detailed in Art. 8 your organization has to guarantee the quality of personal information in order “to avoid adverse impacts on the rights and interests of individuals caused by inaccurate and incomplete personal information.”
- Security: you are held responsible for your personal information processing activities and must take all necessary measures to ensure the security of the personal information you process, according to Art. 9.
- Data retention limitation: Art. 19 makes it clear that “except as otherwise provided by laws and administrative regulation,” the period allowed for storing of personal information has to be “the minimum time necessary to achieve the purpose of processing.”
Throughout Articles 51 to 57 the law establishes a series of further obligations that organizations must meet in order to become and remain compliant, namely:
- you must implement a privacy program that ensures that your processing activities are in line with the laws and regulations in place, develop appropriate security measures, assess potential risks and prevent unauthorized access to personal information or any data breaches. To help achieve this, the law lists the following measures:
  - “formulating internal management system and operational procedures;
  - implementing classified management of personal information;
  - adopting corresponding security technical measures such as encryption and de-identification;
  - reasonably determining the operational authority of personal information processing, and regularly conducting safety education and training for practitioners;
  - formulating contingent plans for personal information security emergencies and organizing the implementation of such plans; and
  - other measures as provided by laws and administrative regulations;”
- you must appoint a Data Protection Officer (DPO) if you process personal information “up to the amount prescribed by the national cyberspace department,” an amount that is yet to be defined, and disclose the contact details of the person appointed to the enforcement authorities;
- if your organization falls within the extraterritorial scope of PIPL, you are required to appoint a local representative or entity that will be responsible for your data protection practices, and to disclose the contact details of that person or entity to the regulatory authorities;
- you are required to conduct regular compliance audits of your organization’s data protection practices;
- you must also conduct DPIAs when any of the following circumstances apply:
  - you are processing sensitive personal information;
  - you are using personal information for the purpose of automated decision making;
  - you intend to disclose personal information to data processors (“entrusted entities”);
  - you are about to transfer personal information abroad; or
  - you are engaging in activities that would have a significant impact on the individuals whose personal information you process.
- in the event of an actual or potential data breach, you must immediately take “remedial measures” and notify both the relevant authorities and the affected individual(s);
- if your organization is a party to a data transfer out of China, make sure you have implemented one of the required mechanisms for data transfer: a security assessment, certification, or standard contractual clauses (SCCs).
What data access rights does PIPL grant?
Same as the GDPR, China’s PIPL grants individuals several data subject access rights:
- Right to access data
- Right to correct inaccurate data
- Right to the portability of data
- Right to delete personal data
- Right to information about how entities are sharing your data
- Right to restrict processing
- Right to object to processing
- Right to object to automated processing
However, the text of the law is not as precise as that of the GDPR. In the case of the right to data portability, there are additional requirements, established and regulated by the Cyberspace Administration of China, that have to be met, which may complicate matters.
Another difference is that Chinese individuals have a private right of action against your organization if you reject their data subject access request. There is also mandated compensation to individuals, based either on the actual damage caused or on the profit your organization illegally obtained from fraudulent personal information processing.
How to address data subject access requests under PIPL?
Under the PIPL, you are required to answer a data subject access request “in a timely manner,” but no actual time frame is given for what this means, and there is no mention of any possible extension period.
In the case of a request for transfer of personal information, or data portability, if the designated personal information processor that is the intended recipient of the personal information meets the requirements of the national cyberspace department, you are required to “provide means for the transfer” but there is no mention as to who is responsible for ensuring that the recipient of the personal information meets the requirements mentioned above.
You are responsible for setting up “the mechanism for receiving and handling individuals' requests for exercising their rights” and where a request is rejected you must provide a reason for this, with the individual having the possibility to file a lawsuit against your organization.
Enforcement and penalties
If you are in violation of the PIPL, the regulating authority, the Cyberspace Administration of China (CAC), can order you to make corrections, issue a warning, confiscate any illegal gains, or order the suspension or termination of the services provided by the applications that illegally process personal information.
If you refuse to take corrective measures following an order by the regulating authority, you may be fined up to RMB 1,000,000 yuan (approx. 138,000 USD), and every directly liable person may be fined between RMB 10,000 yuan (approx. 1,380 USD) and RMB 100,000 yuan (approx. 13,800 USD).
For serious violations the fine is up to RMB 50 million yuan (approx. 6,900,000 USD) or 5% of the previous year’s turnover; however, it is not clear whether this refers to worldwide turnover or only to revenue generated in China.
Besides these penalties, violations of the PIPL may also be recorded in “the relevant credit record and be published in accordance with the provisions of the relevant laws and administrative regulations,” and your organization is liable for tort damages if you infringe upon the rights and interests of personal information.
Data Subject Rights - GDPR vs. PIPL

| GDPR | PIPL |
| --- | --- |
| Right to access data | Right to access data |
| Right to correct inaccurate data | Right to correct inaccurate data |
| Right to the portability of data | Right to the portability of data |
| Right to delete personal information | Right to delete personal data |
| Right to information about how entities are sharing your data | Right to information about how entities are sharing your data |
| Right to restrict processing | Right to restrict processing |
| Right to object to processing | Right to object to processing |
| Right to object to automated processing | Right to object to automated processing |
How can Clym help?
Clym believes in striking a balance between digital compliance and your business needs, which is why we offer businesses the following:
- All-in-one platform: One interface combining Privacy and Accessibility compliance with global regulations, at an affordable price;
- Seamless integration into your website;
- Adaptability to your users’ location and applicable regulation;
- Customizable branding;
- ReadyCompliance™: Covering 30+ data privacy regulations;
- Six preconfigured accessibility profiles, as well as 25+ display adjustments that allow visitors to customize their individual experience.
See Clym in action by booking a demo, or reach out to us to discuss your specific needs today.
Questions?
If you would like to learn more, our compliance experts are happy to support you.