This document is not intended to be, norshould it be construed to be a document offering legal advice. Instead, it should be reviewed as a summary of the current Toluna Group view on the China personal data protection laws. Separate legal advice should be sought by the reviewers of this document to ensure that the interpretations are appropriate to the use case and context of the parties involved in the relevant research project or activity.

What just happened?

On 20 August 2021, the Standing Committee of the National People’s Congress, China voted to adopt a new national privacy law (the Personal Information Protection Law (“PIPL”) at a meeting in Beijing.

A new PRC Data Security law (“DSL”) has come into effect which, provides that data collected and generated by critical information infrastructure operators must be stored in China. A critical information infrastructure operators (“CIIO”) is defined as being infrastructure from important industries and sectors, including public communication and information services, energy, transportation, water conservancy, finance, public service, and e-government, as well as other industries and sectors that may pose severe threat to national security, people’s livelihood, and public interests if their data is damaged or disabled or leaked. A CIIO includes a business where the personal data being transferred relates to a ‘large amount of data’. It is expected that what constitutes a large amount of data will be clarified in the next year. The PRC authorities have the authority to formulate future additional and specific obligations on a CIIO.

When do they come into force?

The PIPL will be in force on 1 November 2021 and the DSL is in force from 1 September 2021.

Who is the relevant authority in China?

The Cyberspace Administration of China (“CAC”) is responsible for the overall planning and coordination of the PIPL. The relevant departments of the State Council are also responsible for various specified duties (See Chapter VI).

Is it similar to the GDPR?

Yes – however there are some differences as outlined in these FAQ’s.

Do the laws have extra-territorial effect?

The PIPL and the DSL apply to those who process personal information about Chinese citizens inside China as well as those who process personal information about Chinese citizens outside China.

Are there any rules on cross-border transfers?

The rules for cross border transfers are set out in Chapter III of the PIPL and Art 30 DSL. Personal data can be transferred overseas if the processor (processor is similar to a controller under the GDPR):

• Obtains the individual’s prior consent; and
• They meet one of the following conditions:
  • Pass the security assessment organised by the CAC in accordance with the provisions of Article 40 of this Law;
  • Conduct personal information protection certification by professional institutions in accordance with the regulations of the CAC;
  • Enter into a contract with the overseas recipient in accordance with the standard contract formulated by the CAC stipulating the rights and obligations of both parties;
  • Other conditions stipulated by laws, administrative regulations or CAC.
  • Article 40 PIPL provides that if an organisation is assessed as being a CIIO under the DSL, the data must be stored, collected and generated in China, unless it is really necessary to provide to conduct cross border transfers, in which case, they must submit to a security assessment carried out by the CAC.

What the principles for processing personal data?

• Art 5 – in handling PI, the principles of legality, fairness, necessity and good faith must be observed
• Art 6 – The handling of PI shall have a clear, specific and reasonable purpose and should be directly relevant to the purpose of processing and adopt a method that has the least impact on personal rights and interests, be limited to the minimum scope for the purpose of processing and PI shall not be collected excessively.
• Art 7 – follow the principles of openness and transparency, disclose personal information processing rules and clearly indicate the purpose, method and scope of processing.
• Art 8 – the principles of integrity and accuracy shall be observed and the quality of personal information ensured so as to avoid any adverse effects on personal rights and interests due to inaccurate or incomplete handling of PI.
• Art 9 – PI processors shall abide by the principle of security guarantee and be responsible for their PI handling activities and take necessary measures to ensure the security of the PI handled.
• Art 10 – No organisation or individual may illegally collect, use, process, or transmit the personal information of others, or illegally trade, provide, or disclose the personal information of others; and must not engage in personal information processing activities that endanger national security or public interest.

What are the legal bases for processing personal data?

There are 7 legal bases:

(1) Obtain personal consent from the individual;

(2) Necessary for the conclusion and performance of a contract in which an individual is a party, or necessary for the implementation of human resource management in accordance with the labour rules and regulations established in accordance with the law and the collective contract signed in accordance with the law;

(3) It is necessary to perform statutory duties or statutory obligations;

(4) It is necessary to respond to public health emergencies, or to protect life, health and property safety of natural persons in an emergency;

(5) Carry out news reports, public opinion supervision and other acts for the public interest and handle personal information within a reasonable range;

(6) Processing personal information disclosed by individuals or other legally disclosed personal information within a reasonable scope in accordance with the provisions of this law;

(7) Other circumstances stipulated by laws and administrative regulations.

What is consent?

The use of the personal information must be explicit, specific and relevant and limited in scope to the purpose for which the ‘processor’ (controller under the GDPR) gains that consent. There is no ability to process personal data for ‘legitimate interest’. The individual has the right to withdraw their consent and should not be discriminated against (in terms of services and products) for refusing to give their consent for processing their personal information.

What is personal information?

All kinds of information related to identified or identifiable natural persons recorded electronically or by other means, excluding anonymised information.

What is anonymisation?

Anonymisation is a process by which personal information cannot be used to identify specific natural persons and the personal information cannot be restored after processing (Arts 4 and 73).

What is sensitive personal information?

Sensitive personal information is a little wider than under the GDPR and defined as data that can easily lead to the infringement of the personal dignity of natural persons or the harm of personal and property safety, including biometrics, religious beliefs, specific identities, medical health, financial accounts, Information such as whereabouts, as well as personal information of minors under the age of fourteen. So, location data, financial information and information about children under 14 are additionally included.

What additional rules are in place when processing sensitive personal information?

Aside from the consent requirements and the obligation to provide a notice on the treatment of the individual’s data, the processing of sensitive personal information must only be carried out for a specific purpose, where it is necessary and where strict security measures on the protection is applied.

What is handling (processing)?

The handling of personal information includes the collection, storage, use, processing, transmission, provision, disclosure, deletion, etc. of personal information, but excludes activities conducted by natural persons due to their personal or family affairs.

Does a record of all the processing need to be kept and do I need to perform a data protection impact assessment?

Article 55: In any of the following circumstances, the personal information processor shall conduct a personal information protection impact assessment in advance and record the processing situation:

(1) Processing sensitive personal information;

(2) Using personal information to make automated decision-making;

(3) Entrust the processing of personal information, provide personal information to other personal information processors and disclose personal information;

(4) Providing personal information abroad;

(5) Other personal information processing activities that have a significant impact on personal rights and interests.

Article 56: Personal information protection impact assessment shall include the following contents:

(1) Whether the processing purpose and processing method of personal information are legal, proper and necessary;

(2) Impact on personal rights and security risks;

(3) Whether the protective measures adopted are legal, effective and compatible with the degree of risk.

The personal information protection impact assessment report and processing record shall be kept for at least three years.

Do Chinese individuals have the rights given to them under the GDPR?

A Chinese citizen has the right to:

• Opt-out of the processing.
• Request access to their personal data.
• Understand what decisions are made about them when processing their personal information.
• Have their personal data erased, corrected or restricted
• Object to the processing your personal data if the processor is using their personal data for other purposes.
• have their personal data transferred to them or to a third party in a structured, commonly used, machine-readable format.
• Make requests to the processor about the treatment of their personal information.
• Make a complaint at any time to the processor
• If the individual dies, then their close relatives may ‘for their own lawful and legitimate interests’ exercise any of the rights above.

There are no time limits set out to adhere to the requests, they must be dealt with in a timely manner.

If the processor fails to comply with the request, the individual may file a lawsuit in a people’s court. (The GDPR allows the individual to make a complaint to a regulator as well as taking legal action).

What are the penalties for failing to comply with the DSL?

• Business license may be revoked; and/or
• The authorities may close down the business; and/or
• There is a prescriptive tariff on fines imposed, but for CIIO’s the fines are up to 2 RMB million; and/or
• Persons directly responsible for breaches may also be subject to personal fines of up to RMB200,000; and/or
• Criminal sanctions imposed on responsible persons (may include jail) and/or
• Individual rights to sue in the courts.
• Reputational damage.

What are the penalties for failing to comply with the PIPL?

• Up to RMB 50 million, or 5% annual global turnover; and/or
• Business license may be revoked and/or;
• persons directly responsible for breaches may also be subject to personal fines between RMB100,000 to 1 million AND may be prohibited from assuming managerial positions in relevant organisations for a specified period; and/or
• Individual rights to sue in the courts.
• Reputational damage

Do the authorities have any other powers?

Article 42: Where foreign organisations and individuals engage in personal information processing activities that infringe upon the personal information rights of citizens of the People’s Republic of China or endanger the national security and public interests of the People’s Republic of China, the CAC may restrict or prohibit them. The list of personal information provided shall be announced and measures such as restricting or prohibiting the provision of personal information shall be taken.

Article 43: Where any country or region adopts discriminatory prohibitions, restrictions, or other similar measures against the People’s Republic of China in terms of personal information protection, the People’s Republic of China may take corresponding measures against the country or region based on actual conditions.