The National People's Congress of China, after three deliberations, adopted the Personal Information Protection Law (‘PIPL’) on August 20, 2021. It will become effective from November 1, 2021.
The principle of PIPL
PIPL establishes the principle of personal information protection, and its core rule is that informed consent is the basis for deciding on the processing of personal information. The processing of personal information must have a clear and reasonable purpose, be directly related to that purpose, and be carried out in a manner that has minimal impact on the rights and interests of individuals.
Obligations of personal information processor
Personal information processors are required to formulate internal management systems and operating procedures in accordance with the law. They are required to take appropriate security measures and conduct regular compliance audits of their personal information activities. They should conduct prior impact assessments of high-risk processing activities, such as the processing of sensitive personal information, the use of personal information for automated decision-making, and the provision or disclosure of personal information, and fulfill the obligations of personal information disclosure notification and remediation.
Special attention to cross-border personal information delivery
Personal information processors may provide personal information to a recipient outside China due to business necessity after satisfying at least one of the following conditions:
When personal information is provided abroad, the person handling the personal information shall take the necessary measures to ensure that the activities of the overseas recipient in processing personal information meet the standards for the protection of personal information stipulated in this Law.
Supervisory authorities and legal liabilities for non-compliance
The Personal Information Protection Law does not provide for a single supervisory authority in charge of personal information protection matters. Specifically, the Cyberspace Administration of China is responsible for the overall coordination of personal information protection as well as relevant supervision and regulatory issues. The relevant authorities at the different levels are responsible for personal information protection and the supervision thereof within their respective scopes of duties.
The law establishes rigorous punitive measures for violations of personal information protection. Violators may be subject to confiscation of illegal gains, a fine of up to RMB 50 million or 5% of their turnover for the previous year, business suspension or revocation of their business license. Any person with direct responsibility will be fined up to RMB 1 million and may also be banned from serving as a director, supervisor, senior officer, or personal information protection officer of the relevant company for a certain period of time.
Shenzhen regional data protection law
Further, the Shenzhen Municipal People’s Congress approved a regional data protection law, the 'Data Regulation of the Shenzhen Special Economic Zone' (“Shenzhen Data Regulations”), on June 29, 2021, and it will be effective from January 1, 2022.
Some highlights of the regulations are as follows:
Implication