China's GDPR: Personal Information Protection Law (PIPL)
Posted by Marc Füßlein, Last modified by Marc Füßlein on 04 July 2023 11:57
In response to the GDPR, the Personal Information Protection Law (中华人民共和国个人信息保护法), commonly abbreviated as PIPL, came into force in China in November 2021. The law builds on the Cybersecurity Law of the People's Republic of China as well as China's Data Security Law and specifies the legal framework for the collection and handling of personal data.
How does the PIPL define personal data?
Personal data is any information that can be used to identify a person and is stored in electronic or other form. It is not necessary for the information to be sufficient to identify a specific person. The law remains vague in its definition and, in contrast to the GDPR, does not give any specific examples such as email addresses and driver's licenses. Irrevocably anonymous data are exempt from the law.
In addition, the law defines sensitive personal data as data that could seriously jeopardize personal well-being and property, if it falls into the wrong hands. Biometric data, religion, disabilities, health, financial data and place of residence are given as examples. In addition, all personal data of minors under the age of 14 falls into this category.
Who is affected by the Personal Information Protection Law?
The focus of the PIPL is to protect the privacy and personal information of Chinese citizens. Consequently, the law is relevant for all companies in China that work with personal data.
Under certain conditions, the scope of the law extends beyond the national borders of China. If a company processes personal data of Chinese citizens, evaluates the behavior of Chinese citizens or offers products and services in China, the requirements of the law must also be complied with, even if the company is not based in China. In this case, the company is obliged to appoint a data protection officer in China and to communicate their contact information to the responsible authorities in China.
Important deviations from the GDPR
In many aspects, the law is based on the framework of the GDPR. However, there are certain differences that affected companies should be aware of.
As under the GDPR, the consent of the user is required for the collection and processing of personal data. This consent must be given explicitly and voluntarily, and the user must be informed about what their data is used for. The user must also be able to revoke their consent at any time. However, the PIPL defines the following exceptions in which personal data may be used without prior consent:
Unlike the GDPR, there is no exception for the processing of personal data on the basis of legitimate interest. The criteria for re-obtaining consent are also much stricter: if the purpose of use, the method of analysis or the categorization of the personal data changes, consent must be obtained again, and the person must be informed of the changes.
Transferring data to third parties
The regulations for the transfer of personal data to third parties are an important and very detailed part of the PIPL and have been further specified since it came into force. It is also crucial whether the data leaves the Chinese national borders when exported to a third party.
In principle, the user must give their explicit consent before their personal data is transferred to a third party. It must be disclosed who the third party is and what exactly the data is used for. At the same time, the website operator must ensure that the data is only used by the third party to the extent that the user has consented to.
If the data is sent to a third party outside of China, further rules must be observed. It must be ensured that the recipient of the data takes appropriate data protection precautions that at least meet all the legal requirements of the PIPL. The law lists three possible ways of doing this.
1. Security Audit
The procedure for a security audit by the "Cyberspace Administration of China" (CAC) was set out by the CAC in July 2022 in the "Measures for Security Assessment of Outbound Data Transfers" (数据出境安全评估办法). These stipulate that such a security audit is mandatory if the operator
If one of these conditions applies to the operator, the security audit is the only way to obtain approval for the transfer of personal data to a third party outside of China.
The first step of the security audit is a detailed self-assessment by the operator and the creation of an associated report, which is then submitted to the CAC. This examination must take into account the following aspects:
After completion of the self-assessment, the associated report and the relevant contractual documents between the operator and the third party must first be submitted to the provincial authority of the CAC. There the documents are checked within a few days and, if they are in order, passed on to the national level of the CAC. After checking the documents again, the CAC initiates a security audit within a few weeks.
If the results of this security audit are also positive, the operator receives permission to export personal data to the third party. This permit is valid for two years. For an extension, the steps of the security audit must be run through again. Likewise, the security audit must be repeated in advance if there are significant changes in connection with the export of the data to the third party.
2. Standard Contract
At first glance, the conclusion of a contract between the website operator and the third party that is to receive the personal data sounds relatively straightforward, especially since it is a standard document provided directly by the CAC. In February 2023, the CAC described the procedure for this in more detail in the "Measures for Standard Contracts for the Outbound Transfer of Personal Data" (个人信息出境标准合同办法). On closer inspection, the first impression is deceptive and there is much more complexity behind this option.
First of all, there are several requirements that the website operator must meet in order to be able to conclude such a standard contract at all. In many respects, these are the opposite of the conditions under which a security audit must be carried out. For the standard contract, the website operator
The associated contractual document is attached to the measures on standard contracts for the export of personal data published by the CAC and can be obtained online. As expected, the contract defines the rights and obligations of both parties with regard to the protection and processing of the personal data. Likewise, the rights of Chinese citizens whose data is processed are described and contact options that must be provided are specified.
However, some of the obligations that the third party must fulfill should be highlighted. The personal data may only be stored for the duration of the processing and must then be deleted. At the same time, the third party agrees that it will be supervised by the Chinese authorities, in particular the CAC, with regard to its obligations under the contract, that it must disclose relevant information to the authorities in China upon request, and that any legal disputes related to the contract will be resolved in China's courts.
However, the standard contract is not the only document required for this process. In addition, a data protection impact assessment must be carried out and a comprehensive report must be submitted to the authorities in China together with the contract document. As part of this impact assessment, specific company processes in which personal data is transmitted to a third party must be examined according to specified criteria. This includes, for example, the legal basis for processing the data and obtaining the necessary consent from the user.
It should also not be underestimated that the report expects an assessment of the data protection rules in the country of the third party with regard to the fulfillment of the standard contract. The data protection impact assessment therefore requires legal analysis by both parties, which is why the support of data protection experts or legal advice on both sides is recommended.
3. Data Protection Certification
Data protection certification is the third option mentioned in the PIPL for the legal transfer of personal data. The exact definition of this certification was specified in December 2022 by the Chinese authorities as part of the Implementation Rules for Personal Information Protection Certification (个人信息保护认证实施规则). These implementing rules are closely aligned with the Security Certification Specifications for Cross-Border Processing of Personal Information (个人信息跨境处理活动安全认证规范) and the Information Security Technology Personal Information Security Specifications (信息安全技术 个人信息安全规范).
The basic requirements of the data protection certification are identical to the standard contract. This means that the parties concerned
In the first version of the provisions on data protection certification, their application was implicitly only intended for affiliated companies, e.g. between the headquarters in Europe and a subsidiary in China. Meanwhile, the regulations have been further updated and with the second version, the data protection certification can be applied to any transfer of personal data across Chinese national borders.
In particular, the data protection certification is used for foreign companies that do not have a subsidiary or office in China, but evaluate data from Chinese citizens or offer corresponding services in China. In this case, the company can appoint a data protection officer in China, through whom the certification process can be carried out. Going forward, however, we will focus on data protection certification between a company in China and a third party outside of China.
When personal data is exchanged between a Chinese company and a foreign party, the privacy certification can be handled through the company in China, which takes responsibility for both parties. However, branch offices in China or representative offices of foreign (region) enterprises are explicitly excluded. In particular, the Chinese company must be under "normal operations" and have "good credit and reputation", although the criteria for this are not specified in more detail. In preparation for the certification process, there are three key points to be noted:
Once these preparations have been made, the certification process can be initiated with approved authorities in China. As of July 2023, the only authority that has been approved for data protection certification is the China Cybersecurity Review Technology and Certification Center (CCRC), which provides a corresponding online portal for the process. It is currently unclear whether there will be other authorities in the future that will be approved for data protection certification.
The application for data protection certification must include the following documents and information:
After the application has been submitted, the competent authority first carries out a technical analysis and verification before an on-site inspection takes place at the company in China. If this inspection is successful, the results will be processed further by the authorities and, in the best case, the certification will be issued, after which the authority will continue to supervise. The data protection certification is then valid for 3 years and must be renewed within the last 6 months. Due to the scope of the inspection and approval process, it can take several months between the application and the issuance of the certification.
After the data protection certification has been issued, the parties also receive a corresponding seal that proves the certification. This seal contains three pieces of information:
Which approach is recommended in practice?
Since the data protection regulations in China are still very young and there is no case law, it is still very difficult to assess the three processes mentioned above.
Of course, if your company meets one of the criteria under which a security audit is mandatory, you have no choice and must go through this process. The standard contract is similar in many respects to the Standard Contractual Clauses of the GDPR, but with one crucial difference: this contract has to be submitted to the authorities in China, while the Standard Contractual Clauses only have to be submitted to the competent authorities under the GDPR when a relevant situation arises in which these arrangements need to be scrutinized.
The data protection certification is also similar to the certification scheme and the Binding Corporate Rules of the GDPR. However, these procedures are almost never used in practice within the framework of the GDPR. Since the data protection certification is significantly more complex than the standard contract, the standard contract could turn out to be the preferred approach, similar to the standard contractual clauses.
For the data transfer between a Chinese and a European company, a conceivable option is currently that both the standard contract and the standard contractual clauses are concluded in order to cover both sides (GDPR and PIPL). The extent to which this proves itself in practice remains to be seen in the future.
If a company violates the provisions of the Personal Information Protection Law, fines of up to RMB 50 million (about US$ 7 million) or up to 5% of the company's annual turnover, as well as confiscation of all illegally generated turnover, are possible. In severe cases, the Chinese company license can be revoked or an entry in China's social credit system is possible, both for the Chinese company and for the responsible persons within the company. Those responsible can also be sentenced to between three and seven years in prison.
It is therefore important to note that penalties can be imposed not only on the company itself, but also on the people responsible. If a company is accused of violating the Chinese data protection law, the burden of proof is reversed. This means that the Chinese company has to prove that the data protection regulations have not been violated.