China Plans Implementation of New Personal Data Privacy Law

10.2021

Background & Overview

Organizations with data ties to China should closely consider their business risks and adapt their data privacy policies in light of a new law.  On August 20, 2021, China passed its most comprehensive data protection law yet, entitled Personal Information Protection Law (“PIPL”), which becomes effective on November 1, 2021. China has drafted the law to supersede international agreements addressing the same issues.

PIPL governs the storing, transferring, and processing of personal information by entities or individuals within and outside of China.  For foreign organizations, PIPL applies when (1) offering goods or services to individuals in China, (2) analyzing and evaluating the behavior of individuals in China, and (3) other circumstances provided in Chinese laws or regulations (Article 3, PIPL).

U.S.-based companies should analyze four major issues when considering how PIPL may affect their business practices: (1) the legal basis for processing personal information, (2) sensitive personal information, (3) automated targeting activities, and (4) cross-border data transfers.

1. Legal Basis for Processing Personal Information

PIPL outlines a total of eight circumstances for the processing of personal information.  The definition of personal information is quite broad to include any information recorded by electronic or other means related to identified or identifiable natural persons. Organizations or companies may process personal information by: 

1. Obtaining the individual’s consent;
2. Fulfilling a contract in which the data subject is a party;
3. Conducting human resource management activities as required by law or contracts;
4. Fulfilling statutory obligations;
5. Responding to public health or security incidents;
6. Reporting news, providing supervision of public opinion, or conducting other activities in the public interest;
7. Using personal information lawfully disclosed by the individuals themselves; or
8. Abiding by the requirements of other laws or regulations (Article 13, PIPL).

PIPL provides no “legitimate interest” exemption as is found in the GDPR.  Compared to other jurisdictions’ data privacy laws, PIPL’s notice and consent requirements are more demanding. They require that the data subject have “full knowledge” and provide a “voluntary and explicit statement” indicating consent (Article 14, PIPL).  Pending regulations should further clarify the meaning of these requirements. 

2. Sensitive Personal Information

Unlike other data protection laws in China (the Civil Code, the Data Security Law, and E-Commerce Law), PIPL clearly defines sensitive personal information to include: biometric characteristics, religious beliefs, medical health, financial accounts, and the personal information of minors under the age of 14 (Article 29, PIPL). In addition to these categories, PIPL expands the definition to include information that may easily cause harm to a natural persons’ dignity or grave harm to their personal property or security if ever leaked or illegally used (Article 29, PIPL).

3. Automated Targeting Activities

PIPL defines “automated decision-making” as “the activity of using computer programs to automatically analyze or assess personal behaviors, habits, interests, or hobbies, or financial, health, credit, or other status, and make decisions [based thereupon]” (Article 73, PIPL).  Under PIPL, organizations will need to take greater precautions in targeting and marketing to people based on such individual characteristics.  Organizations must provide individuals with a “convenient method to refuse” any automated targeting activities (Article 24, PIPL).

4. Cross-Border Data Transfers

PIPL explicitly permits cross-border transfers of personal information for international agreements or treaties that are approved or acceded to by China. The law requires cross-border data transfers to meet at least one of the following conditions:

1. Pass a security assessment by the Cyberspace Administration of China (CAC);
2. Receive a personal information protection certification by the CAC;
3. Form a valid contract with the foreign data receiver following the CAC’s standard contract; or
4. Other conditions provided by laws or regulations.

A high degree of ambiguity remains for cross-border data transfers, until regulatory authorities in China offer greater clarification (Article 38, PIPL).

Summary

The obligations for companies under PIPL are significant and far-reaching. PIPL provides a framework setting out overall principles and general responsibilities. In PIPL’s wake, CAC will issue regulations, and other regulatory agencies will issue technical standards and enforcement updates. Kirton McConkie has the expertise to help you navigate this evolving landscape. Please let us know if you have any questions or concerns by reaching out to: 

Lee Wright | lwright@kmclaw.com

Chad Grange | cgrange@kmclaw.com

Yangzi Jin | yjin@kmclaw.com

Robert Snyder | rsnyder@kmclaw.com