China: Major new law passed on protection of personal information

Employer Action Code: Act

The comprehensive Personal Information Protection Law (PIPL), which takes effect on November 1, 2021, includes many new provisions on the handling of personal information (PI) and gives formal legal effect to various existing draft regulations and guidelines. While the PIPL has some similarities to the European Union’s General Data Protection Regulation (GDPR), it is an integral part of China’s active legislation agenda on data security, which includes the Cybersecurity Law (CSL) effective June 2017 and the Data Security Law effective September 1, 2021, focusing on data security relating to national security and the public interest.

Key details

The PIPL’s provisions are complex and wide-ranging. In general, key points include:

• Data controllers (which include employers) are subject to new duties, including the appointment of a data protection officer and the establishment of data processing contracts with recipients if PI is transferred outside of China.
• The PIPL greatly expands the legal bases for the processing of PI, from the data subject’s simple consent to other legal bases where the data subject’s consent is not required, including contractual or legal necessity for human resource purposes, compliance with legal responsibilities, processing of PI that is already publicly available, for the purposes of news reporting and public opinion monitoring (in the public interest), and in response to public health emergencies.
• The PIPL clarifies those situations where consent of data subjects is required (including how consent is defined, withdrawn or subject to separate consent requirements). These include sharing PI with third parties or other parties outside of China, the processing of “sensitive” PI, public disclosure of PI and gathering PI via devices installed in public places for purposes other than for public security. Sensitive PI is defined as information that could result in discrimination or harm to the person or his or her property, including (among other things) information on race, ethnicity, religious beliefs, health, finances and physical location.
• The requirement that PI be stored on servers located in China (initially applicable to companies certified as critical infrastructure operators under the CSL) has been extended to include companies that process PI in an amount beyond a threshold yet to be specified by the Cyberspace Administration (CA). Companies not subject to this requirement must, in addition to data subjects’ consent, obtain PI protection certification or use a standard CA contract signed by the recipient before PI may be transferred outside of China.
• The PIPL states that it is applicable outside of China with regard to companies that handle PI collected in China. Foreign companies that violate the PI privacy rights of Chinese citizens (or that harm China’s national security or public interests) may be placed on a blacklist and restricted or barred from receiving PI.
• Penalties for noncompliance may include fines of up to 50 million yuan (US$7.4 million) or 5% of revenue in the prior year, as well as revocation of the company’s business license. Individuals directly responsible may be fined up to 1 million yuan and be temporarily barred from serving in certain roles.

Employer implications

Though the provisions of the PIPL have some similarities to those of the GDPR (which has become the de facto model for data privacy regimes around the world, due in large part to the size of the EU market and the GDPR’s global reach), differences with the GDPR are substantive; any company doing business in China should conduct close legal and procedural analyses of the PIPL. Employers — in and outside of China — that handle PI of persons covered by the new data privacy regime should work with their legal counsel to ensure understanding of and compliance with the new rules.