A new Data Protection Law was passed in China
By Mariano Peruzzotti and Antonella Balbo.
On August 20, 2021, the People’s Republic of China Congress passed a new national personal data protection law.
The Personal Information Protection Law (“the PIPL”) establishes a set of rules on the collection and processing of personal information. Its main purpose is to protect personal information rights and interests, standardize personal information handling activities, safeguard the lawful, orderly, and free flow of personal information, and stimulate the reasonable use of personal information.
The spirit of the PIPL resembles the EU GDPR.
We summarize below some aspects of the law:
- Scope: The PIPL applies to the activities of organizations and individuals handling the personal information of natural persons within the borders of China. It also applies to specific information processing activities conducted outside its borders.
- Definition of personal information: The term covers all kinds of information recorded by electronic or other means, related to identified or identifiable natural persons, not including information after anonymization handling.
- Legal basis: The PIPL recognizes several legal bases for the processing of personal information, such as the individuals’ consent, the existence of a contract, the necessity for performing legal duties or legal obligations, and the necessity for dealing with public health emergencies or for the protection of the life, health, and property safety of a natural person, among others.
- Sensitive information: Sensitive personal information can only be processed for specific purposes and when sufficiently necessary. Sensitive personal information is personal information that, once leaked or illegally used, can easily lead to the infringement of the personal dignity of natural persons or to harm to personal or property safety. It includes such information as biometrics, religious belief, specific identities, medical health, financial accounts, and whereabouts, and the personal information of minors under the age of 14.
- International information transfer: The PIPL provides restrictions on the cross-border transfer of personal information. It also rules that where any country or region adopts discriminatory prohibitions, limitations or other similar measures against China, China may adopt retaliatory measures against said country or region.
- Data subjects’ rights: Data subjects have the right to:
  - know and decide on matters relating to their personal information;
  - restrict or prohibit the processing of their personal information;
  - access and copy their personal information;
  - update or complete their personal information;
  - erase their personal information;
  - obtain information about the personal information handling rules.
- Data controllers’ obligations: Controllers shall meet the following obligations, among others:
  - Implement security measures.
  - Appoint persons responsible for personal information protection.
  - Conduct audits on proper compliance with the PIPL.
  - Conduct a risk assessment in advance of certain personal information processing activities.
- Sanctions: Breaches of the PIPL may be sanctioned with fines of up to CNY 50M (approximately USD 7,7M) or 5% of annual revenue.
As noted above, the PIPL will have an extraterritorial effect and will apply to the following processing activities:
- processing, within China, of personal information of natural persons; and
- processing, outside of China, of personal information of natural persons who are in China, if such processing is:
  - for the purpose of providing products or services to natural persons in China;
  - to analyze/evaluate the behavior of natural persons in China; or
  - other circumstances prescribed by laws and administrative regulations.
Companies handling personal information from outside of China and covered by any of the cases listed above must appoint a representative, who will be responsible for compliance with said regulation and for the protection of personal information. This is an obligation that companies doing business in China shall properly consider and address to fully comply with the provisions of the PIPL.
The PIPL is to a great extent in line with the provisions of Argentine Personal Data Protection Law No. 25,326, in force in Argentina since 2000.
The PIPL takes effect on November 1st, 2021. The expected further regulations and decisions will shape the understanding of the scope, application and rules of the PIPL in the upcoming weeks.
For further information contact: mperuzzotti@ojambf.com.