On August 20, 2021, China’s 13th Standing Committee of the National People’s Congress passed the country’s first comprehensive data protection law, the Personal Information Protection Law (the “PIPL”). The law is modeled, in part, on other jurisdictions’ omnibus data protection regimes, including the EU General Data Protection Regulation (“GDPR”).
When it comes into effect on November 1, 2021, the PIPL will govern personal information processing activities carried out by companies or individuals within China. Like the GDPR, the PIPL will also apply to a company’s processing activities conducted outside of China. A company not established in China is also covered by the law if it processes personal information about individuals located in China in order to (1) offer goods or services to individuals in China, or (2) analyze and evaluate the behavior of individuals in China.
The PIPL establishes a comprehensive framework to govern the processing of personal information. As is the case with the GDPR, the PIPL, for example, states that personal data must be handled pursuant to a reasonable purpose and shall be limited to the minimum scope necessary to achieve the goals of that handling. It also requires companies to provide notice to data subjects that includes the elements specified in the law.
Like the GDPR, the PIPL requires a company to establish a legal basis to process personal information. Under the PIPL, “notice and consent” is the primary legal basis for lawful processing. The law carves out exceptions to the notice and consent requirement based on the complexity and circumstances of the personal information processing activity.
Regardless of the available legal basis for processing, companies must obtain consent in the following instances when:
The PIPL also specifies rules regulating specific types of processing activities (e.g., joint processing, data processing by third parties such as vendors, data sharing, the publication of personal information, and automated decision-making), as well as rules applicable to different types of data, such as “sensitive” personal information. In addition, the PIPL prohibits data-enabled price discrimination against existing customers.
In addition to providing for data minimization and purpose specification, the PIPL provides for data subject rights, including rights of access, correction, and deletion of personal information.
Various authorities, including the CAC, relevant departments of the State Council, and local government departments at or above the county level, will have supervisory, planning, coordinating, and administrative responsibilities under the PIPL. Penalties for serious violations of the PIPL include fines of just under 50 million RMB or 5% of an entity’s revenue in the prior year.
Companies transferring data out of China for processing should be aware of new guidance issued on June 26 by China’s National Information Security Standardization Technical Committee: the Cybersecurity Standards Specification for the Certification of Cross-Border Processing of Personal Information.