China Privacy Law

Personal Information Protection Law - China

Overview and Scope

The China Personal Information Protection Law (PIPL) is the new data privacy law in China, targeted at personal information protection and addressing the problems with personal data leakage. The PIPL is not only applicable to organizations and individuals who process personally identifiable information (PII) in China, but also those who process data of China citizens' PII outside of China. 

Does it require providing a privacy notice?

Yes, PIPL requires providing data subjects a privacy notice. It must inform them about the following:

• The purpose and method of collecting / processing the data subjects’ Personal Identifiable Information (PII)

• The rights of data subjects that they could request to: inquire, access, edit, delete, restrict or refuse, withdraw consent, etc.

• The transfer of data subjects’ PII to Cloud Service Providers, any third parties processing the PII on behalf of the organization, or recipients outside of the country (i.e. Cross-border data transfer).

Does it require obtaining data subject consent?

Before collecting and processing data subjects’ PII, consent must be obtained from the data subjects for:

• Transferring data subject’s PII to Cloud Service Providers, any third parties processing the PII on behalf of the organization, or recipients outside of the country (i.e. Cross-border data transfer).

• Processing of PII of data subjects (e.g. analytics, internal data related assessments, potential job opportunities, etc.)

What are the categories of sensitive personal data?

Special categories of nformation are defined as that, once leaked or illegally used, may lead to personal discrimination or material harm to personal or property security, including race, ethnicity, religious beliefs, individual biometric features, medical health, financial accounts, individual location tracking and other information.

What exemptions, if any, are there for academic research?

For academic research, if data will be de-identified/anonymized, PIPL is unlikely to apply. If data is identified, a research contract may include components of PIPL compliance such as the privacy notice, consent and data subject rights.

Does it require a data protection impact assessment or other category of risk assessment?

Under Article 55 of the PIPL, a personal information handler must conduct a personal information protection impact assessment if it:

  • Handles sensitive personal information.

  • Uses personal information for automated decision-making.

  • Entrusts personal information handling, provides personal information to other personal information handlers, or discloses personal information.

  • Provides personal information abroad.

  • Engages in other personal information handling activities that have a "major influence" on individuals.

The personal information protection impact assessment shall determine:

  • Whether the personal information handling purpose and method are lawful, legitimate and necessary.

  • What is the influence of the information handling on individuals' rights and interests, and what are the security risks involved?

  • Whether the protective measures undertaken by the handler are legal, effective and appropriate given the risks.

Note: Handlers should preserve reports and status records generated through personal information protection impact assessments for at least three years.

Does it require appointing representative in China?

The data handler must appoint a local representative or entity to be responsible for data protection practices if the handler operates outside the PRC and falls within the extra-territorial reach of the PIPL. The handler must disclose the name and contact information of that representative or entity to the relevant enforcement authorities. 

How is it enforced?

Under the PIPL, the regulators in charge of the protection of personal information include the Cyberspace Administration of China (CAC), the relevant cyberspace administration at provincial level, relevant State Council departments, and relevant departments of local governments at county-level and higher. In practice, the public security authority (police) is in charge of practical enforcement, administrative penalties, and crimes relating to infringement of privacy.

What are the potential penalties?

In the case of a minor violation, authorities may impose:

  • An order requiring correction, confiscation of illegal gains, or provisional suspension or termination of improper practices.

  • A fine of up to CNY 1 million against wrongdoers who refuse to correct their behaviors.

  • A fine of between CNY 10,000 and CNY 100,000 against a directly responsible person. PIPL Art. 66.

In the case of a serious violation, provincial or higher-level authorities may impose:

  • An order requiring correction, confiscation of illegal gains, suspension or closure of the relevant business, or revocation of the business license.

  • A fine of up to CNY 50 million or 5% of the turnover in the previous year.

  • A fine of between CNY 100,000 and CNY 1 million against a directly responsible person.

  • A prohibition against directly responsible persons from holding senior management positions and roles for a certain period. PIPL Art. 66.

  • In both cases, such illegal acts will be included in credit records and be publicly disclosed. PIPL Art. 67.