Personal Information Protection Law

As the world continues to work from home in the wake of COVID-19 and companies rely on online technology to conduct business and serve customers, the People's Republic of China (the country with the most online users in the world) is one of the latest countries to pass a new comprehensive privacy law. Effective November 1, 2021, the Personal Information Protection Law (PIPL) [1] is China's first comprehensive law aimed at regulating online data and protecting personal information, although many of its elements are not yet defined.

China's Data Security Law, which came into effect earlier this year on September 1, 2021, applies to a wide range of data processing activities, including but not limited to the processing of personal information. Together, these laws, with their extraterritorial reach and severe fines and penalties, create an increasingly complex and comprehensive legal framework for handling personal information when doing business in China.

PIPL is implemented and enforced by the Cyberspace Administration of China (CAC) together with relevant national and local government departments. The law, which draws heavily on the EU's General Data Protection Regulation (GDPR), caps fines at 5% of the previous year's (possibly global) revenue or $7.7 million, whichever is higher. PIPL consists of more than 70 articles in 8 chapters. (Read the unofficial translation of the full text.) A summary of our key takeaways and the law's key provisions follows.

Our view

Given the law's broad scope, extraterritorial applicability and potential for significant fines, organizations and individuals should assess their PIPL compliance obligations if they process personal information within China, or if they process the personal information of individuals located in China in order to provide products or services to them or to analyze or evaluate their behavior. These obligations may include:

  • Adjust public-facing documents such as privacy policies, data subject rights request procedures, and other user interfaces and user experiences (such as registration flows).

  • Incorporate the upcoming standard contractual clauses into contracts involving transfers of personal information outside of China.

  • Implement consent mechanisms, including separate (multi-layered) consent for certain processing activities or transfers (for example, transfers of personal information outside of China or to other personal information processors).

  • Add the PIPL data breach notification requirement to the incident response plan.

  • Assess the need to localize data in China and the possible impact on global operations.

Data mapping and other exercises carried out for compliance with the GDPR, the California Consumer Privacy Act (CCPA) and other regulations may be repurposed to reduce the burden of PIPL compliance, albeit with some customization. Overall, PIPL compliance efforts are likely to be ongoing, given the uncertainty surrounding the interpretation and enforcement of the lengthy new law and its pending implementing rules and regulations. As with the CCPA and GDPR, clients should continue to monitor revisions to the PIPL, its implementing regulations and related enforcement actions, and adjust their practices accordingly. Cooley's global team of privacy experts is working with a number of clients doing business in China to assess PIPL compliance obligations. Contact any of the contacts listed below to discuss your PIPL questions.

Who must comply with the PIPL?

Like the GDPR, the PIPL is designed to have extraterritorial reach, arguably covering any company or individual (regardless of the individual's nationality or place of residence) that processes personal information in China. [2] In addition, PIPL requires personal information processors located outside of China to establish dedicated entities or designate representatives within China. [3] Such entities or representatives are not required to have any employment relationship or affiliation with the foreign processor. Furthermore, similar to the data protection officer concept in the GDPR, personal information processors that process personal information above a certain threshold (which has not yet been determined) must designate persons responsible for personal information protection and publish their contact information. [4]

Does PIPL distinguish between "controllers" and "processors" of personal information?

In terminology that is sure to cause confusion, a "personal information processor" under the PIPL is similar to a "controller" under the GDPR, and a "trustee" (entrusted party) under the PIPL is similar to a "processor" under the GDPR. Personal information processors bear the responsibilities and compliance requirements set out in the PIPL. Joint personal information processors must sign an agreement that clarifies the specific rights and obligations of each of them, and they bear joint and several liability. [5]

In addition, if the processing of personal information is carried out by an entrusted party (comparable to a processor under the GDPR) on behalf of a personal information processor, the parties must enter into an agreement that clearly specifies the purpose, period, method and categories of the personal information processing, the protection measures, and the rights and obligations of the parties. [6] In practice, to meet the requirements of the PIPL, the data processing agreement should include the following: [7]

  • A prohibition on the entrusted party processing personal information beyond the scope of the agreement.

  • Terms requiring the entrusted party to return or delete personal information upon completion, revocation or expiration of the agreement.

  • A requirement that the entrusted party obtain the consent of the personal information processor before engaging a sub-processor to process personal information.

What types of data are covered by PIPL?

PIPL, like CCPA and GDPR, defines personal information as:

… various information recorded electronically or otherwise relating to an identified or identifiable natural person, excluding anonymized information. [8]

PIPL also aligns with the CCPA and GDPR in treating anonymized information as non-personal information outside the scope of the law. However, the definition of anonymization is strict and may be difficult to satisfy:

Anonymization is the process of processing personal information so that it cannot be used to identify a specific natural person and cannot be reversed. [9]

Like the CCPA (as amended by the California Privacy Rights Act (CPRA)) and GDPR, PIPL's definition of "sensitive personal information" is vague:

Sensitive personal information refers to personal information that, once leaked or used illegally, can easily lead to the infringement of the dignity of a natural person or damage to personal or property safety, including biometrics, religious beliefs, specific identities, medical health, financial accounts, whereabouts and other information, as well as the personal information of minors under the age of 14. [10]

Sensitive personal information is subject to additional processing requirements, such as:

  • Establish a specific purpose and sufficient necessity for the processing.

  • Notify individuals of the impact the processing will have on their rights.

  • Use "strict safeguards" (still not defined).

  • Conduct a privacy impact assessment and create processing records.

  • Obtain separate individual consent (and possibly written consent, if required by as-yet unpublished regulations) for the processing.

PIPL also instructs the Cyberspace Administration of China to formulate special personal information protection rules and standards for the handling of sensitive personal information. [11]

What is the legal basis for data processing under the PIPL?

According to the PIPL, personal information processors can only process personal information in the following cases:

  1. Individual consent has been obtained, which must be informed, voluntary and unequivocal (over thresholds yet to be determined), subject to the following conditions: [12]

    • Individuals must be able to withdraw consent by "convenient means" (not yet defined).

    • The provision of products or services cannot be made conditional on consent unless collection of the information is necessary to provide the product or service (which appears to mirror the concept of "freely given" consent under the GDPR).

    • Parental or guardian consent is required when processing the personal information of minors under the age of 14. [13]

    • If the purpose, method or category of the information processed changes, new consent must be obtained.

  2. The processing is necessary for the conclusion or performance of a contract to which the individual is a party, or for human resources management in accordance with lawfully formulated labor rules and regulations and the provisions of collective contracts.

  3. The processing is necessary for the performance of a statutory duty or obligation.

  4. The processing is necessary to respond to a public health emergency or to protect a person's life, health or property.

  5. The processing is carried out within a reasonable scope for news reporting, public opinion supervision or other activities in the public interest.

  6. The personal information has been disclosed by the individual or otherwise lawfully disclosed, and is processed within a reasonable scope in accordance with the provisions of the law.

  7. Other circumstances stipulated by Chinese laws and regulations.

Notably, PIPL makes individual consent the default legal basis for processing unless one of the other legal bases applies. Also of note is the absence of a "legitimate interest" basis for processing, which many EU data controllers have relied on under the GDPR as a more flexible means of establishing a legal basis. However, Chinese authorities may still expand the available legal bases for processing through regulation.

What types of notices are required by PIPL?

Privacy Statement

Before processing personal information, personal information processors must truthfully, accurately and completely inform individuals, in "prominent, clear and understandable language", of the following: [14]

  • The name and contact details of the personal information processor.

  • The purposes and methods of processing, as well as the types of personal information processed and the retention periods.

  • The methods and procedures by which individuals can exercise their rights under the PIPL.

  • Other matters that laws and administrative regulations require to be notified.

Furthermore, individuals must be notified of any changes to these key data processing elements.

Notice for Consent Purposes

Where the legal basis for processing personal information is consent, personal information processors must provide strong notice in clear and understandable language prior to processing the personal information. [15]

Business Transaction Personal Information Transfer Notice

Where personal information processors transfer personal information in the course of a business transaction, they must inform the individual of the recipient's name and contact information. PIPL also requires new consent if the recipient changes the purpose or method of processing the personal information. [16]

Notice Regarding the Transfer of Personal Information to Other Personal Information Processors

If a personal information processor transfers personal information to another personal information processor, the processor must:

  • Notify individuals of the name and contact details of the new personal information processor.

  • Notify individuals of the purposes and methods of processing and the types of personal information being processed by the new personal information processor.

  • Obtain separate consent for this new processing.

The new personal information processor must also adhere to the original scope of the processing methods, purposes and types of personal information communicated to individuals, or obtain new consent. [17]

What individual rights does PIPL provide?

PIPL creates specific rights for individuals regarding the processing of their personal information, including the following rights: [18]

  • To know about, decide on, restrict or object to the processing of their personal information by others.

  • To access and copy (including transfer) their information held by personal information processors.

  • To request correction or completion of their personal information.

  • To request deletion or withdraw consent in certain circumstances.

Personal information processors must establish a convenient mechanism (not further defined) for individuals to exercise these rights. [19] It is worth noting that relatives of a deceased natural person may access, copy, correct and delete the personal information of the deceased for their own lawful and legitimate interests. [20]

Does PIPL require a data privacy impact assessment?

Personal information processors and controllers are required to conduct a Personal Information Protection Impact Assessment (PIPIA), and retain it for three years, for certain processing of personal information, including:

  1. Handling sensitive personal information.

  2. Using personal information to make automated decisions.

  3. Entrusting others to process, or otherwise sharing or disclosing, personal information.

  4. Transferring personal information overseas.

  5. Other processing activities that have a significant impact on the rights and interests of individuals. [21]

The PIPIA must address the following: [22]

  • Whether the purpose and method of processing personal information are lawful, legitimate and necessary.

  • The impact on individual rights and the security risks involved.

  • Whether the security protection measures taken are lawful, effective and appropriate to the degree of risk.

Does PIPL (or other Chinese data protection laws) enforce data localization and/or restrict cross-border data transfers?

In addition to providing transfer notices to the relevant individuals and obtaining their consent, [23] personal information processors must also conduct a prior personal information protection impact assessment and record the processing, [24] and one of the following conditions must be met before personal information can be transferred overseas: [25]

  • Pass a security assessment organized by the Cyberspace Administration of China. [26]

  • Obtain certification from an organization authorized by the Cyberspace Administration of China.

  • Sign a cross-border data transfer agreement with the overseas recipient, based on the standard contract formulated by the Cyberspace Administration of China, clarifying the rights and obligations of both parties.

  • Satisfy another mechanism that may be provided for by other laws and regulations.

In addition, PIPL requires critical information infrastructure operators (CIIOs) [27] and personal information processors that handle large amounts of personal information (thresholds have not yet been determined) to store personal information locally in China. [28] Such CIIOs or bulk processors may transfer personal information overseas only when truly necessary and only after passing an official security assessment. [29]

Without elaborating further, PIPL requires personal information processors to take the necessary measures to ensure that the processing of personal information by overseas recipients meets the personal information protection standards stipulated by PIPL. [30]

The personal information processor must also obtain the individual's separate consent for cross-border transfers after informing the individual of the following:

1) The name and contact information of the overseas recipient of their personal information.

2) The purpose and method of processing and the types of personal information being transferred.

3) The procedures for exercising their rights under the PIPL against the overseas recipient. [31]

What are the potential penalties for not complying with the PIPL?

Penalties under the PIPL depend on the severity of the violation, ranging from warnings and orders to correct violations, to orders to suspend services or revoke operating or business licenses, to confiscation of illegal gains, to significant administrative fines. Company employees may also be held personally liable and face fines or bans from serving as directors, supervisors, senior managers or persons in charge of personal information protection in the relevant units.

In serious cases, the company and/or its employees may even face criminal liability. [32] For example, anyone who illegally obtains, sells or provides to a third party more than 500 pieces of information that may affect citizens' personal or financial security (such as accommodation information, communication records, health and physical information, transaction information, etc.) may be punished with imprisonment for up to three years. [33]

The content of this blog is not intended to and does not constitute legal advice or the provision of legal services or the creation of an attorney-client relationship. Readers of this website should contact their attorneys for any legal advice or services on any particular legal matter.

Notes

  1. This blog post is based on the unofficial English translation of PIPL.

  2. Article 3.

  3. Article 53.

  4. Article 52.

  5. Article 20.

  6. Article 21.

  7. Id.

  8. Article 4.

  9. Article 73(IV).

  10. Article 28.

  11. Article 28, Article 29, Article 30, Article 31, Article 32, Article 55.

  12. Article 14.

  13. Article 31.

  14. Article 17.

  15. Article 14.

  16. Article 22.

  17. Article 23.

  18. Chapter 4: The rights of individuals in the processing of personal information.

  19. Article 50.

  20. Article 49.

  21. Article 55.

  22. Article 56.

  23. Article 39.

  24. Article 55.

  25. Article 38.

  26. On October 29, 2021, the Cyberspace Administration of China released the "Draft Measures for the Security Review of Cross-border Data Transmission" for public comments. While still a draft, it clarifies when a security review is required, review standards and procedures, the terms of key data transfer agreements (although the draft standard contractual clauses are conspicuously absent) and review frequency.

  27. Both the Cybersecurity Law and the Regulations on the Security Protection of Critical Information Infrastructure define "critical information infrastructure" as important network facilities and information systems in important industries and fields such as public communication and information services, energy, transportation, water conservancy, finance, public services, e-government and national defense science and technology, which, once damaged, disabled or subject to data leakage, may seriously endanger national security, the national economy, people's livelihood or the public interest.

  28. Article 40.

  29. Id.

  30. Article 38.

  31. Article 39.

  32. Article 71.

  33. Article 253a of the Criminal Law of the People's Republic of China and Article 5.4 of the Interpretation of the Supreme People's Court and the Supreme People's Procuratorate on Several Issues concerning the Application of Law in Handling Criminal Cases of Infringement of Citizens' Personal Information.
