This document is not intended to be, nor should it be construed to be, a document offering legal advice. Instead, it should be reviewed as a summary of the current Toluna Group view on the China personal data protection laws. Separate legal advice should be sought by the reviewers of this document to ensure that the interpretations are appropriate to the use case and context of the parties involved in the relevant research project or activity.
What just happened?
On 20 August 2021, the Standing Committee of the National People’s Congress, China voted to adopt a new national privacy law (the Personal Information Protection Law (“PIPL”)) at a meeting in Beijing.
A new PRC Data Security Law (“DSL”) has come into effect which provides that data collected and generated by critical information infrastructure operators must be stored in China. A critical information infrastructure operator (“CIIO”) is defined as being infrastructure from important industries and sectors, including public communication and information services, energy, transportation, water conservancy, finance, public service, and e-government, as well as other industries and sectors that may pose a severe threat to national security, people’s livelihood, and public interests if their data is damaged, disabled or leaked. A CIIO includes a business where the personal data being transferred relates to a ‘large amount of data’. It is expected that what constitutes a large amount of data will be clarified in the next year. The PRC authorities have the authority to formulate future additional and specific obligations on a CIIO.
When do they come into force?
The PIPL will be in force on 1 November 2021 and the DSL is in force from 1 September 2021.
Who is the relevant authority in China?
The Cyberspace Administration of China (“CAC”) is responsible for the overall planning and coordination of the PIPL. The relevant departments of the State Council are also responsible for various specified duties (See Chapter VI).
Is it similar to the GDPR?
Yes; however, there are some differences, as outlined in these FAQs.
Do the laws have extra-territorial effect?
The PIPL and the DSL apply to those who process personal information about Chinese citizens inside China as well as those who process personal information about Chinese citizens outside China.
Are there any rules on cross-border transfers?
The rules for cross-border transfers are set out in Chapter III of the PIPL and Art 30 DSL. Personal data can be transferred overseas if the processor (a processor is similar to a controller under the GDPR):
What are the principles for processing personal data?
What are the legal bases for processing personal data?
There are 7 legal bases:
(1) Obtain personal consent from the individual;
(2) Necessary for the conclusion and performance of a contract in which an individual is a party, or necessary for the implementation of human resource management in accordance with the labour rules and regulations established in accordance with the law and the collective contract signed in accordance with the law;
(3) It is necessary to perform statutory duties or statutory obligations;
(4) It is necessary to respond to public health emergencies, or to protect life, health and property safety of natural persons in an emergency;
(5) Carry out news reports, public opinion supervision and other acts for the public interest and handle personal information within a reasonable range;
(6) Processing personal information disclosed by individuals or other legally disclosed personal information within a reasonable scope in accordance with the provisions of this law;
(7) Other circumstances stipulated by laws and administrative regulations.
What is consent?
The use of the personal information must be explicit, specific and relevant and limited in scope to the purpose for which the ‘processor’ (controller under the GDPR) gains that consent. There is no ability to process personal data for ‘legitimate interest’. The individual has the right to withdraw their consent and should not be discriminated against (in terms of services and products) for refusing to give their consent for processing their personal information.
What is personal information?
All kinds of information related to identified or identifiable natural persons recorded electronically or by other means, excluding anonymised information.
What is anonymisation?
Anonymisation is a process by which personal information cannot be used to identify specific natural persons and the personal information cannot be restored after processing (Arts 4 and 73).
What is sensitive personal information?
Sensitive personal information is a little wider than under the GDPR and is defined as data that can easily lead to the infringement of the personal dignity of natural persons or harm to personal and property safety, including biometrics, religious beliefs, specific identities, medical health, financial accounts, information such as whereabouts, as well as personal information of minors under the age of fourteen. So, location data, financial information and information about children under 14 are additionally included.
What additional rules are in place when processing sensitive personal information?
Aside from the consent requirements and the obligation to provide a notice on the treatment of the individual’s data, the processing of sensitive personal information must only be carried out for a specific purpose, where it is necessary and where strict security measures for its protection are applied.
What is handling (processing)?
The handling of personal information includes the collection, storage, use, processing, transmission, provision, disclosure, deletion, etc. of personal information, but excludes activities conducted by natural persons due to their personal or family affairs.
Does a record of all the processing need to be kept and do I need to perform a data protection impact assessment?
Article 55: In any of the following circumstances, the personal information processor shall conduct a personal information protection impact assessment in advance and record the processing situation:
(1) Processing sensitive personal information;
(2) Using personal information to make automated decision-making;
(3) Entrusting the processing of personal information, providing personal information to other personal information processors, or disclosing personal information;
(4) Providing personal information abroad;
(5) Other personal information processing activities that have a significant impact on personal rights and interests.
Article 56: Personal information protection impact assessment shall include the following contents:
(1) Whether the processing purpose and processing method of personal information are legal, proper and necessary;
(2) Impact on personal rights and security risks;
(3) Whether the protective measures adopted are legal, effective and compatible with the degree of risk.
The personal information protection impact assessment report and processing record shall be kept for at least three years.
Do Chinese individuals have the rights given to them under the GDPR?
A Chinese citizen has the right to:
There are no time limits set out for adhering to these requests; they must be dealt with in a timely manner.
If the processor fails to comply with the request, the individual may file a lawsuit in a people’s court. (The GDPR allows the individual to make a complaint to a regulator as well as taking legal action).
What are the penalties for failing to comply with the DSL?
What are the penalties for failing to comply with the PIPL?
Do the authorities have any other powers?
Article 42: Where foreign organisations and individuals engage in personal information processing activities that infringe upon the personal information rights of citizens of the People’s Republic of China or endanger the national security and public interests of the People’s Republic of China, the CAC may restrict or prohibit them. The list of personal information provided shall be announced and measures such as restricting or prohibiting the provision of personal information shall be taken.
Article 43: Where any country or region adopts discriminatory prohibitions, restrictions, or other similar measures against the People’s Republic of China in terms of personal information protection, the People’s Republic of China may take corresponding measures against the country or region based on actual conditions.