Global menu

Our global pages

Close

Arrival of the PIPL: Consolidating the personal information regime in the PRC 《中华人民共和国个人信息保护法》的落实:将巩固中华人民共和国的个人信息保护制度

  • China
  • Hong Kong
  • Privacy, data protection and cybersecurity

30-08-2021

 

The People’s Republic of China (“PRC”) Personal Information Protection Law (“PIPL”) was finally passed on 20 August 2021, and will come into effect on 1 November 2021.

Since the draft was first published in 2020, the PIPL has attracted a lot of attention from the public. Importantly, non-compliance with the PIPL may attract a fine at 5% of the annual turnover of an organisation. If you would like to understand in detail how PIPL affects your organisation and/or your data processing activities in the PRC, please let us know. There are just under 60 days to go!

1.    What is the PIPL?

The PIPL is the primary data privacy legislation in the PRC relating to how personal information should be collected, used, processed, kept and transferred. That is, it is the first cross-sector data privacy regime to be announced in the PRC.  The PIPL can be found here (in Chinese).

That said, it is important to understand that the PRC has a complicated data privacy and cybersecurity framework. As such, organisations are still required to comply with other laws and regulations relating to the wider cybersecurity framework (including the PRC Cybersecurity Law and the PRC Data Security Law (which became effective on 1 September 2021)). We anticipate that additional guidelines will soon be published by the PRC regulatory authorities which shall provide further guidance on how the PIPL principles should be implemented. Accordingly, we strongly recommend all organisations should continue to closely monitor any latest developments in this regard.

2.    Does the PIPL apply only to personal information processing within the PRC?

The PIPL applies to data processing activities within the PRC. Importantly (and perhaps unsurprising given the general direction of travel of other major data privacy reforms taking place around the world), it also has extra-territorial effect. Specifically, the PIPL also applies to the processing of PRC residents’ data outside of the territory of the PRC:

  • For the purposes of providing services or products to PRC residents;
  • To analyse or assess behaviour of PRC residents; or
  • For any reasons as required by law.

3.    What are “personal information” and “sensitive personal information”?

Personal information refers to any kind of information relating to an identified or identifiable natural person (whether electronically recorded or otherwise). The PIPL officially clarifies in the form of legislation that anonymised data does not constitute “personal information”.

Sensitive personal information refers to personal information which, once leaked or illegally used, will easily lead to infringement of human dignity or harm to the personal or property safety of a natural person. Some examples of sensitive personal information include (but not limited to) biometric data, health information, financial account information, location data and minors’ data (i.e. those aged 14 or below) etc.

4.    How can we process personal information lawfully?

Generally, express notice and consent is still required for processing personal information. That being said, the PIPL provides alternative legal bases for processing personal information as follows:

  • Necessary to conclude or perform a contract to which the individual is a contracting party or carry out human resources management under an employment policy legally established or a collective contract legally concluded (in particular, we note that the latter is newly added in the final draft of the PIPL. The current wording of the PIPL is broad and the scope of “necessity for carrying out human resource management” will likely be subject to more clarification from the authorities after the PIPL becomes effective);
  • Necessary for statutory duties and responsibilities;
  • Necessary to respond to public health emergencies or to protect natural person’ lives and health, or their property in an emergency;
  • Processing personal information within a reasonable scope to implement news reporting, public opinion supervision, and other such activities for the public interests;
  • Processing personal information legally disclosed within a reasonable scope in accordance with the PIPL; and
  • Other circumstances as required by laws and regulations.

“Separate” specific consent is also a new concept introduced by the PIPL which is required for the following types of processing. Nevertheless, there is still some uncertainty as to precisely what “separate” specific consent means in practice.  As mentioned above, we anticipate this will be a matter to be clarified in the upcoming guidance.

  • Processing sensitive personal information;
  • Overseas transfers of personal information;
  • Disclosure of personal information to the public;
  • Provision of data to another data controller for processing; and 
  • Use of any data collected through image or identification device in public for purposes and else from maintaining public security.

5.    Do we need to keep personal information within the PRC?

Although the PIPL introduces a robust cross-border data transfer restriction, overseas data transfers may be permitted if:

  • Notice is given, and “separate” specific consent is obtained from the data subject (see above);
  • The organisation has satisfactorily undertaken a personal information impact assessment (“PIIA”);
  • Necessary measures are adopted to ensure the data recipient’s data processing activities comply with the standards comparable to the PIPL (e.g. adequate contractual assurances, due diligence on the data recipient); and
  • At least one of the following has to be fulfilled before the transfer:
    • The Cyberspace Administration of China (“CAC”) security assessment has been passed (this is a mandatory requirement for critical information infrastructure operators (“CIIOs”) and network operators who process personal data with a volume exceeding a certain threshold (undefined at this stage));
    • Certification from a CAC-accredited agency has been given;
    • The organisation has adopted a set of model clauses approved by CAC with the data recipient to facilitate overseas data transfers (though these model clauses have yet been published); or
    • Transfer is required to comply with laws and regulations or other requirements imposed by CAC.

6.    What are the security requirements?

Personal information must be kept confidential. Security measures should be deployed in accordance with the technical standards as required under the PRC Cybersecurity Law and PRC Data Security Law. In practice, organisations should monitor technical standards published by the PRC regulators, particularly the National Information Security Standardisation Technical Committee of China (“TC260”) and any sector-specific regulators, such as the People’s Bank of China for financial services.

If an organisation is a CIIO, the PIPL requires the organisation to implement additional safeguards for the processing of sensitive personal information.

7.    What is “Right of Portability”?

Similar to the data subject right of the same name introduced under the GDPR, PIPL now gives data subjects the right of portability. This means individuals may obtain their information held by data controllers, and request that it be transferred for their own purposes.

That said, the PIPL has yet outlined the conditions required for individuals to exercise this right. We anticipate further guidelines will be published to clarify on this point.

8.    What are the requirements for processing personal information of minors?

Organisations that process minors (i.e. 14 years old or younger)’ personal information must have in place specific policies and regulations dealing with minors’ personal information. This appears aligned with the existing minors’ data regulations (including the Regulation on Cyber Protection of Children’s Personal Information, which was published by the CAC in 2019).

9.    Are there any other new requirements for processing personal information?

Organisations that are: (i) “important internet platform operators”; (ii) data controllers processing data of a “large volume of users”; or (iii) complex businesses” are required to comply with the following additional measures:

  • establishing a sound personal information protection compliance system and set up an independent supervisory body mostly composed of external members;
  • developing platform rules in accordance with the principles of openness, fairness, and impartiality, specifying the standards for personal information processing and protection;
  • ceasing the provision of services to any product or service provider which violated the law or administrative regulation; and
  • publishing social responsibility report on personal information protection from time to time, and to be supervised by the public.

10. Does the PIPL require a uniform application to all organisations?

The PIPL has now introduced a concept of “small personal information processors”, which appears to be designed to address the regulatory compliance concerns (and associated costs) of smaller processors. That said, the PIPL has not provided any further guidance on this, and we expect the CAC will develop further rules and standards for these smaller processors. 


《中华人民共和国个人信息保护法》(“《个人信息保护法》”)最终于2021年8月20日通过,并将于2021年11月1日起生效。

自《个人信息保护法》草案于2020年首次发布以来,该法一直引起公众的广泛关注。重要的是,违反《个人信息保护法》,罚款可达相等于组织营业额百分之五的金额。如欲了解更多关于《个人信息保护法》可能会为您的组织,以及您的组织在中华人民共和国(“中国”)的数据处理活动带来的影响,请与我们联系。该法还有不到60天就会生效!

1.什么是《个人信息保护法》?

《个人信息保护法》是中国关于如何收集、使用、处理、保存和传输个人信息的主要数据隐私法规。也就是说,这是中国第一个跨行业领域的数据隐私制度。请按阅览《个人信息保护法》(仅有中文版本)。

然而,中国的数据隐私和网络安全框架是更为复杂的。因此,组织仍需遵守其他更广泛的网络安全框架相关的法律法规(包括《中华人民共和国网络安全法》 以及于 2021 年 9 月 1 日起生效的《中华人民共和国数据安全法》)。我们预计中国有关监管机构将很快会发布更多指引,就如何实施 《个人信息保护法》的原则提供进一步指导。因此,我们强烈建议所有组织应继续密切关注在这方面的最新发展。

2. 《个人信息保护法》是否仅适用于中国境内的个人信息处理?

《个人信息保护法》适用于中国境内的个人信息处理活动。更重要的是,它同时具有域外效力 (鉴于世界各地的主要数据隐私改革的大方向,这也是意料之内)。具体来说,在中国境外处理中国境内自然人个人信息的活动,有下列情形之一的,也适用《个人信息保护法》:

  • 以向境内自然人提供产品或者服务为目的;
  • 分析、评估境内自然人的行为;或
  • 法律、行政法规规定的其他情形。

3. 什么是“个人信息”和 “敏感个人信息”?

个人信息是指(以电子或者其他方式记录的)与已识别或者可识别的自然人有关的各种信息。《个人信息保护法》正式澄清匿名化的信息并不构成“个人信息”。

敏感个人信息是指一旦泄露或者非法使用,容易导致自然人的人格尊严受到侵害或者人身、财产安全受到危害的个人信息。这包括(但不限于)生物识别、医疗健康、金融账户、行踪轨迹,以及未成年人(即不满十四周岁)等信息。

4. 我们可以如何合法地处理个人信息?

一般而言,处理个人信息前,仍需明确预先通知个人,并取得个人明示同意。话虽如此,《个人信息保护法》 另为处理个人信息提供了替代法律依据,包括:

  • 为订立、履行个人作为一方当事人的合同所必需,或者按照依法制定的劳动规章制度和依法签订的集体合同实施人力资源管理所必需(尤其是,我们注意到后者是在《个人信息保护法》的最终草案中新增的。《个人信息保护法》目前的措辞很宽泛。我们预计有关监管机构可能在《个人信息保护法》生效后,对“实施人力资源管理所必需”的范围作出更多澄清);
  • 为履行法定职责或者法定义务所必需;
  • 为应对突发公共卫生事件,或者紧急情况下为保护自然人的生命健康和财产安全所必需;
  • 为公共利益实施新闻报道、舆论监督等行为,在合理的范围内处理个人信息;
  • 依照《个人信息保护法》规定在合理的范围内处理已经合法公开的个人信息;及  
  • 法律、行政法规规定的其他情形。

“单独”特定同意是 《个人信息保护法》 引入的一个新概念。在以下情况下需要“单独”特定同意。尽管如此,关于“单独”特定同意在实践中的确切含义仍存在一些不确定性。如上所述,我们预计这事宜将在即将发布的指引中得到澄清。

  • 敏感个人信息的处理;
  • 个人信息跨境传输;
  • 将其处理的个人信息于公开渠道发布;
  • 个人信息处理者向其他个人信息处理者提供其处理的个人信息;及
  • 使用任何在公共场所安装图像采集、个人身份识别设备所收集,而用于除了维护公共安全以外的目的的信息。

5.  我是否需要将个人信息保存在中国境内?

虽然《个人信息保护法》引入了稳健的跨境数据传输限制,以下情况下可能允许个人信息的跨境传输:

  • 通知个人信息主体有关其个人信息跨境传输的事实,并从个人信息主体获得“单独”的特定同意(见上文);
  • 组织已进行个人信息安全影响评估(“安全影响评估”)并符合要求;
  • 采取必要措施,以确保个人信息接收方的个人信息处理活动符合与《个人信息保护法》相当的标准(例如充分的合同保证、对个人信息接收方的尽职调查);以及
  • 在个人信息的跨境提供前,必须至少满足以下其中一项:
    • 已通过国家互联网信息办公室的安全评估(这是对关键信息基础设施运营者和处理个人信息超过一定数量(此处未定义)的网络运营商的强制性要求);
    • 已获得按照国家互联网信息办公室的规定经专业机构进行个人信息保护认证;
    • 该组织按照国家互联网信息办公室制定的标准合同与境外接收方订立合同以便跨境提供个人信息(尽管这些标准合同尚未公布);或
    • 个人信息的跨境提供是为了遵从法律、行政法规或者国家互联网信息办公室规定的其他条件。 

6. 信息安全和保密要求有什么?

个人信息必须保密。组织应按照《中华人民共和国网络安全法》 和《中华人民共和国数据安全法》规定的技术标准部署安全措施。在实践中,组织应监控中国监管机构发布的技术标准,特别是全国信息安全标准化技术委员会(“信息安全标委会”)以及任何行业特定的监管机构,如中国人民银行对金融服务机构所发布的技术标准。

如果组织属于关键信息基础设施运营者,《个人信息保护法》要求其组织对敏感个人信息处理实施额外的安全保护措施。

7. 什么是个人信息可携带权

与欧盟《通用数据保护条例》(GDPR)引入的同名个人信息权利类似,《个人信息保护法》现在赋予个人信息主体可携带权。这意味着个人可以从个人信息控制者获取其持有他们自己的信息,并为自己的目的要求转移这些信息。

然而,《个人信息保护法》 尚未概述个人行使这一权利所需的条件。我们预计有关监管部门将会发布进一步的指引以澄清这一点。

8.未成年人个人信息的处理有哪些要求?

处理未成年人(即不满十四周岁)个人信息的组织必须制定处理未成年人个人信息的具体政策和法规。这似乎与现有的未成年人个人信息的法规一致(包括国家互联网信息办公室于 2019 年发布的《儿童个人信息网络保护规定》)。

9. 是否还有其他有关处理个人信息的新要求?

(一)提供“基础性互联网平台服务”的组织; (二)“用户数量巨大”的个人信息处理组织;或(三)“业务类型复杂”的个人信息处理组织均必须遵守额外义务:

  • 按照国家规定建立健全个人信息保护合规制度体系,成立主要由外部成员组成的独立机构对个人信息保护情况进行监督;
  • 遵循公开、公平、公正的原则,制定平台规则,明确平台内产品或者服务提供者处理个人信息的规范和保护个人信息的义务;
  • 对严重违反法律、行政法规处理个人信息的平台内的产品或者服务提供者,停止提供服务;以及
  • 定期发布个人信息保护社会责任报告,接受社会监督。

 

10.在《个人信息保护法》下,是否所有类型的组织都受同一标准的规管?

《个人信息保护法》现在引入了“小型个人信息处理者”的概念,似乎是旨在解决较小型个人信息处理者的监管合规顾虑(以及相关成本)。然而,《个人信息保护法》没有就此提供任何进一步的指引,我们预计国家互联网信息办公室将为这些较小型个人信息处理者制定进一步的规则和标准。

Scope of Application of PIPLScope of Application of PIPL