On August 20, China’s Standing Committee of the National People’s Congress passed the nation’s first Personal Information Protection Law (个人信息法) (PIPL) (informal English version here). It is modeled after the European Union's General Data Protection Regulation, and has been called by some western media “one of the strictest data-privacy laws.” This new law came at a time when Chinese society is experiencing growing frustration with online data misuse and data theft, and a couple of months after Shenzhen announced its local-level data regulations, which also have a chapter on personal data protection. The PIPL will take effect on November 1.
The PIPL has 74 provisions in 7 chapters, including personal data processing, cross-border flows of personal data, individual rights in data processing, obligations on data processors, government obligations in protecting personal data, and penalties for non-compliance. China released the first draft of the PIPL in 2020 and then the second draft in early 2021. Compared to the two drafts, the final version adds (link in Chinese) more details on discriminatory pricing, protection of minors, and cross-border data flows. Some main takeaways include:
- It clarifies individuals’ rights on personal data, including the right to make decisions on the data.
- It reins in tech companies' access to, processing of, and use of personal data, including setting forth the "notification and consent" principle and the ban on discriminatory pricing against recurring consumers.
- It applies to overseas data activities related to Chinese individuals, if such activities are for the purpose of cross-border provision of goods or services in China, or analysis of Chinese consumers' behavior.
- Sensitive personal data, including data of minors, is subject to more stringent rules.
- It sets out rules for data flows, leaving the door open for China to make special data flow commitments in international agreements.
- It sets forth the government's authority to take retaliatory measures on international data flows.
- It shifts the burden of proof in tort litigation related to personal data.
- It establishes a basis for prosecutors to take a larger role in personal data protection by bringing civil public-interest lawsuits.
Henry Gao, a law professor at Singapore Management University, told China Trade Monitor that PIPL “provides significant enhancement to China’s privacy protection regime. For example, in addition to the existing principles of lawfulness, fairness, necessity, the new law also adds a principle of good faith for the processing of personal information.” Chinese experts also applauded (link in Chinese) the law for setting out the basic requirements of notification and consent as well as the principles of collecting personal data to the minimum extent possible.
The PIPL, along with the Data Security Law, will become a tool to regulate the activities of tech companies, which now possess large amounts of personal data. Earlier this year, China initiated investigations on ride-hailing company Didi for both misuse of personal data and data security risks.
“The biggest impact of the law,” Gao said, “is on the big platform companies, which are subject to additional obligations such as the establishment of independent bodies composed of mainly outsiders to monitor their protection of personal information. This is in some ways similar to the regulation of the ‘gatekeepers’ under the EU’s proposed Digital Markets Act. In addition, there is the provision on data portability, which means that the big platform companies can’t just keep the consumers’ data as their own and greatly reduce their competitive advantages.”
Alexa Lee, senior manager of policy at the Information Technology Industry Council, said that, in practice, compliance with the GDPR is sufficient to achieve compliance with the Chinese law. While there are similar rules in the PIPL and Europe’s GDPR, some European experts believe (link in Chinese) that data protection in the Chinese and EU regimes is not comparable because data protection in China is tied to national security.
Personal data protection
The PIPL clarifies that “personal data” refers to information, recorded electronically or by other means, that relates to identified or identifiable natural persons. It does not include anonymized information.
“Personal data processing” means the collection, storage, use, alteration, transmission, provision, publication or deletion of personal data.
The PIPL requires the data processor to notify the individual whose personal data will be processed of the processor's own information and the method of processing (Article 17), and to obtain consent before processing the data (Article 13). At the same time, the PIPL sets out several exceptions to this consent requirement, including when implementing legal obligations, when necessary in public emergencies, or for the purpose of public interests. (Article 13)
Consumers may revoke their consent. If they do, service providers or data processors may not terminate their service, unless consent is necessary for the service or product. (Article 16)
Targeting the notorious practice of discriminatory pricing, in which service providers use user profiling to discriminate against recurring consumers, the PIPL requires “transparency of decision-making and the fairness and impartiality of the results” if data processors use personal information to make automated decisions, and they “shall not impose unreasonable differential treatment on individuals in terms of prices and other transaction conditions.” (Article 24) The PIPL does not explain what “unreasonable differential treatment” is. However, Article 17 of the State Administration for Market Regulation (SAMR) antitrust guideline (link in Chinese) illustrates what would be considered differential treatment. The data regulations issued by Shenzhen also offer some details. Article 69 of the regulations prohibits using data analysis and user profiles to discriminate during a transaction if there is no substantial difference in the cost, safety level or credit level of the transactions. Both can be used as references to interpret the PIPL, until it is further clarified by implementing regulations at the national level.
Public surveillance shall only be carried out for public safety purposes and must be indicated with prominent notices. The collected data cannot be used for other purposes. (Article 26) This provision will likely apply to both businesses and government agencies. Zhou Hanhua, a law professor at the Chinese Academy of Social Sciences who participated in the drafting of the PIPL, said during an April online interview (link in Chinese) that it is legal for government and law enforcement to install public surveillance for public safety purposes after notifying the public.
Sensitive personal data is subject to stricter rules. Sensitive personal information, according to the law, is personal information that, once leaked or illegally used, can easily lead to a negative impact on personal dignity, personal safety or property. Sensitive personal data includes biometrics, ethnicity, religious beliefs, specific identities, medical and health information, financial accounts, whereabouts and other data. Personal information of minors under the age of fourteen is also considered sensitive personal data. (Article 28)
Processing sensitive personal information requires separate consent, and written consent where the law requires it. (Article 29)
Last year, a Tesla owner protested during a Tesla auto show that she was not able to obtain her vehicle’s driving data from the auto company after a crash. Eventually, Tesla shared the data, but it generated discussions (link in Chinese) in China on who has the rights over driving data: consumers or automakers. Some Chinese lawyers believe that the PIPL clarifies (link in Chinese) that individuals have ultimate control over their data, including driving information.
Article 44 gives individuals the right to know and make decisions about processing their personal information, and the right to restrict or refuse such data processing. Other rights of consumers include reviewing, copying, transferring, correcting and deleting their data. (Articles 45-47)
The PIPL also requires data processors to establish a mechanism to handle individuals' requests related to personal data. If the data processor rejects such a request, it shall explain the reasons for the rejection. The decision may be challenged in court. (Article 50) That means that, in the future, Tesla and other automakers will have to provide data upon the request of car owners or their close relatives. Automakers’ decisions to decline such requests can be reviewed by a court.
Outflows of personal data
The PIPL has a whole chapter about cross-border flows of personal data, outlining six provisions on data flows.
Article 40 requires personal data collected by critical information infrastructure operators, or by processors handling large amounts of personal data, to be stored within China. Export of such data must pass a security assessment by the government agencies, unless exempted by law.
Other businesses that do not fall into the two above-mentioned categories may export data abroad on one of the following conditions:
- Obtain personal information protection certification in accordance with the regulations of the national cyberspace agencies;
- Use the standard contract formulated by the national cyberspace agencies with the overseas data recipients;
- Other conditions stipulated by laws, administrative regulations or other requirements formulated by cyberspace administration agencies. (Article 38)
Special rules may apply where the international treaties and agreements that China has concluded or participated in have provisions on personal data flows. (Article 38) This provision allows China to comply with rules in the international agreements it has joined, such as the RCEP, which was signed but has not taken effect, and leaves the door open for China to join more international agreements in the future.
Exporters of individuals’ personal data shall disclose details of the transfer and the recipients to the individuals concerned and obtain their consent before the export. (Article 39)
In all cases, personal information processors shall take necessary measures to ensure that the overseas data recipients meet the personal information protection standards stipulated in this law. (Article 38)
Overseas entities or individuals that infringe Chinese citizens' personal data or endanger national security or public interests may be restricted or banned from receiving Chinese personal data. Such a decision shall be publicly notified. (Article 42)
Article 43 allows the government to take reciprocal measures if any country or region takes discriminatory restrictions on China with regard to personal data protection.
Personal data can be provided to foreign judicial authorities or law enforcement in accordance with international treaties and agreements China has concluded or acceded to, or in accordance with the principle of reciprocity. Otherwise, personal data stored in China shall not be provided to foreign law enforcement unless approved by the Chinese government. (Article 41)
Data processors’ obligations
Data processors have the obligation to take measures to ensure the safety of personal data, including
- Stipulating internal rules for data protection;
- Implementing classified management of personal data;
- Carrying out encryption and anonymization;
- Providing personnel training with regard to personal data protection;
- Developing emergency plans;
- Conducting regular assessments of its compliance. (Articles 51, 54)
Before they export personal data, transfer the data to a third party, or use the data to generate automated user profiles, they shall assess the impact on personal data safety, and keep the results in their records for at least three years. (Articles 55, 56)
Such assessment shall include:
- Whether the purpose and processing method are legal, proper and necessary;
- The impact on personal rights and security risks;
- Whether the protective measures adopted are legal, effective and commensurate with the level of risk. (Article 56)
Data processors located overseas shall set up dedicated agencies or appoint representatives in charge of personal data protection within China, and file their names and contact information with the government agency. (Article 53)
Once data is compromised, data processors shall notify related agencies and individuals, and take immediate remedial measures. (Article 57)
The PIPL has more specific rules for data processors that provide internet platform services or handle large amounts of user data. (Article 58)
The law has some language that requires government agencies to collect and process personal information in accordance with law, and makes clear that such data processing shall not exceed the scope and extent needed to perform statutory duties. (Article 34) In most cases, the government shall notify individuals about such data processing. (Article 35) The data collected by the government shall be stored within China. If the data has to be transferred abroad, it shall undergo a security review first. (Article 36)
Although the Cyberspace Administration of China underscored (link in Chinese) the government obligations as one of the ten highlights of the PIPL, the law does not, as Karman Lucero, a fellow at the Yale Law School Paul Tsai China Center, told the Wall Street Journal, seem to have “anything resembling legal limits on government surveillance.”
Other provisions seem to focus on agencies’ role as administrators. According to the PIPL, agencies have obligations to protect personal data, including:
- supervising data processors,
- handling complaints related to personal data protection,
- punishing any violations of data protection. (Article 61)
Both local and national level cyberspace agencies as well as other relevant agencies bear such obligations. (Article 60)
The national-level agencies shall also establish new implementing rules and standards for personal data protection, and special rules for sensitive data, facial recognition, AI and other new technology. They shall also improve the working mechanism to protect whistleblowers. (Article 62)
Data processors that violate legal obligations will be fined up to 50 million yuan (7.7 million USD) or 5 percent of the company’s turnover in the previous year. There will be other administrative punishments, such as the seizure of illegal income, suspension of business, or revocation of business license. Responsible personnel will also face up to a 1 million yuan fine (154 thousand USD) as well as other punishment. (Article 66)
The PIPL requires a shift of burden in data infringement cases. Article 69 states that if data processing causes damages to personal rights and interests, data processors shall bear the liability for such damage unless they can prove they are not at fault.
Consistent with an ongoing trend that the procuratorate, which is an agency charged with both the investigation and prosecution of crime, is taking up a larger role in personal data litigations, the PIPL states that the procuratorate, consumer associations and other entities may bring lawsuits in cases where numerous persons’ interests are damaged. (Article 70)
Some supporting rules
The PIPL, as a basic law, offers general language without providing many details. As a result, interpretation and implementation of the law will rely on supporting regulations. It will take some time for China to issue all relevant regulations, but a couple of recent rules are worth noting.
On August 17, China’s State Administration for Market Regulation released proposed rules to rein in tech companies’ data practices. The draft (禁止网络不正当竞争行为规定) (link in Chinese) prohibits tech companies from using data in a way that damages users’ interests or restricts competition. Compared to the SAMR’s antitrust guideline, which also describes certain anticompetitive practices, the proposed rules will be legally binding and have a broader scope of application. The proposal came at a time when there is a long list of misconduct related to personal data. As illustrated in a Financial Times report, the misconduct includes “exploiting users’ data to put them off competitors’ products or services, limiting traffic to other platforms by practices such as blocking hyperlinks, false advertising, fraudulent online reviews and consumer privacy abuses.” The draft is open for public comments until September 15.
A couple of days later, on August 20, China issued provisional rules for auto data, which will take effect on October 1. The new rules (汽车数据安全管理若干规定(试行)) (link in Chinese), which were issued by the Cyberspace Administration of China and four other agencies, set forth the responsibilities of auto data processors to protect data security and to protect personal information collected from vehicles. They also require important data, including sensitive military data and large amounts of personal data, to be stored in China. In this regard, Tesla already announced in May that it stores Chinese data within China.
Also in August, the State Council issued special rules for the critical information infrastructure industry (关键信息基础设施安全保护条例) to protect personal information and data security. The rules will take effect on September 1.