China’s personal data regulation – Personal Information Protection Law (PIPL) explained

An analysis of PIPL, the Chinese equivalent of the GDPR, which applies to the processing of personal information both within China and outside of China.

PIPL is broadly the equivalent of Europe’s GDPR. Crossing certain volume thresholds for processing personal data can lead to a requirement for storing that data in China.
Related laws and mechanisms required to permit full compliance with the PIPL continue to be a work in progress.

PIPL applies to the processing of:

  • personal information of natural persons within China;
  • such personal information outside of China, where the processing is carried out:
    • to provide products or services to individuals in China;
    • to analyse and evaluate the behaviour of individuals in China;
    • in other circumstances prescribed by other laws and regulations.

PIPL, Article 3

Personal Information is defined as ‘All kinds of recorded information related to identified or identifiable natural persons’.

Anonymized information is specifically excluded.

The processing of personal information includes its:

  • Collection;
  • Storage;
  • Use;
  • Processing;
  • Transmission;
  • Provision;
  • Disclosure;
  • Deletion;
  • Etc.

PIPL, Article 4; Guidance

Personal information can only be processed:

  • with the consent of the individual;
  • without their consent where it is necessary for the:
    • performance or conclusion of a contract to which an individual is a party;
    • implementation of human resources management in accordance with labor rules and collective contracts;
    • performance of legal duties or legal obligations.

A personal information processor is defined as:

  • the organization or individual who independently decides the purpose and method of processing in personal information processing activities.

PIPL, Article 73

Personal information processors are responsible for information they process and its security. A personal information processor can entrust the processing of personal information to a ‘trustee’, ‘trusted-party’ or ‘sub-processor’ (the translation of this varies) with whom it must agree on the:

  • purpose;
  • time limit;
  • processing method;
  • type of information;
  • protection measures;
  • as well as the rights and obligations of both parties.

The trustee must process the personal information in accordance with the agreement and not beyond the agreed processing purpose and method.

The personal information must either be deleted by the trustee or returned to the information processor upon the revocation or termination of the agreement.

PIPL, Article 21; Guidance

Article 21 is a simplified equivalent of GDPR Article 28 and reinforces the identification of a personal information processor under PIPL with a data controller under GDPR.

Personal information processors who exceed a certain threshold of personal information are required to store personal information in China.

At the present moment this threshold is stipulated in a draft version of the Measures for Data Security Assessment, and applies to personal information processors that:

  • process personal information of 1 million individuals or above and move any personal information outside of China;
  • move personal information of more than 100,000 individuals outside of China;
  • move sensitive personal information of more than 10,000 individuals outside of China.

If the thresholds are exceeded and it is still necessary to move information outside of China, the personal information processor must pass a security assessment organised by the Cyberspace Administration of China (CAC).

PIPL, Article 38 and Article 40; Guidance

The personal information processor must determine whether it exceeds any of these thresholds. If so, engagement with the CAC in order to conduct a security assessment will be required.

If the personal information processor has not exceeded the thresholds outlined in Article 40 but, as a result of business requirements, still moves personal information outside of China, it must meet one of the following conditions:

  1. undergo certification conducted by a professional organization;
  2. enter into a contract with the overseas recipient in accordance with the standard contract formulated by the CAC;
  3. other conditions stipulated by laws, administrative regulations or the CAC.

PIPL, Article 38; Guidance

No list of or information on the professional organisations that are approved by the CAC to certify personal information processors appears to have yet been released (March 2022).

The standard contractual clauses approach appears to be modelled on GDPR, but it does not appear that the CAC has published its own standard contractual language at this point in time (March 2022).

The language here, indicating that only one of a list of conditions needs to be met, requires further investigation. It would follow that it would be possible to meet the requirements stipulated by Article 38 by simply meeting one of the ‘other conditions’, which does not feel right.

Personal information processors are required to take the following measures to prevent alteration, unauthorized access, leakage or loss of personal information:

  1. Formulate internal management systems and operating procedures
  2. Implement classified management of personal information
  3. Adopt technical security measures such as encryption and de-identification
  4. Put in place reasonable operational safeguards on access, and provide regular security education and training to operational staff
  5. Formulate and organise the implementation of emergency plans for personal information security incidents
  6. Other measures prescribed by laws and regulations

PIPL, Article 51

Personal information processors outside of China are required to establish specialized agencies or appoint designated representatives within China to be responsible for the handling of personal information protection-related affairs.

PIPL, Article 53; Guidance

It is unclear whether an office in China would qualify as a China based representative. No guidance on how a China based representative or agency could be appointed or established could be found at the present time (March 2022).

Personal information processors are required to conduct regular compliance audits on the handling of personal information.

PIPL, Article 54

Where personal information is sent outside of China the personal information processor must conduct an impact assessment on personal information protection and record the results in advance.

PIPL, Article 55

The impact assessment of personal information protection must include:

  1. Whether the purpose and method of processing personal information is legal, legitimate and necessary
  2. Impact on personal rights and security risks
  3. Whether the protective measures taken are legal, effective and commensurate with the degree of risk

The record/results of the assessment must be kept for three years.

PIPL, Article 56

Also worth noting in connection with Article 56 is that Article 5 of the CAC Measures for Data Security Assessment also requires a data processor (the terminology used in that piece of draft regulation) to conduct a self-assessment of data export risk before sending ‘data’ outside of China, which focuses on:

  1. The legitimacy, necessity, purpose, scope and method of the data export
  2. The quantity, scope, type and sensitivity of the data being exported, the risks of the data being exported to national security and public interest and the legitimate rights and interests of individuals or organizations
  3. Whether the management, technical measures and capabilities of the data processor in the data transfer process can prevent risks such as data leaks or damage
  4. The responsibilities and obligations undertaken by the recipient of the data outside of China and whether their management, technical measures and capabilities can ensure the security of the data
  5. Risks of leakage, damage, tampering or abuse after the data leaves China and whether the channels for individuals in China to safeguard their personal information rights and interests remain unobstructed
  6. Whether the data export contract with the recipient outside of China fully stipulates the responsibility and obligation for the protection of data