15 Points You Need to Know about China's Personal Information Protection Law

avatar

It may be one of the strictest personal information protection legislation worldwide.

China’s first Personal Information Protection Law (“PIPL”) was promulgated on 21 Aug. 2021 and will be in effect since 1 Nov. 2021.

The law has 74 articles in total. The 15 Key points of the law that are most worth noticing are as follows.

1. Does China’s PIPA apply to foreign companies?

As long as you handle the personal information of natural persons within China, you need to comply with PIPA. (Article 3)

The law also applies to activities outside China that handle the personal information of natural persons who are in China under any of the following circumstances

(1) the activities are to provide products or services to natural persons in China.

(2) the activities are to analyze and evaluate the behavior of natural persons in China.

(3) other circumstances specified by other Chinese laws and administrative regulations.

2. Can personal information in China be transferred outside of China?

Yes, provided that the following two prerequisites are met.

First, the transfer has been approved by the Chinese regulatory authorities. (Article 38)

Second, the processor of the personal information has obtained the separate consent of that person for this purpose. (Article 39)

3. Can personal information collected and generated in China be stored outside of China?

In principle, no. (Article 40)

Firstly, operators of critical information infrastructure can only store personal information within China.

Secondly, if a personal information processor handles personal information up to the amount specified by the regulatory authorities, it can only store personal information within China.

4. Will foreign entities be punished for violating China’s PIPA?

Yes.

The Chinese regulatory authorities may include them in the list of restricted or prohibited personal information, and restrict or prohibit other subjects from providing personal information to them. (Article 42)

5. Can foreign judicial organs and law enforcement agencies request access to personal information stored in China?

Foreign judicial organs can only obtain such personal information through judicial assistance. (Article 41)

The processor of personal information shall not provide such personal information to foreign judicial or law enforcement agencies without the approval of the competent Chinese authorities.

6. How does China resolve conflicts with foreign personal information protection rules?

If any country or region takes discriminatory prohibitions, restrictions, or other similar measures against China in the protection of personal information, China may take reciprocal measures against such country or region in accordance with the actual situation. (Article 43)

7. What kind of information does China’s PIPA regulate?

Personal information. If the information can be identified as relating to a specific natural person, then it is personal information. (Article 4)

8. What kind of activities does China’s PIPA regulate?

The handling of personal information includes collection, restoration, usage, process, transmission, provision, disclosure, and deletion of personal information. (Article 4)

9. Under what circumstances can personal information be processed?

The processor of personal information may process personal information in two cases: where the consent of the individual concerned has been obtained; or where the consent of the individual is not required for the processing of the information.

Cases, where individual consent is not required, include:

(1) The processor of personal information concludes a contract with a natural person and the collection of personal information is necessary for the performance of a contract;

(2) A company collects necessary employee information for human resources management.

(3) Personal information is collected in order to respond to a health emergency.

(4) Personal information is collected for press coverage for the public interest.

(5) Personal information that has been made public (limited to a specific purpose).

10. How does a personal information processor obtain the consent of an individual?

Before handling personal information, the personal information processor shall inform the individual of the following information faithfully, accurately, and completely, in a prominent manner and in clear and understandable language:

(1) The identity of the personal information processor.

(2) How the personal information will be processed.

(3) How the individual will exercise his/her rights with respect to personal information.

11. What rights does an individual have with respect to his or her personal information?

Individuals have the right to know and decide on the handling of their personal information. (Article 44)

To be specific,

(1) Individuals have the right to inspect and copy their personal information from the person handling their personal information; (Article 45)

(2) Individuals have the right to request the personal information processor to correct or supplement their personal information if they find the information inaccurate or incomplete; (Article 46)

(3) The individuals have the right to withdraw their consent at any time (Article 15)

(4) The individuals have the right to request the personal information processor to explain and clarify the rules for handling their personal information. (Article 48)

12. How do state organs handle personal information?

State organs may handle personal information for the purpose of performing their legal duties, but they must do so in accordance with statutory authority and procedures. (Article 34)

State organs shall inform individuals about the handling of their personal information. However, the state organs may not inform the individuals if the law provides that such handling shall be kept confidential. (Article 35, Article 18)

13. Can personal information processors collect personal information in public places?

Yes, they can, provided that the following requirements must be met (Article 26):

(1) the collection is necessary for public security;

(2) the collection complies with the relevant legal provisions;

(3) the collection sets up a prominent reminder.

14. Can a processor of personal information use personal information to make business decisions?

Yes, but they shall ensure the transparency of the decision and the fairness and impartiality of the results. (Article 24)

To be specific:

(1) Personal information processors shall not offer personalized trading conditions to individuals, such as price discrimination.

(2) Individuals may refuse personalized information pushing and commercial marketing by personal information processors to them.

(3) Individuals may refuse automated decisions made by personal information processors to them.

15. who is the regulatory authority for personal information protection in China?