China's GDPR: Personal Information Protection Law (PIPL)

Posted by Marc Füßlein, Last modified by Marc Füßlein on 07 March 2024 17:06

In response to the GDPR, the Personal Information Protection Law (中华人民共和国个人信息保护法), commonly abbreviated as PIPL, came into force in China in November 2021. The law builds on the Cybersecurity Law of the People's Republic of China as well as China's Data Security Law and specifies the legal framework for the collection and handling of personal data.

How does the PIPL define personal data?

Personal data is any information that can be used to identify a person and is stored in electronic or other form. It is not necessary for the information to be sufficient to identify a specific person. The law remains vague in its definition and, in contrast to the GDPR, does not give any specific examples such as email addresses and driver's licenses. Irrevocably anonymous data are exempt from the law.

In addition, the law defines sensitive personal data as data that could seriously jeopardize personal well-being and property, if it falls into the wrong hands. Biometric data, religion, disabilities, health, financial data and place of residence are given as examples. In addition, all personal data of minors under the age of 14 falls into this category.

Who is affected by the Personal Information Protection Law?

The focus of the PIPL is to protect the privacy and personal information of Chinese citizens. Consequently, the law is relevant for all companies in China that work with personal data.

Under certain conditions, the scope of the law extends beyond the national borders of China. If a company processes personal data of Chinese citizens, evaluates the behavior of Chinese citizens or offers products and services in China, the requirements of the law must also be complied with, even if the company is not based in China. In this case, the company is obliged to appoint a data protection officer in China and to communicate their contact information to the responsible authorities in China.

Important deviations from the GDPR

In many aspects, the law is based on the framework of the GDPR. However, there are certain differences that affected companies should be aware of.

Consent

As under the GDPR, the consent of the user is required for the collection and processing of personal data. This consent must be given explicitly and voluntarily, and the user must be informed about what their data is used for. The user must also be able to revoke their consent at any time. However, the PIPL defines the following exceptions in which personal data may be used without prior consent:

  • Fulfillment of contractual or legal obligations
  • In emergencies, to protect the health or life of a person or to protect property
  • To an appropriate extent for news reporting that is in the public interest
  • When processing personal data that has already been obtained legally or was provided voluntarily

However, there is no exception for the processing of personal data on the basis of legitimate interest. The criteria for re-obtaining consent are also much stricter: if the purpose of use, the method of analysis or the categorization of the personal data changes, consent must be obtained again, and the person must be informed of the changes.

Transferring data to third parties

The regulations for the transfer of personal data to third parties are an important and very detailed part of the PIPL and have been further specified since it came into force. It is also crucial whether the data leaves the Chinese national borders when exported to a third party.

In principle, the user must give their explicit consent before their personal data is transferred to a third party. It must be disclosed who the third party is and what exactly the data is used for. At the same time, the website operator must ensure that the data is only used by the third party to the extent that the user has consented to.

If the data is sent to a third party outside of China, further rules must be observed. It must be ensured that the recipient of the data takes appropriate data protection precautions that at least meet all the legal requirements of the PIPL. The law lists three possible ways of doing this.

1. Security Audit

The procedure for a security audit by the Cyberspace Administration of China (CAC) was defined by the CAC in July 2022 in the "Measures for Security Assessment of Outbound Data Transfers" (数据出境安全评估办法). These stipulate that such a security audit is mandatory if the operator

  • passes on important data, as defined in the Data Security Law, to the third party,
  • falls into the category of critical information infrastructure as defined in the Cybersecurity Law,
  • processes the personal data of more than 1,000,000 people (without a time limit),
  • or has transferred personal data of more than 100,000 persons or sensitive personal data of more than 10,000 persons to third parties outside of China in the last calendar year.

If one of these conditions applies to the operator, the security audit is the only way to obtain approval for the transfer of personal data to a third party outside of China.

The first step of the security audit is a detailed self-assessment by the operator and the creation of an associated report, which is then submitted to the CAC. This examination must take into account the following aspects:

  • An assessment of the need for the transfer of personal data to a third party outside of China, as well as its legality and legitimacy.
  • The manner in which the data will be processed by the third party.
  • Information about the data that is transmitted to the third party, including its volume and sensitivity.
  • The measures taken by the third party to secure the data.
  • Conducting a Privacy Impact Assessment.
  • Definitions of different channels through which data subjects can exercise their rights in relation to their own data.
  • An assessment of the contractual arrangements between the operator and the third party with regard to the processing of personal data.

After completion of the self-assessment, the associated report and the relevant contractual documents between the operator and the third party must first be submitted to the provincial authority of the CAC. There the documents are checked within a few days and, if they are in order, passed on to the national level of the CAC. After checking the documents again, the CAC initiates a security audit within a few weeks.

If the results of this security audit are also positive, the operator receives permission to export personal data to the third party. This permit is valid for two years. For an extension, the steps of the security audit must be run through again. Likewise, the security audit must be repeated in advance if there are significant changes in connection with the export of the data to the third party.

2. Standard Contract

At first glance, the conclusion of a contract between the website operator and the third party that is to receive the personal data sounds relatively straightforward - especially since it is a standard document provided directly by the CAC. In February 2023, the CAC described the procedure for this in more detail in the "Measures for Standard Contracts for the Outbound Transfer of Personal Data" (个人信息出境标准合同办法). On closer inspection, the first impression is deceptive and there is much more complexity behind this option.

First of all, there are several requirements that the website operator must meet in order to be able to conclude such a standard contract at all. In many respects, these are the opposite of the conditions under which a security audit must be carried out. For the standard contract, the website operator

  • must not fall into the category of critical information infrastructure as defined in the Cybersecurity Law,
  • must process the personal data of fewer than 1,000,000 people,
  • and must not have transferred personal data of 100,000 or more individuals or sensitive personal data of 10,000 or more individuals to third parties outside of China in the last calendar year.

The associated contractual document is attached to the measures on standard contracts for the export of personal data published by the CAC and can be obtained online. As expected, the contract defines the rights and obligations of both parties with regard to the protection and processing of the personal data. Likewise, the rights of Chinese citizens whose data is processed are described and contact options that must be provided are specified.

However, some of the obligations that the third party must fulfill should be highlighted. The personal data may only be stored for the duration of the processing and must then be deleted. At the same time, the third party agrees that it will be supervised by the Chinese authorities, in particular the CAC, with regard to its obligations under the contract, must disclose relevant information to the authorities in China upon request, and must settle any legal disputes related to the contract in Chinese courts.

However, the standard contract is not the only document required for this process. In addition, a data protection impact assessment must be carried out and a comprehensive report must be submitted to the authorities in China together with the contract document. As part of this impact assessment, specific company processes in which personal data is transmitted to a third party must be examined according to specified criteria. This includes, for example, the legal basis for processing the data and obtaining the necessary consent from the user.

It should also not be underestimated that the report expects an assessment of the data protection rules in the country of the third party with regard to the fulfillment of the standard contract. The data protection impact assessment therefore requires legal analysis by both parties, which is why the support of data protection experts or legal advice on both sides is recommended.

3. Data Protection Certification

Data protection certification is the third option mentioned in the PIPL for the legal transfer of personal data. The exact definition of this certification was specified in December 2022 by the Chinese authorities as part of the Implementation Rules for Personal Information Protection Certification (个人信息保护认证实施规则). These implementing rules are closely aligned with the Security Certification Specifications for Cross-Border Processing of Personal Information (个人信息跨境处理活动安全认证规范) and the Information Security Technology - Personal Information Security Specifications (信息安全技术 个人信息安全规范).

The basic requirements of the data protection certification are identical to the standard contract. This means that the parties concerned

  • must not fall into the category of critical information infrastructure as defined in the Cybersecurity Law,
  • must process the personal data of fewer than 1,000,000 people,
  • and must not have transferred personal data of 100,000 or more individuals or sensitive personal data of 10,000 or more individuals to third parties outside of China in the last calendar year.

In the first version of the provisions on data protection certification, their application was implicitly only intended for affiliated companies, e.g. between the headquarters in Europe and a subsidiary in China. Meanwhile, the regulations have been further updated and with the second version, the data protection certification can be applied to any transfer of personal data across Chinese national borders.

In particular, the data protection certification is used for foreign companies that do not have a subsidiary or office in China, but evaluate data from Chinese citizens or offer corresponding services in China. In this case, the company can appoint a data protection officer in China, through whom the certification process can be carried out. Going forward, however, we will focus on data protection certification between a company in China and a third party outside of China.

When personal data is exchanged between a Chinese company and a foreign party, the data protection certification can be handled through the company in China, which takes responsibility for both parties. However, branch offices in China or representative offices of foreign (region) enterprises are explicitly excluded. In particular, the Chinese company must be under "normal operations" and have "good credit and reputation", although the criteria for this are not specified in more detail. In preparation for the certification process, there are three key points to be noted:

  • A contract must be drawn up between both parties, which describes the necessity of the data transfer and defines various rights and obligations of the parties and the data subjects whose data is transferred and processed. The scope is similar to the self-assessment as part of the security audit.
  • Both parties must appoint a data protection officer and set up their own data protection department. This is a crucial difference from the analogous certification processes under the GDPR, which only requires such a department above certain thresholds.
  • A data protection impact assessment must be carried out.

Once these preparations have been made, the certification process can be initiated with approved authorities in China. As of July 2023, the only authority that has been approved for data protection certification is the China Cybersecurity Review Technology and Certification Center (CCRC), which provides a corresponding online portal for the process. It is currently unclear whether there will be other authorities in the future that will be approved for data protection certification.

The application for data protection certification must include the following documents and information:

  • A business license or business certification from both parties
  • The above mentioned contract between both parties and the data protection impact assessment
  • An organizational chart of both parties, describing the function of all departments
  • A completed self-assessment form, the format of which has not yet been specified
  • An explanation of the planned data transfer and the type and categorization of the data
  • Evidence that neither party has had a data breach in the past 12 months

After the application has been submitted, the competent authority first carries out a technical analysis and verification before an on-site inspection takes place at the company in China. If this inspection is successful, the results are processed further by the authorities and, in the best case, the certification is issued, after which the authority continues to supervise the parties. The data protection certification is then valid for 3 years and must be renewed within the last 6 months of its validity. Due to the scope of the inspection and approval process, it can take several months between the application and the issuance of the certification.

After the data protection certification has been issued, the parties also receive a corresponding seal that proves the certification. This seal contains three pieces of information:

  • PIP: Stands for "Personal Information Processor" and indicates that it is a certified processor of personal data.
  • CB: Stands for "Cross Border" and specifies that the certification covers the transfer of personal data beyond Chinese national borders.
  • ABCD: Placeholder for the abbreviation of the Chinese authority that issued the certification. As of July 2023, this is exclusively the China Cybersecurity Review Technology and Certification Center (CCRC).

Which approach is recommended in practice?

Since the data protection regulations in China are still very young and there is no case law, it is still very difficult to assess the three processes mentioned above.

Of course, if your company meets one of the criteria under which a security audit is mandatory, you have no choice and must go through this process. The standard contract is similar in many respects to the Standard Contractual Clauses of the GDPR, but with the crucial difference that this contract has to be submitted to the authorities in China, whereas under the GDPR the Standard Contractual Clauses only have to be submitted to the competent authorities when a situation arises in which these arrangements need to be scrutinized.

The data protection certification is also similar to the certification scheme and the Binding Corporate Rules of the GDPR. However, these procedures are almost never used in practice within the framework of the GDPR. Since the data protection certification is significantly more complex than the standard contract, the standard contract could turn out to be the preferred approach, similar to the standard contractual clauses.

For the data transfer between a Chinese and a European company, a conceivable option is currently that both the standard contract and the standard contractual clauses are concluded in order to cover both sides (GDPR and PIPL). The extent to which this proves itself in practice remains to be seen in the future.

Planned easing of the rules for the transfer of personal data

With the definition of the Standard Contract in February 2023, the last pillar of the PIPL was created and the data protection regulations came into full force on June 1, 2023, with a period of 6 months being allowed to go through one of the three processes. But at the end of September 2023, before this deadline had expired, the Cyberspace Administration of China (CAC) published a new draft that aims to soften the rules again and create exceptions.

The Provisions on Regulating and Promoting Cross-border Data Flows (规范和促进数据跨境流动规定) are currently still in the draft stage. If they come into force in their current form, the exceptions defined therein would offer great relief for many international companies with locations in China. Companies that transfer personal data of fewer than 10,000 Chinese citizens abroad per year would be exempt from the three data protection procedures described above. The user would simply have to be informed that their data will be transferred abroad and their explicit consent would have to be obtained.

The draft also stipulates that the various free trade zones in China can create further exceptions, although it is not defined whether these necessarily have to be relaxations or whether the free trade zones could tighten the rules again. However, it can be assumed that the rules in free trade zones will be relaxed even further.

In their current form, data protection regulations in China represent a major hurdle for international companies. The fact that China is already considering easing them is a positive development and should make it much easier for many international companies to comply with data protection laws.

Fines

If a company violates the provisions of the Personal Information Protection Law, fines of up to RMB 50 million (about US$ 7 million) or up to 5% of the company's annual turnover, as well as confiscation of all illegally generated turnover, are possible. In severe cases, the Chinese business license can be revoked or an entry in China's social credit system can be made - both for the Chinese company and for the responsible persons within the company. Those responsible can also be sentenced to between three and seven years in prison.

It is therefore important to note that penalties can be imposed not only on the company itself, but also on the people responsible. If a company is accused of violating the Chinese data protection law, the burden of proof is reversed: the Chinese company has to prove that data protection regulations have not been violated.


Unsure how China's Personal Data Protection Law affects you?

With several years of experience in hosting a wide variety of websites, web shops and web applications, including booking platforms or online expos, in China, weber.cloud China will be happy to help you with your questions. Our experts will be happy to advise you on operating your website in China and all related topics. If you have more in-depth legal questions, we can also put you in touch with our English-speaking partner lawyers in China.

Sounds exciting? Simply get in touch with us.


The contents of this article have been compiled with the greatest possible care and to the best of our knowledge. However, weber.digital GmbH does not assume any liability for the topicality, correctness, completeness or quality of the information provided. Any liability for damages arising directly or indirectly from the use of our knowledgebase is excluded, unless caused by intent or gross negligence.

Our knowledgebase contains external links to other websites over whose content we have no influence. For this reason, weber.digital GmbH cannot accept any liability for these contents. The respective provider of the linked website is responsible for the content and correctness of the information provided. At the time of linking, no legal violations were recognizable. If such an infringement becomes known, the link will be removed immediately.
