How does China’s Privacy Law impact your Organization?

What is the Personal Information Protection Law (“PIPL”)?

As of November 1, 2021, the PIPL has been effective and has changed the privacy landscape within the People’s Republic of China. The previous privacy environment was made up of the Cybersecurity Law (“CSL”) and the Data Security Law (“DSL”). This regulation can be seen as China’s response to the European Union’s General Data Protection Regulation (GDPR). While this regulation follows the converging trends in international data privacy it also aims to influence privacy norms. 

Who Does it Apply To?

Similar to the GDPR, the PIPL not only applies to personal information processing carried out within its territorial borders, it also includes an extraterritorial component. This creates circumstances in which organizations that process the personal information of people in China, regardless of their location, subject to this law. As stated in Article 3 of the PIPL, the following circumstances require organizations to comply with the PIPL:

• If an organization is providing a good or service to natural persons located within China
• If an organization is analyzing or assessing the behavior of natural persons located within China
• If an organization falls within any of the other circumstances as provided by other laws or regulations

What are the Key Requirements for the Law?

Foreign companies that are applicable to any of the circumstances above and do not currently have a physical presence in China must establish a representative within their borders. This representative is responsible for all matters related to the personal information their organization handles.

Chapter V of the PIPL establishes the duties of personal information handlers as the following:

1. They must formulate the internal management structures and operating rules of their organization.
2. They must implement formal management systems of personal information.
3. They must oversee the adoption of relevant technical security measures such as encryption, de-identification, and all other necessary measures.
4. They must reasonably determine the operational limits for personal information handling, and regularly conduct security education and training for employees.
5. They must aid in formulating and organizing the implementation of personal information security incident response plans.
6. They must aid in all other measures provided in other laws or administrative regulations.

What are the Penalties for Violations? 

This portion of the PIPL creates and leaves open the most questions about compliance. Article 42 creates two criteria for violation of this regulation for foreign organization who engages in personal information. 

• The organization violates the personal information rights and interests of citizens of China, or
• The organization harms the national security or public interest of China.

Organizations that find themselves in this gray zone of violation may be subject to being limited or prohibit their organization from receiving personal information. While the PIPL does not provide specifics on how foreign organizations would commit these types of violations, implementing the privacy and security standards set out by this law are the best way to navigate this gray area. 

These are the penalties for companies operating in the territorial boarders of the Peoples Republic:

General Violations: Occur when personal information is handled in violation of this Law or when personal information is handled without fulfilling the organization’s personal information protection duties. 

The immediate response of the government is to:

• confiscate unlawful income
• provisional suspension or termination of service for processing personal information

If correction fails or is refused these violations can result in the following penalties:

• An organizational fine of no more than 1 million Yuan ($156,438.21)
• Individuals within the organization are to be fined between 10,000 and 100,000 Yuan ($1,543.81 to $15,438.05)

‘Grave’ Violations: The PIPL does not define what constitutes ‘grave’ unlawful actions, but provides the following penalties for this type of violation:

• 50 million Yuan ($7,719,027.00) or 5% of annual revenue
• Individuals within the organization are to be fined between 100,000 and 1 million Yuan ($15,438.29 to $154,382.93)
• the suspension or cessation of related business activities 
• Cancellation of corresponding administrative and business licenses
• Individuals responsible may be prohibited from holding certain positions related to personal information handling

New Definitions Introduced by PIPL

Personal Information: According to Article 4 of the PIPL, “all kinds of information, recorded by electronic or other means, related to identified or identifiable natural persons” is personal information. Except for anonymized data. 

Sensitive Personal Information: Article 28 of the PIPL defines this as “personal information that, once leaked or illegally used, may easily cause harm to the dignity of natural persons grave harm to personal or property security”, including:  

• biometric characteristics, 
• religious beliefs, 
• specially designated status, 
• medical health, 
• financial accounts, 
• individual location tracking
• any personal information of minors under the age of 14

Sensitive personal information may only be processed when there is a specific purpose and need to fulfill, and under circumstances of strict protection measures.

Personal Information Handler (Processer): A processor is anyone who independently decides the purpose and the method of processing personal information. 

• Which includes “collection, storage, use, processing, transmission, provision, disclosure, and deletion of personal information”

What Processing Requirements Do We Need to Comply With?

Article 13 of the PIPL creates new rules for personal information handlers. Processing of personal data must be conducted in the context of at least one of the following circumstances:

• Processing is allowed when concluding or performing a contract or to “carry out human resource management”.
• Processing is allowed when performing statutory responsibilities and obligations.
• Processing is allowed when responding to a public health emergency or protecting an individual’s interest or safety in an emergency.
• Processing is allowed when carrying out activities in the public interest.
• Processing is allowed is allowed when the PI is disclosed in a legal fashion and within a reasonable scope according to law; and
  • All other circumstances as provided by other laws or administrative regulations.

We Can Help

If you need help meeting and understanding the PIPL requirements, Tevora’s team of security experts has got you covered. We are continually helping companies from every industry achieve compliance with new and emerging privacy laws. We would welcome the chance to do this for you.

Additional Resources

• Translation of the Personal Information Protection Law

Talk to an Expert 

If you have questions about PIPL or would like help implementing changes in your environment to ensure PIPL compliance, Tevora’s team of data privacy and security specialists can help. Just give us a call at (833) 292-1609 or email us at sales@tevora.com. Take a look at our Privacy Tracker that helps you stay up to date with every privacy regulation.