The ‘Chinese GDPR’ – China passes its new Privacy Law.
Sep 2, 2021 5:00:00 AM
China has passed its ‘Personal Information Protection Law’ (PIPL).
The 20th of August 2021 marks a milestone for Chinese data protection. The People’s Republic of China has passed its ‘Personal Information Protection Law’ (PIPL).
An English translation of its latest draft can be found here: https://digichina.stanford.edu/news/translation-personal-information-protection-law-peoples-republic-china-draft-second-review
China previously had no comprehensive data protection framework; the PIPL responds to increasing concerns about the integrity of Chinese citizens’ personal data. It is especially welcomed as a means of ensuring that the growing Big Tech industry is held to high data protection standards.
Alongside the PIPL, the legislator has recently adopted the ‘Data Security Law’ and a new Civil Code containing a chapter on privacy and personal data. Without doubt, the People’s Republic of China intends to improve data privacy and security considerably.
We will take a closer look at the new law and its application to businesses and to the Chinese government.
The Law’s scope of application
Art. 3 lays out the Law’s scope. It applies to organizations and individuals handling the personal information of individuals within the borders of China. Extensive protection is guaranteed via the Law’s extraterritorial application, which is triggered if products or services are provided to individuals within China, if the activities of natural persons within China are analysed or assessed, or if specific laws so provide. Art. 33 specifies that the Law’s application extends to personal information handling activities by state organs.
Ordinary & Sensitive personal information
The new Law prescribes an exhaustive set of legal bases for the handling of personal information. The terms ‘personal information handlers’ and ‘personal information handling’ roughly correspond to ‘controller’ and ‘processing’ under the EU GDPR. Like most new privacy regulations, the Law distinguishes between ordinary and sensitive personal information.
Art. 13 PIPL covers the handling of ordinary personal information. Processing is prohibited unless it is based on individual consent or is necessary for one of the following: the conclusion or fulfilment of a contract; statutory duties; public health incidents; the protection of natural persons’ lives, health or property; news reporting, public opinion supervision and other activities in the public interest; or other circumstances expressly authorized by law.
Article 21 PIPL contains a remarkably broad definition of sensitive personal information. It extends to all ‘personal information that, once leaked or illegally used, may cause discrimination against individuals or grave harm to personal or property security, including information on race, ethnicity, religious beliefs, individual biometric features, medical health, financial accounts and individual location tracking’. For such processing, personal information handlers require a specific purpose. Moreover, sufficient necessity, a separate consent for each activity (Art. 30 PIPL) and a prior risk assessment (Art. 54 PIPL) are required.
In addition to these general legal bases, Art. 27 PIPL expressly steps up protection regarding ‘the installation of image collection or personal identity recognition equipment in public venues’. Following recent debates about intrusive face recognition systems in public areas, the Law provides additional safeguards for such processing. It is only permitted for the purpose of safeguarding public security and in line with relevant state regulations. Clear signs must be installed, and the information so collected cannot be published or forwarded without consent.
Rights & Duties
Just like its European and US counterparts, the Law imposes extensive duties on ‘personal information handlers’. They must respect the principles of purpose limitation, data minimisation, data accuracy, fairness and transparency (Arts. 6-8 PIPL). Information duties require that detailed information be provided on the handling activities and on the entity conducting them (Art. 18 PIPL).
Data can only be retained for the shortest period necessary (Art. 20 PIPL), and transparency, fairness and reasonableness must be especially observed in the context of automated decision-making (Art. 25 PIPL). Personal information handlers must adopt the measures necessary to ensure that information handling conforms to laws and regulations (Art. 51 PIPL).
Additionally, handling large volumes of personal information requires the appointment of specific responsible persons (Art. 52 PIPL), and personal information handlers established outside China must appoint a representative (Art. 53 PIPL). Certain activities further require a prior risk assessment, including the handling of sensitive information, automated decision-making and data transfers (Art. 55 PIPL).
Article 57 PIPL imposes even stricter rules on ‘Internet platform services, who have a large number of users, and whose business models are complex’. To account for higher privacy risks, such personal information handlers must establish an independent supervision body, cease to provide services to platform users who violate provisions protecting privacy, and publish ‘personal information protection social responsibility reports’.
The Law further strengthens the position of data subjects by granting them a set of rights. Chapter IV provides for the rights to object to the processing, to access the data, to have it corrected or erased, and to request an explanation of the personal information handling rules.
Hence, extensive rights and duties, in combination with a broad definition of sensitive information and additional safeguards for specific high-risk processing, afford increased protection to individuals’ personal data.
The law will certainly be a gamechanger for the processing of personal data by many businesses.
Information handling by State authorities
The Chinese state itself is the entity in China that processes the most personal data. A recent data leak revealed more than 2.5 million government records on Chinese citizens, including their ID number, address, birthday and location data obtained through facial recognition.
The PIPL’s explicit application to personal information handling by State authorities displays the legislator’s intention to step up protection in the public sector as well. Hence, the State itself is subject to all privacy duties and principles. However, the Law’s application to State authorities is not without limit.
The Law’s third section contains specific provisions applying solely to state organs. These function as lex specialis over the general provisions. Art. 34 PIPL allows state organs to handle personal information where necessary to fulfil the statutory duties and responsibilities provided for by law. Individuals must be notified of such processing and their consent obtained. However, notification and consent can be dispensed with where secrecy must be protected or where the fulfilment of the duties would be impeded (Art. 35 PIPL). Similarly, personal information so obtained cannot be published without consent unless provided for by law.
These provisions leave certain loopholes for state authorities to circumvent the legal basis requirement where other laws or administrative regulations so allow. Arguably, the exceptions available to public authorities under, for instance, the EU GDPR are not as broad. Nevertheless, even under the GDPR, governments can rely on wide public interest grounds. Processing of ordinary data is, for example, allowed where necessary ‘for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller’ (Art. 6 (f) GDPR).
Sensitive data can be processed ‘for reasons of substantial public interest’ if proportionate and subject to sufficient safeguards, on public health grounds, or for archiving purposes in the public interest (Art. 9 (2) GDPR). Moreover, Member States can restrict the rights and obligations under the GDPR to safeguard national security, defence, public security, the prevention, investigation, detection or prosecution of criminal offences, and other exhaustively listed grounds (Art. 23 GDPR).
The passing of the new PIPL definitely marks the beginning of heavily increased data protection and privacy within the People’s Republic of China. Individuals are granted extensive rights, and entities conducting business in China should ensure that they comply with the Law’s duties before its entry into force. Whether the Law also meaningfully restricts personal information handling activities by the State itself remains to be seen.
We are obviously very interested in the Chinese PIPL; the beauty of our software service is that we have designed it to be multi-lingual and multi-regulation. It would, however, be rash to do the work of creating a PIPL instance without having the right partners to take it to market in China.