China Passes the Personal Information Protection Law

Written by: Brett Lawrence, Esq.

On August 20, 2021, China passed its Personal Information Protection Law (“PIPL”). This is China’s first general and broadly sweeping privacy law regulating the collection, processing, and transferring of personal information, similar to the European Union’s General Data Protection Regulation (“GDPR”). PIPL takes effect on November 1, 2021, less than three (3) months after its promulgation.

We highlight the key areas of PIPL below:

1. PIPL Application

Like GDPR, PIPL applies to personal information processing activities executed by “personal information processing entities” either inside or outside China. PIPL applies processing activities performed outside China if the processing is: (1) to provide products or services to individuals, (2) analyze or assess the behavior of individuals, or (3) for other purposes specified by laws and regulations. Importantly, foreign entities must establish a dedicated office or appoint a designated representative in China for personal information protection purposes.

“Personal information processing entities” is defined as “organization or individual that independently determines the purposes and means for processing of personal information.” This is similar to the definition of “data controller” under GDPR.

2. Basis for Processing Personal Information

PIPL requires that all personal information processing entities have a lawful basis to process personal information. The following are PIPL’s listed bases for processing personal information:

• • Obtaining revocable, voluntary, and informed consent;
  • Necessary to execute or perform a contract where the individual is a party;
  • Necessary to conduct human resources management according to lawfully formulated internal labor policies and lawfully concluded collective labor contracts;
  • Necessary to perform legal responsibilities or obligations;
  • Necessary to respond to a public health emergency, or to protect the safety of an individual’s health or property;
  • Reasonable to carry out news reports, public opinion supervision, or other acts of public interest;
  • Personal information is already disclosed, within a reasonable scope in accordance with PIPL;
  • Other circumstances as outlined by laws and regulation.

3. Cross-Border Transfers of Personal Information

If the personal information processing entity intends to transfer any personal information outside China, the following must occur:

• • Separate consent must be received beforehand. This requirement applies whether or not prior consent or another legal basis for processing has been received;
  • The processing entity must adopt necessary measures to ensure that the overseas recipients can provide the same level of protection as required under PIPL;
  • The processing entity must perform a “personal information protection impact assessment.”

A “personal information protection impact assessment” highlights the legality of the processing, any impact on individual rights or security, and the quality of the protective measures adopted. This is similar to GDPR’s “data protection impact assessment.”

4. Localization Requirements

PIPL requires all personal information be stored inside China if the processing is conducted by (1) critical information infrastructure (“CII”) operators or (2) entities that process a certain volume of personal information. The volume threshold will be determined at a later time by the Cyberspace Administration of China. If a CII operator or entity processing personal information over the threshold wants to transfer personal information overseas, those entities need to pass a China‑provided security assessment.

A CII operator is a defined term from another China law as a business engaged in important industries or fields, such as energy, transport, finance, national defense, and any other important network facilities or information system that could seriously harm China’s nationals security, economy, of people’s livelihoods.

5. Personal Information Rights

Individuals within China have the following rights with respect to the processing of their personal information:

• • Right to know and make decisions about the processing of their personal information;
  • Right to restrict or refuse processing;
  • Right to access and inspect the personal information being processed;
  • Right to transfer their personal information;
  • Right to correct any inaccurate personal information;
  • Right to have their personal information deleted;
  • Right to file a lawsuit in China if their request to exercise any of their rights is denied.