The Personal Information Protection Law of the People's Republic of China (PIPL) comes into force on November 1, 2021. Its goal is to protect personal data belonging to the people of China, and to empower individuals to take charge of their own data privacy.
There's a translation of the text available through Stanford's DigiChina Project, which is committed to translating Chinese primary sources to make them more accessible.
If you're a business with any clients or customers in China, or you plan on targeting a Chinese audience, here's how the Law works and how you can ensure compliance.
- 1. How China's PIPL Defines "Personal Information"
- 2. What "Processing of Personal Information" Means Under PIPL
- 3. When Does PIPL Apply?
- 4. Rights of the Individual Under China's PIPL
- 4.1. Article 15: Right to Withdraw Consent
- 4.2. Article 16: Right to Non-Discrimination
- 4.3. Article 17: Right to Be Informed
- 4.4. Article 24: Right to Refuse Automatic Decision Making
- 4.5. Article 44: Right to Make Decisions Regarding Personal Information
- 4.6. Article 45: Right to Data Portability
- 4.7. Article 46: Right to Amend
- 4.8. Article 47: Right to Request Deletion
- 4.9. How to Present User Rights
- 5. The PIPL and Lawful Basis for Processing
- 6. Article 55 Impact Assessments
- 7. Transferring Personal Data Overseas Under the PIPL
- 8. Reporting Data Breaches
- 9. Obligations for Personal Data Processors
- 10. Penalties for Breaching the PIPL
- 11. Conclusion
How China's PIPL Defines "Personal Information"
As set out in Article 4, personal data is any information of any sort which relates to an identifiable person, but it doesn't include anonymized data.
This is a broad definition, so it's best to assume any data could be personal information unless proven otherwise.
Sensitive information is defined in Article 28 as data which could harm the individual if it falls into the wrong hands, e.g. location tracking data, medical status, or financial information.
You can't handle sensitive data unless there's a clearly indicated purpose. You should also be very cautious if you process data belonging to minors, e.g. if you run an app or website aimed at teenagers.
What "Processing of Personal Information" Means Under PIPL
You are "processing" or "handling" personal data under the PIPL if you do any of the following with it:
- Transmitting or transferring
When it comes to personal data processing, a few rules apply.
- You can't handle personal data in a misleading or fraudulent manner (Article 5).
- It's only permissible to collect data for a specified purpose, and you should minimize the amount of data you need to capture (Article 6).
- You must clearly disclose why you need personal data, how you process it, and who you share it with (Article 7).
- Businesses must implement safeguards to protect data which falls under their responsibility (Article 9).
In many ways, these rules are similar to those found in the GDPR.
When Does PIPL Apply?
The PIPL applies if you process any personal data belonging to residents of China. So, even if you're not physically based in China, any Chinese individuals you target for the sale of goods and services are protected by the Law.
This is all set out in more detail in Article 3 of the PIPL.
Rights of the Individual Under China's PIPL
The Personal Information Protection Law gives individuals a whole host of rights over their personal data and how it's used by organizations. If you're handling personal or sensitive data, you must comply with these rights at all times.
Article 15: Right to Withdraw Consent
If someone consents to a business capturing their personal data, they have the right to withdraw that consent at any time.
Article 16: Right to Non-Discrimination
Businesses can't discriminate against a customer for exercising their right to withdraw consent.
This means that, unless you need the data to perform a contract, e.g. a contract of sale, you can't withhold services from someone just because they're preventing you from capturing their data.
Article 17: Right to Be Informed
Before someone gives you their data, they have the right to know:
- Why you collect the data
- How long you retain the data
- How people can exercise their data privacy rights
- How they can contact you
Article 24: Right to Refuse Automatic Decision Making
People have the right to opt out of automated decision making based on personal data.
If you use personal data or automated decision making in your marketing, then you must give people the choice to reject being part of this.
Article 44: Right to Make Decisions Regarding Personal Information
People should know they have control over their personal data. They are able to decide who accesses and/or handles their data.
Article 45: Right to Data Portability
People can request a copy of their personal data in a portable format e.g. by email, PDF, or another method which suits them. You should provide the data in a timely manner, but what's "timely" isn't specifically defined.
Article 46: Right to Amend
You must let people amend their personal data if they discover it's inaccurate or incomplete in some way. If someone asks you to correct their data, again, you should do this in a timely manner so you're not acting on outdated information.
Article 47: Right to Request Deletion
Finally, people have the right to request that you delete their data. You should comply unless there's a justifiable reason why you can't, e.g. you need the data to comply with other legal obligations.
How to Present User Rights
The PIPL and Lawful Basis for Processing
Under the PIPL, a company must have a lawful basis for processing personal data. The grounds are set out in Article 13. In short, a company can't process personal data unless one of the following grounds applies:
- The individual consents
- A contract can't be performed without the data e.g. a contract of sale
- The company needs the data to perform a statutory obligation
- It's essential for protecting life
- The data is necessary for reporting news, within reasonable grounds
- The company is processing data which the individual has already disclosed lawfully to them
If you plan on relying on individual consent, you must ensure that consent is clear and freely given, as set out in Article 14.
You must also get separate consent if you want to process sensitive data, or share personal data with other companies.
Finally, if you know or should reasonably know that you're handling data belonging to under-14s, you must get parental or guardian consent to processing.
Article 55 Impact Assessments
Under Article 55, companies must perform "personal information protection impact assessments" if they:
- Process sensitive data
- Transfer any personal data overseas
- Share personal data with other companies or entities, or
- Perform any other act which may significantly affect an individual's privacy rights
So, if for example you're processing religious or political data, or you're transferring data to a processor based in another country, you must perform an impact assessment.
Article 56 covers what must be considered as part of your assessment. You should consider:
- The impact of your activities on individual privacy rights
- What steps you can take to protect the data. Steps must be proportionate to the level of risk involved.
- Whether it's reasonable and proportionate to process data in this way
In other words, if you can't justify the need for processing personal data in a certain way, or if you can't safeguard the information effectively, you shouldn't perform the action. You must also keep a record of the impact assessment for three or more years.
Transferring Personal Data Overseas Under the PIPL
While it's fine to send personal data overseas, you must comply with certain rules to do so.
Most importantly, you can't transfer personal data outside China unless you have a lawful basis for sharing the data and you get an individual's specific, informed consent to the transfer.
- There should be sufficient security measures in place to protect any data before, during, and after the transfer
- You must keep a clear record of any overseas data transfers you make
- Before you make the transfer, you should conduct an impact assessment to consider any risks involved in sharing the data
You should check for additional guidance from the Cyberspace Administration of China (CAC) before making any overseas transfers.
Reporting Data Breaches
The rules for data breach reporting can be found in Article 57.
In summary, you must inform the department performing data protection duties if you know or suspect that personal data has been lost, leaked, or compromised in some way. You should set out:
- What information was (or may have been) compromised
- Any steps you took to limit the damage or remedy the situation, e.g. fixing a security malfunction
- How the department can contact you to discuss the breach further
You don't need to inform individuals unless actual harm has been caused, or the relevant department believes that harm will be caused.
Obligations for Personal Data Processors
As a company processing personal data, you have certain obligations under the PIPL, which can be summarized as follows:
- You must implement a secure system for processing and managing personal information
- You can't process personal data without appropriate security safeguards in place, e.g. encryption and de-identification
- It's crucial that you provide regular training and cybersecurity guidance to staff
- Compliance audits must be completed at regular intervals
- You must abide by any other security requirements introduced by the PIPL
And, finally, you must remember that you need a lawful basis for processing personal data. Your responsibilities are set out in more detail in Article 51 of the Law.
Penalties for Breaching the PIPL
The financial penalties for breaching the PIPL can be steep, and they apply if you break the law or fail to take sufficient steps to protect personal data in your possession. You might also face a court action from affected individuals if you fail to let them exercise their privacy rights under the PIPL.
- You will normally be contacted by a regulatory body and given the chance to fix the problem before fines apply
- If you fail to fix the problem, you could be fined up to RMB 1 million (approx. $154,000)
- Individuals can also be held personally liable, depending on the nature of the breach
If the breach is sufficiently serious, then you might face additional sanctions, such as:
- Seizure of income
- Business closure
- Fines of up to 5% of your annual revenue
Given how severe these penalties can be, you should get legal advice if you're worried about meeting your PIPL compliance obligations.
Conclusion
China's Personal Information Protection Law (PIPL) is a huge step forward for Chinese privacy law. The law is designed to help people protect their personal and sensitive data, and to ensure companies take appropriate steps to safeguard any data provided to them.
- Companies need a lawful basis for processing any personal data.
- Individuals can sue companies who refuse to let them exercise their privacy rights.
- You need additional consent for processing sensitive data or sharing it with external entities.
- It's a breach of the law to send data overseas without performing an impact assessment.
- Data breaches must be reported to the appropriate authorities and, where appropriate, affected individuals.
- Failing to fix any data breaches flagged by regulatory bodies could result in steep financial penalties.
Ensure compliance by:
- Obtaining clear, free, and informed consent wherever necessary
- Reporting data breaches as soon as you're aware of them, and taking steps to mitigate damage
- Complying with any orders set out by the regulatory bodies
- Keeping an eye on the law for any changes or updates. It's relatively new, so further guidance will likely appear as time goes on.