China - Personal Information Protection Law (“PIPL”) to be effective from November 1, 2021 and Shenzhen’s Data Regulation to be effective from January 1, 2022

National People's Congress of China, after three deliberations, adopted the Personal Information Protection Law on (‘PILP’) August 20, 2021, which will become effective from November 1, 2021.

The principle of PIPL

PIPL establishes the principle of personal information protection, and the core rule is to use informed consent as a basis to decide on the processing of personal information. The processing of personal information is required to have a clear and reasonable purpose and it shall be directly related to the purpose of processing, in a manner that has minimal impact on the rights and interests of individuals.

Obligations of personal information processor

Personal information processors are required to formulate internal management system and operating procedures in accordance with the law. They are required to take appropriate security measures, conduct regular compliance audits of the personal information activities and conduct automated decision-making concerning the processing of sensitive personal information, the use of personal information. They should conduct prior impact assessment of high-risk processing activities such as the provision or disclosure of personal information and fulfill the obligations of personal information disclosure notification and remediation.

Special attention to cross-border personal information delivery

Personal information processors may provide personal information to a recipient outside China due to business necessity after satisfying at least one of the following conditions:

• A security assessment organized by the national cyberspace authority has been passed.
• Certification of personal information protection has been given by a professional institution.
• A contract has been concluded with the overseas recipient based on the standard contract provided by the national cyberspace authority, specifying the rights and obligations of both parties.

When personal information is provided abroad, the person handling the personal information shall take the necessary measures to ensure that the activities of the overseas recipient in processing personal information meet the standards for the protection of personal information stipulated in this Law.

Supervisory authorities and legal liabilities for non-compliance

The personal information protection law does not provide for a single supervisory authority in charge of personal information protection matters. Specifically, the Cyberspace Administration of China is responsible for the overall coordination of personal information protection as well as relevant supervision and regulatory issue. The relevant authorities at the different level are responsible for personal information protection and the supervision thereof within their respective scopes of duties.

The law establishes rigorous punitive measures for violation of personal information protection. Violators may be subject to confiscation of illegal gains, a fine up to RMB 50 million or 5% of the its turnover for previous year, business suspension or revocation of Business License. Any person with direct responsibility will be fined up to RMB 1 million and may also be banned from serving as a director, supervisor, senior officer, or personal information protection officer of the relevant company for a certain period of time.

Shenzhen regional data protection law

Further, Shenzhen Municipal People’s Congress has approved regional data protection law, 'Data Regulation of the Shenzhen Special Economic Zone' (“Shenzhen Data Regulations”) on June 29, 2021, and it will be effective from January 1, 2022.

Some highlights of the regulations are as follows:

• Shenzhen Data Regulations have the same set of rules for data processing as mentioned in PIPL.
• Violation of the personal data protection and data security rules could attract fines up to 5% of turnover but not more than CNY 50 million.
• Similar to PIPL, Shenzhen Data Regulations restrict discriminatory treatment to customers by using data profiling.
• Shenzhen Data Regulations provide a Five Data Minimization Tests that personal data shall have a direct relation with the processing purpose, the amount and frequency of data processing shall be minimum, time of personal data storage shall be the minimum and only the authorized person shall be allowed to access the minimum amount of personal data information.

Implication