Article
Analysis of the Highlights of the Personal Information Protection Law
The Personal Information Protection Law of the People's Republic of China (hereinafter referred to as the "PIPL") is adopted at the 30th Session of the Standing Committee of the 13th National People's Congress of the People's Republic of China on 20 August 2021, and will be effective from 1 November 2021. As a special legislation on personal information protection, the PIPL contains the basic principles, requirements and related systems for the protection of personal information. In previous articles, we shared the original text of the PIPL (approved draft) and its similarities and differences with the second draft for review. In this article, we will provide additional insights into the legislative intent and implications of the highlight provisions of the PIPL (including conflicts and compatibility within the data protection legislative system, differences with other data protection legislation (e.g., GDPR), legislative intent and reservation provisions), and the implication recommendations of these provisions for corporate privacy governance.
1. Legislative Positioning of the PIPL
(1) Basic legislative positioning
First, in terms of the level of effectiveness, the PIPL is a legal code enacted by the Standing Committee of the National People's Congress, which is effective throughout the country and is at the top of our country's legal hierarchy. The effectiveness of the PIPL is higher than that of the State Council’s departmental rules, national standards, local laws and regulations and industry-related self-discipline norms formulated by the State Council. This shows that the state attaches great importance to the protection of citizens' personal information.
Second, in terms of the regulated object, the PIPL is a special law on the protection of personal information. Although there are provisions for personal information protection in China's basic laws such as the Civil Law and the Criminal Law, most of the provisions are scattered and do not provide a complete and systematic protection of personal information. However, these scattered regulations have laid a legal and rational basis for the specific personal information protection legislation. On the basis of these regulations, the PIPL has formed a complete system of systematic, targeted, and operable specialized regulations.
Therefore, the PIPL is a special personal information protection legislation with high levels of effectiveness. It solves the problem of inadequate and scattered personal information protection legislation, and opens a new chapter of personal information protection for citizens in China.
(2) Connection and coordination with other data and personal information legislation
- The Data Security Law
The Data Security Law, which will enter into force on 1 September 2021, is recognized as the general and basic law in the field of data protection in China. In terms of the regulated object, according to Article 3 of this law, "For the purpose of this Law, data shall refer to any record of information in electronic or other form". The connotation of "data" under this law includes personal information and all other types of information.I In terms of regulatory contents, the provisions of this law are macro and fundamental in nature and establish a number of basic systems for national data security management. Therefore, from the perspective of legislative intent, the Data Security Law is the basic law in the field of data in China. The PIPL, as a law that specifically regulates the protection of personal information, is essentially an extension of the principles of the Data Security Law in the field of personal information protection.
- The Cybersecurity Law
According to Article 76 of the Cybersecurity Law, "network data" is "all kinds of electronic data collected, stored, transmitted, processed and generated through the network", and its regulated object is limited to all electronic data generated in cyberspace, without distinguishing whether it has the attributes of personal information. The PIPL breaks through the spatial limitation and expands the object of regulation to all data in all carriers, and limits its attributes to the scope of personal information. The two laws have different but complementary objects of regulation and impose requirements on network security and information protection from different perspectives.
2. Legislative Value of the PIPL
In addition to the principles prevailing in data protection legislation in countries around the world, the provisions of the PIPL reflect a number of additional considerations that differ from the prevailing principles. An understanding of these value considerations is fundamental to a full comprehension of the provisions of the PIPL.
(1) Seek a delicate balance between national data security and digital dividends
With the rapid development of digital industry, big data, and cloud computing technology in countries around the world, the effective use of data will have a more profound impact on the global economy, and the resulting contradiction between data dividend and data security will also significantly affect the future direction of the digital economy. In order to balance the contradiction between the two and seize the advantages for the new round of economic competition, countries around the world have established and improved domestic rules on personal information protection, and actively promoted and participated in the formulation of international rules.
The PIPL fully reflects China's balance between data dividend and data security. For example, the PIPL clarifies the legal basis applicable in the employment scenario, greatly reducing the burden of compliance management of personal information protection within enterprises. In respect of cross-border rules, the PIPL establishes a graded management strategy based on different subjects and the degree of risk of data, which is conducive to the promotion of enterprise development while ensuring security.
(2) Promote differentiated design based on China's national conditions and seek to clarify the ambiguity of international privacy protection legislation
In the current context of the rapid development of deeply integrated information technologies such as big data and cloud computing, it can be said that the timing is just right to promote personal information protection legislation in China. According to Deloitte statistics, as of June 2021, more than 80% of countries around the world have or are in the process of enacting PIPL. On the one hand, PIPL provides China's legislators with some basic principles and ideas, and on the other hand exposes some problems that have not yet been clearly defined.
Based on this, on the one hand, China can base on the existing ideas and take into account China's national conditions to achieve differentiated system design, such as a multi-level regulatory agency system and strong regulation of rules on transferring personal information overseas. On the other hand, with respect to the current prevailing ambiguity, China strives to clarify the definition on automated decision-making and the joint and several liability of controllers and processors.
(3) Continuously focus on law enforcement crackdowns and the industry's hot topics
In recent years, there have been frequent data and privacy protection-related legislation and enforcement activities in China. As many high-risk industries and scenarios were exposed, crackdowns were conducted in respect of such scenarios on an ongoing basis. In line with the priorities of enforcement activities, the PIPL incorporates these scenarios and hot topics and seeks to prevent high-risk violations. For example, the PIPL sets a high threshold for processing sensitive information: Personal information processors may process sensitive personal information only when there is a "specified purpose" and "sufficient necessity" and there are "strict measures adopted for its protection". Such provision directly targets the misuse of facial biometric information. Moreover, the PIPL incorporates platform responsibility, and puts forward higher compliance requirements for internet platforms who have relatively large quantities of user access points, and involve large numbers of subjects and complex data processing activities.
3. Twelve Highlights of the PIPL
From the basic principles of personal information processing, to the rules of cross-border provision of personal information, to the rights of individual data subjects, and finally down to the duties and legal responsibilities of the regulator, the PIPL has the following system highlights:
(1) Clarify extraterritorial effects and applicable objects
Topic |
Summary of relevant articles |
Scope of application |
Article 3 The PIPL applies to any activity of processing of personal information that is carried out within the territory of China, and has extraterritorial effects under certain conditions |
Regulated object |
Article 4 Definition of personal information + definition of data processing activities |
There is an international consensus to go beyond the territoriality principle of traditional law and strengthen the extraterritorial effects of data law. The PIPL also adopts a scope of application where there is a combination of the territoriality principle and the personality principle, and establishes extraterritorial effects under its miscellaneous provisions and the circumstances where the purpose of the activity is to provide a product or service to that natural person located within China, or where the purpose of the activity is to analyze or assess the behavior of that natural person located within China. Moreover, Article 53 requires that personal information processors outside the territory of China shall establish a special agency or appoint a representative within the territory of China to be responsible for personal information protection-related affairs, which on the one hand facilitates the implementation of the relevant requirements of the PIPL, and on the other hand facilitates the investigation of liability in respect of the domestic subjects based on judicial sovereignty, so as to effectively realize the supervision of the overseas subjects.
Regarding the object of regulation, the definition of personal information and data processing activities is clarified. The PIPL adopts the concept of "identified" and "identifiable" without further interpretation. Along with a consideration of the definition of "any information that can be used, either alone or in combination with other information, to identify a specific natural person" in Article 1034(2) of the Civil Code and the Cybersecurity Law, the two concepts can be interpreted as follows: "identified" corresponds to "directly located", and "identifiable" corresponds to "identifiable when combined with other information". From this point of view, the PIPL is consistent with the common practice in respect of this core concept. In addition, this article explicitly excludes "anonymized" data from the scope of regulation, but only if the definition in Article 73(4) is met. Anonymized information that is processed to the extent that it cannot identify a specific natural person and cannot be restored to its original state is not personal information, and therefore is not subject to the PIPL.
(2) Expand the legal basis for processing personal information and clarify the effective standards for informing and consent
Topic |
Summary of relevant articles |
Lawful basis |
Article 13 Consent, performance (or human resources management under an employment policy or a collective contract), statutory responsibility or obligation, public health emergency, news reporting for public interest purposes, disclosed information within a reasonable scope, and other circumstances as provided by law. |
Conditions for consent |
Article 14 Consent shall be a voluntary and explicit indication of intent given. Written consent shall be obtained if necessary. In the event of any change of elements, personal consent shall be reobtained. |
Article 15 For the processing of personal information of a minor, personal information processors shall obtain the consent of a guardian of the minor. |
|
Article 16 Users shall have the right to withdraw their consent. |
|
Article 17 A personal information processor shall inform the individual of the matters in a clear, accurate and easy-to-understand manner. Rules of processing of personal information shall be made available to the public and easy to access and store. |
|
Exceptions |
Article 19 Exemption from informing is applicable as provided by law, and informing can be postponed in case of emergencies. |
The PIPL expands the lawful basis for processing personal information, includes other conditions such as performance of agreements and statutory duty into the scope of lawful basis, retains miscellaneous provisions, puts an end to the situation established by the Cybersecurity Law where consent is the only lawful basis for the collection and use of personal information, and echoes Article 1035 of the Civil Code: "Consent shall be obtained from such natural person or his or her guardian, unless otherwise stipulated in laws or administrative regulations". In addition, the PIPL does not include the ambiguous bases of "rights and interests of data subjects" and "legitimate interests of controllers" in the scope of articles in order to avoid expanded interpretation, and on the other hand, it retains flexibility through miscellaneous provisions.
In addition, there are two distinctive lawful bases in the PIPL: "Where it is necessary for carrying out human resources management under an employment policy legally established or a collective contract legally concluded", and "Where the personal information, which has already been disclosed by the individual or otherwise legally disclosed, is processed within a reasonable scope and in accordance with this Law". The determination of the lawful basis in the employment scenario and the questioning of the validity of consent have been a focus of discussion in the industry. Some conservative companies have conducted a great deal of redundant work in human resources management, which has greatly increased the burden of internal management. As a result of thorough consideration of the specificity of the employment scenario and controversial issues, and precise balancing of efficiency and order, the PIPL, for the first time in a forwarding-looking move, establishes employment policies or collective contracts in the employment scenario as lawful bases. In addition, the explicit exclusion of public information from the object of regulation of the PIPL is also a reflection of the above balancing move.
Meanwhile, the PIPL makes clear provisions on the content of informing, with special emphasis on the way and procedure for the individual to exercise his/her rights and the requirement to make rules of processing available to the public. In addition, this article establishes specific conditions for exemptions or postponement of informing as provided by law or in case of emergencies.
(3) Clarify legal liabilities under different external transmission scenarios
Topic |
Summary of relevant articles |
Liability on joint processing |
Article 20 Joint controllers shall agree on their respective rights and obligations, and shall be liable jointly and severally under the law for any infringement of personal rights and interests. |
Liability on contracted processing |
Article 21 The contracted party shall process personal information and accept supervision as agreed. |
Liability on transmission to third party |
Article 23 A personal information processor who is to provide any personal information of an individual processed to a third party shall inform the individual, and obtain consent from the individual. The third party shall process the personal information within the scope of original purpose, method of processing as well as type of personal information. For any change, the third party shall obtain consent from the individual. |
The PIPL divides the sharing of personal information into three scenarios: the joint control scenario, the contracted processing scenario, and the provision-to-third-party scenario.PIPL sets forth different compliance requirements for different scenarios.
Compared to other personal information protection legislation, one of the major innovations of the PIPL is the clarification of the joint and several liability of joint processors, while the attribution of liability is lacking in most of other legislations. Article 20 of the PIPL first defines joint processors as "two or more personal information processors who jointly decide on the purpose and method of the processing of personal information". Meanwhile, based on China's practical needs and the basic position of promoting the legal flow of information, this Article then clearly stipulates that "Personal information processors who jointly process personal information shall be liable jointly and severally under the law for any infringement of personal rights and interests in their joint processing of personal information", which provides a basis for claiming compensation for infringement of rights and interests in the ubiquitous scenario of joint processing.
For the contracted processing scenario, for example the scenario where the "data processor" replaces the "data controller" to carry out part of the data processing in other legislative contexts, and the compliance requirements are consistent with the mainstream legislation. However, it is particularly emphasized that without the prior approval of the contracting personal information processor, the contracted party shall not subcontract the contracted processing of personal information to any other person. Even if the processing of personal information is subcontracted to related companies such as parent company or subsidiary, such case still constitutes a subcontracting event and requires the performance of the obligation to obtain approval.
For the provision-to-third-party scenario, the PIPL clearly stipulates the scope where a personal information processor who is to provide any personal information of an individual processed to a third party shall disclose to the individual, and the provisions of this article are of great practical guidance. In practice, due to the multi-dimensional and intersectional nature of the supply chain, it is extremely difficult to examine, reorganize and disclose the transmission of third-party data assets, and therefore there is a lack of information disclosure. This requirement will force enterprises to examine and reorganize the third-party transmission of data assets, which will be of great benefit to the construction of data asset management system for enterprises.
(4) Establish rules for automated decision-making
Topic |
Summary of relevant articles |
Rules for automated decision-making |
Article 24 Transparency and fairness shall be ensured; individuals shall have the right to refuse; an option not targeting at personal characteristics of the individual shall be provided |
Like other personal information protection legislations, instead of prohibiting automated decision-making, the PIPL sets rules for transparency, fairness and the right to refuse, emphasizing that "no unreasonable differential treatment of individuals in terms of transaction prices or other transaction terms may be implemented", which is directly linked to the crackdown against profiteering on big data. Meanwhile, Article 73 specifies the definition of automated decision-making. Moreover, for marketing and push-based advertising scenarios, the PIPL requires processors to provide an option of "not targeting at personal characteristics of the individual", and the requirement to provide users with the right to refuse targeted push-based advertising. Therefore, in practice product developers are required to establish a mechanism for users to set up personal tags and user profiles at their will, so as to ensure that individuals have absolute control over the use of their information.
(5) Processing of sensitive personal information requires informing the individual of such necessity
Topic |
Summary of relevant articles |
Definition of sensitive data |
Article 28 Race, religious belief, health, financial account, personal location tracking, and information of minors. |
Rules of processing of sensitive data |
Article 29 Specific consent shall be obtained from the individual, and written consent shall be obtained as provided by law or regulations. |
Article 30 Individuals shall be informed of the necessity and the impact on the individual of such processing. |
|
Article 31 The consent of a guardian shall be obtained for processing information of minors. |
|
Article 32 Where such processing is subject to relevant administrative licensing or any more stringent restriction, such provisions shall prevail. |
The PIPL specifies the prerequisites for the processing of sensitive personal information, stipulating that personal information processors may process sensitive personal information only when there is a "specified purpose" and "sufficient necessity" and there are "strict measures adopted for its protection". Under this provision, legal processors of sensitive personal information will be greatly reduced, and a large number of scenarios using facial information, such as facial recognition check-in/check-out and payment, are likely to lose legitimacy.
With regard to the concept of sensitive personal information, the PIPL clarifies its boundaries by integrating general description and open-ended listing, and catches all using miscellaneous provisions. Moreover, the PIPL explicitly includes "personal location tracking" into the scope of sensitive personal information, imposing great burden of proof for subject eligibility and necessity of processing on processors of personal location information.
In addition to informing of general matters, the processing of sensitive data requires informing of contents including the necessity of processing and possible adverse effects, and obtaining specific consent from the individual. Therefore, the common practice of presenting a pop-up window with a bunch of privacy clauses for authorization will lose legitimacy. Instead, the processor shall present a separate pop-up window for specific privacy authorization regarding the use of sensitive information, where the necessity and possible negative impact are clearly and thoroughly explained.
(6) Processing of personal information by State agencies shall comply with requirements on localization
Topic |
Summary of relevant articles |
Rules on processing of personal information by State agencies |
Article 34 The processing of personal information by any State agency shall be carried out in accordance with the authority and procedure prescribed, and shall not exceed the scope or limit necessary for the performance of its statutory duty. |
Article 35 A State agency to process personal information shall perform the obligation of informing, except where such informing will hinder the State agency from performing its statutory duty. |
|
Article 36 Personal information processed by a State agency shall be stored within the territory of the People's Republic of China; where it is necessary to provide such information to an overseas recipient, a security assessment shall be conducted. |
The requirements on localized processing of personal information and provision to an overseas recipient by State agencies are different from other scenarios. The PIPL only puts forward requirements on localization under two special circumstances rather than in general conditions, and stipulates that the personal information processed by "State agencies" as stipulated in this article. "Critical information infrastructure operators, or personal information processors whose processing of personal information reaches the threshold amount prescribed by national cyberspace authority" as stipulated in Article 40 shall be stored within the territory of China. Meanwhile, necessary provision of personal information to an overseas recipient is subject to a "security assessment", which is an extremely high requirement. From the perspective of legislative interpretation, the regulation reflects the hierarchical management strategy of "localization of high-risk subjects and scenarios + strict approval for overseas storage, non-localization of general subjects and scenarios + flexible approval for overseas storage", which is a balanced decision made by legislators between national data security and data resources utilization. In order to realize local storage of data, enterprises engaged in multinational services will need to incur tremendous costs with respect to server renovation and deployment. Therefore, it is necessary for the legislative authorities to provide further interpretation and addition to the concepts related to the execution subjects of data localization.
(7) Establish rules of cross-border provision of personal information
Topic |
Summary of relevant articles |
Rules of cross-border provision |
Article 38: Prerequisites: passing security assessment, obtaining relevant certifications, and entering into agreements with equivalent level of protection. |
Article 39 Processors shall inform the individual of the relevant information and obtain their consent. |
|
Article 40 Critical information infrastructure operators or qualified personal information processors shall store information within the territory of China; a security assessment is required where it is necessary to provide such information to an overseas recipient. |
|
Article 41 The need for judicial assistance shall be assessed. |
|
Article 43 Any country or region that takes any discriminatory prohibition, restriction, or any other such measure against the People's Republic of China in respect of personal information protection may be subject to reciprocal measures taken by the People's Republic of China depending on the actual situation. |
The core principle of cross-border transfer in the PIPL is of Chinese characteristics. In other data protection legislations, such as the GDPR, the core basis for cross-border transfer is "an equivalent level of protection". Both the exemption mechanisms (such as whitelists, adequacy decisions and BCR) and protocol architecture mechanisms (such as SCC) are designed to confirm or ensure that the recipient offers security mechanisms of personal information protection are equivalent to those of the processor, and aimsto prevent information leakage, misuse and other incidents. However, the core basis for the PIPL is "passing the security assessment and obtaining a certification". Both "passing the security assessment organized by national cyberspace authorities" and "obtaining a certification of personal information protection by a professional institution in accordance with the regulations of the national cyberspace authorities" are to ensure the substantive security offered by the recipient. While this provision is derived from China's strong regulatory compliance context, this substantive assessment on the recipients is more reliable and more effective in ensuring user information security than equivalent requirements of compliance environment. Moreover, in order to make up for the shortcomings of the assessment and certification system and accommodate the needs of business operations, the PIPL creates a more solid lawful basis by adding a standard agreement as one of the conditions.
Unlike cross-border transfer provisions in other countries, there are "no derogation provisions specified" in the PIPL. Most of other data protection legislations include derogation provisions for safeguards, such as "consent" and "necessary for the performance of the contract". Therefore, in the absence of appropriate safeguards, it is still possible to carry out a transfer with explicit consent from the individual if there are binding corporate rules. Under the PIPL, there are no derogations for cross-border transfers regardless of the lawful basis, so the transfer shall meet all corresponding preconditions, reflecting China's legislative principle of prioritizing national data security.
(8) Individuals have rights in activities of processing of their personal information
Topic |
Summary of relevant articles |
Rights of data subjects |
Article 44 Right to be informed, right to decide and right to restrict/deny |
Article 45 Right to access or copy |
|
Article 46 Right of correct or complete |
|
Article 47 Right to request deletion in case of purpose achieved, service ceased, consent withdrawn, or violation of any law or agreement. |
|
Article 48 Right to demand explanation. |
|
Article 49 Rights of the deceased. |
|
Article 50 The processors shall establish a mechanism for receiving and processing requests from individuals to exercise their rights. |
The PIPL clearly defines the rights of individuals in their information activities, and right types do not differ significantly from those in other countries' legislations. In particular, it emphasizes the obligation of information processors to delete information on their own initiative under specific conditions and the obligation to establish a mechanism for receiving and processing requests from individuals to exercise their rights. This part of legislation is clear, and therefore requires no further interpretation at the moment. It should be highlighted that the PIPL, keeping up with the trending topics of the industry, also provides protection for the rights of the deceased.
(9) Data processors shall fulfill various information protection obligations
Topic |
Summary of relevant articles |
Develop internal management system |
Article 51 management system + operating procedures + classification + encryption / de-identification + reasonable authorization + regular training + emergency plan |
Appoint a responsible officer |
Article 52 Personal information processors whose processing of personal information reaches the threshold amount shall appoint a responsible officer. |
Article 53 Personal information processors outside the territory of China shall appoint a representative within the territory of China. |
|
Regular compliance auditing |
Article 54 Processors shall organize compliance auditing on a regular basis. |
Risk assessment in advance |
Article 55 Processors shall conduct assessment under the following circumstances: processing of sensitive information, automated decision-making, contracted processing / provision to a third party, provision to an overseas recipient, and activities with significant impact. The assessment reports and processing records shall be retained for at least three years. |
Response to information leakage |
Article 57 Processors shall notify the individual of the cause and possible harm of the leakage, remedial measures taken by the processor, measures that can be taken by the individual and contact information of the processor. The processor may be allowed not to notify the individual if the processor can take measures to effectively avoid harm caused. |
The various obligations stipulated for personal information processors is another highlight of the PIPL. On the one hand, it builds the fundamental framework of personal information protection and empowers enterprises engaged in personal information processing, which is enlightening at the current stage when the awareness of personal information protection is rather insufficient in China. On the other hand, it clarifies specific legal standards and provides relatively clear measurement of legal liability and punishment.
First, Article 51 clearly stipulates the security obligations of processors. The internal management system requires processors to establish operating management procedures covering the whole data processing lifecycle. The personal information classification management system requires processors to examine and reorganize all of the personal information and develop classification standards in line with the internal business ecology of the enterprise according to the level of information sensitivity while consulting the Information Security Technology – Guidelines for the Category and Classification of Information Security Incidents. The reasonable security measures require processors to adopt corresponding security measures according to the classification.
Second, Article 52 stipulates that a personal information protection officer in charge of relevant matters shall be appointed by personal information processors who meet certain conditions. The specific threshold amount of information processing is subject to further interpretation or regulation.
Third, Article 54 specifies requirements for security auditing of activities performed by personal information processors.
Fourth, Article 55 and 56 stipulate the conditions and necessary contents of the risk assessment by processors, and specifically point out that the risk assessment reports and processing records shall be retained for at least three years, providing guidance for personal information processors on risk assessment in advance.
At last, Article 57 specifies the remedial and notification obligations of processors in case of leakage of personal information. In particular, it specifies situations where individuals may not be notified, i.e., where the processor can take measures to effectively avoid harm caused by the leakage. This alleviates the obligation of notification of the processor without compromising the rights of the individual.
(10) Clarify responsibilities of the platform
Topic |
Summary of relevant articles |
Main obligations |
Article 58 Establish a personal information protection compliance system, set up an independent body for supervision, develop platform rules, cease the provision of any service to parties committing serious violations, and publish social responsibility reports. |
Clear definition of the responsibility of platforms is another highlight of the PIPL. Internet platform service providers have a large user base and relatively large numbers of access points, operate under complex business scenarios, involve multiple subjects, and often face high risks regarding personal information protection. Meanwhile, they also play a regulating and guiding role for product service providers. Therefore, clear regulations of platform responsibility with special provisions can greatly facilitate risk control and education of product service providers. Moreover, it is necessary to further define the relevant standards of platform rules and compliance system of privacy protection for better implementation of the PIPL.
(11) Define diversified duty performance system of personal information protection
Topic |
Summary of relevant articles |
Responsible authorities |
Article 60 National cyberspace authorities + relevant authorities under the State Council or local governments |
Performance of Duties |
Article 63 Questioning and investigation, accessing and copying, on-site inspection and equipment check. |
Article 64 Authorities may conduct a talk with the legal representative or a head of the personal information processors for any considerable risk found. |
The PIPL clarifies the responsible authority system for personal information protection. Unlike the centralized regulation in most countries, China adopts an overall planning and coordination system for personal information protection regulation. While national cyberspace authorities serve as the general coordinator, the relevant authorities under the State Council are responsible for personal information protection and supervision within their statutory functions, demonstrating a balanced consideration of industry differences. The relevant authorities of local governments at the county level or above serve as the supervisor of specific implementation, and are responsible for personal information protection and supervision management, demonstrating a balanced consideration of local differences. The integrated supervision system combining industry supervision and local supervision will facilitate the thorough implementation of the PIPL.
(12) Clarify classification of legal liability
Topic |
Summary of relevant articles |
Legal liability |
Article 66 General violations: Processors in violation of the PIPL will be ordered to make corrections, confiscated of any illegal gains, given a warning; and if the required correction is not made, a fine of up to CNY1 million will be imposed on the violator; and any person in charge or any other individual directly liable for the violation will be fined between CNY 10,000 and CNY 100,000. Serious violations: Processors in serious violation of the PIPL will be ordered to make corrections and fined; and may also be ordered to suspend any related activity or to suspend business for rectification, and revoked of the related business permit or the business license. Any person in charge or any other individual directly liable for the violation will be fined. |
Article 67 Illegal activities shall be entered into credit files and disclosed to the public. |
|
Article 68 Responsibilities of relevant State agencies. |
|
Determination of liability |
Article 69 Personal information processors bear the presumption of fault; the liability for damages is determined within the limits of the losses incurred or the gains derived; damages that are difficult to be ascertained shall be determined by the Court. |
Public interest lawsuits |
Article 70 People's Procuratorate and related authorities may file public interest lawsuits. |
Administrative & criminal liability |
Article 71 Any violation of public security administration shall be subject to penalty under public security administration rules in accordance with the law; and any such violation that constitutes a criminal offense shall be investigated for criminal liability in accordance with the law. |
In terms of legal liability, the PIPL borrowed regulatory inspiration from the GDPR. By introducing heavy punishment, it significantly increases the cost of illegal activities for personal information processors. Moreover, the provisions of the PIPL have their unique features.
First, the PIPL develops diversified punishment measures for different levels of violations (including warning, correction order, confiscation of illegal gains, revocation of business license, fine, etc.), which facilitates reasonable and accurate punishment determination and converges with the punishments for violations under the existing context of commercial law and administrative law in China. The PIPL also distinguishes general violations from serious violations, which is consistent with the basic principle that legal liability shall correlate with the degree of harm committed.
Second, the PIPL specifies personal liabilities. Any person in charge or any other individual directly liable for the violation are subject to fines, which promotes the implementation of the PIPL with clear allocation of liabilities.
Third, the PIPL provides specific methods to determine tort liabilities. Considering the difficulty in producing proof for individuals in connection with personal information, it establishes the principle of presumption of fault to determine the liability for damages. If the information processors cannot prove that they are not at fault, they are liable for the damages.
At last, the PIPL includes personal information into the scope of public interest lawsuits, which greatly increases the litigation risk of processors.
With nearly 20 years of efforts, the PIPL, as the most important part of China's network data regulation system, has finally been promulgated for implementation. The PIPL has laid a solid foundation for the development of China's digital economy and established a fundamental system that matches the digital development of China as a digital powerhouse. Meanwhile, with the integrated development of regulatory system, citizen awareness and industry development, the establishment of system will further drive industry development and enhance citizen awareness, creating a healthy multi-dimensional ecosystem for the development of China's digital economy. Furthermore, the PIPL brings impact to the whole world. Adopting internationally accepted principles and systems for personal information protection, the PIPL integrates China's personal information protection rules into the global system of cross-border data transfer. It has also achieved a balanced integration of system innovation, security and development, contributing to the global cross-border data transfer system. We are expecting to see the PIPL plays a major role in the development of digital economy in both China and the world.
Authors
Frank Xiao
Deloitte China Risk Advisory
Partner, Cyber
Tel: +86 10 85125858
Email: frankxiao@deloitte.com.cn
Ruby Shen
Deloitte China Risk Advisory
Specialist, Data Protection and Privacy Compliance
Tel: +86 10 85125731
Email: rubshen@deloitte.com.cn
Recommendations
保障个人信息,规范数字化经济
个人信息保护法深度解读