On November 1, 2021, China’s new comprehensive privacy law, the Personal Information Protection Law (official English translation) (“PIPL”), came into effect. Officially adopted on August 20, 2021 by the Standing Committee of the National People’s Congress of China, the PIPL is a key pillar of an emerging framework of privacy regulation in the People’s Republic of China, which already includes the Data Security Law (official English translation) and the Cybersecurity Law (Chinese, Simplified). For Canadian companies and other organizations that do business in China or with residents of China, the PIPL is likely to have significant implications for global data protection and information management practices for years to come.
International Scope and Application
The PIPL governs the private and public sector processing of personal information of “natural persons” within China (Art. 3), with personal information defined as “various information related to an identified or identifiable natural person recorded electronically or by other means”, excluding anonymized information (Art. 4).
The PIPL applies extraterritorially where the personal information of natural persons within China is processed outside of China for the purpose of: (1) providing products or services to natural persons in China; (2) analyzing and evaluating the conduct of natural persons in the territory; or (3) other circumstances as prescribed by laws and administrative regulations (Art. 3).
Key Rights and Requirements
The primary basis for processing personal information of an individual under the PIPL is consent that is “voluntary, explicit, and fully informed” (Arts. 13 and 14). Where individual consent has not been obtained, personal information may nonetheless be processed on one of the following grounds:
- as necessary to conclude or perform a contract the individual is party to, or for human resources management;
- as necessary for performing statutory duties or obligations;
- as necessary for responding to a public health emergency or protecting life, health, and property of natural persons under emergency conditions;
- as reasonable to carry out activities for the public interest, including news reporting and public opinion supervision;
- as reasonable to process already lawfully disclosed personal information in accordance with the PIPL; and
- other circumstances as prescribed by laws and administrative regulations (Art. 13).
However, the individual’s separate consent is specifically required for several types of activities, including:
- transferring personal information to other processors (Art. 23);
- processing personal information that is deemed sensitive (Art. 29);
- processing the personal information of minors under the age of 14, which requires the consent of a parent or other guardian (Art. 31); and
- transferring personal information beyond China’s borders (Art. 39).
Individual Personal Information Rights
Notice of Processing: Before processing personal information, processors must notify individuals of the following information (Art. 17), except where other laws or administrative regulations require the processor to preserve confidentiality or permit otherwise, or emergency circumstances justify later notification (Art. 18):
- the name and contact details of the personal information processors;
- the purpose and methods of processing, the categories of personal information being processed, and the retention period;
- the methods and procedure to exercise individual rights under the PIPL; and
- other information prescribed by laws or administrative regulations (Art. 17).
Where any of the above information changes, the individual must be notified of the change (Art. 17), and their consent must be re-obtained if the change was with respect to the purpose or method of processing, or the categories of personal information being processed (Art. 14).
Processing Rights: Under the PIPL, individuals also have a broad range of rights related to how their personal information is processed, including the following:
- to withdraw consent (Art. 15), and to not be refused products or services on this basis unless the processing of personal information is necessary for the product or service (Art. 16);
- to know, decide, limit, and refuse the processing of their personal information (Art. 44);
- to access and copy their personal information, and to have the processor facilitate the transfer of their personal information to another processor upon request (Art. 45);
- to have their personal information corrected, completed, or supplemented upon request (Art. 46);
- to have their personal information deleted upon request or proactively in certain circumstances, including withdrawal of consent or fulfilment of the processing purpose (Art. 47);
- to request that processors explain their rules for processing personal information (Art. 48).
Processors must establish mechanisms to accept and review applications from individuals to exercise their rights, and must provide reasons for rejecting these requests (Art. 50).
Foreign Transfers and Data Residency
Foreign Transfer of Personal Information: Processors may only transfer personal information outside of China where necessary for business or other needs and where the transfer meets one of the following conditions:
- passing a security assessment organized by the Cyberspace Administration of China (“CAC”);
- obtaining personal information protection certification by a state-approved body;
- entering a contract with the foreign receiver of personal information in accordance with a standard contract formulated by the CAC; or
- other conditions prescribed by laws, administrative regulations, or a state-approved body (Art. 38).
The processor transferring the personal information outside of China must obtain the individual’s consent for the transfer, as well as notify the individual regarding: 1) the name and contact information of the foreign receiver; 2) the purpose and method of processing; 3) the category of personal information being processed; and 4) the procedures for individuals to exercise their rights under the PIPL with respect to the foreign receiver (Art. 39).
Data Residency: Operators of critical information infrastructure and processors of a prescribed amount of personal information are required to domestically store personal information that was collected and produced within the borders of China, and if necessary to transfer such information outside of China, must submit to a security assessment (Art. 40).
The draft guidelines published by the CAC (Chinese (Simplified)) for public comment on October 29, 2021 indicate, among other things, that the transfer security assessment requirement may apply to transfers of personal information of more than 100,000 individuals, transfers of sensitive personal information of more than 10,000 individuals, transfers by data processors who processed the personal information of more than one million individuals, and transfers in other circumstances to be determined.
Personal Information Breaches
Where personal information has been breached, tampered with, or lost, or where this may have occurred, the processors must immediately implement remedial measures and notify the affected individuals as well as designated government departments responsible for personal information protection (“Departments”). Notification may not be required where the processor has taken measures to effectively avoid any harm created by the breach, unless the Departments require otherwise (Art. 57).
Notification must include the following information: (1) the affected categories of personal information, the potential harms caused by the actual or potential breach, tampering, or loss of personal information, and its causes; (2) the remedial measures taken and the measures that the individual may take to mitigate harm; and (3) the contact information of the processor (Art. 57).
Enforcement and Penalties
The Departments have broad investigatory authority, including the ability to review and copy documents related to personal information processing, conduct on-site inspections, and seal or confiscate equipment and other items relevant to personal information processing based on evidence of unlawful processing activities (Art. 63).
Processors who violate the PIPL or otherwise fail to fulfill their personal information protection obligations under the PIPL may be subject to various penalties, including correction orders, the confiscation of unlawful income, the suspension or termination of the processor's activities involving unlawful processing, the cancellation of business licenses, the prohibition of individual personnel from holding senior or managerial positions, individual fines of up to one million RMB (approx. C$200,000), and organizational fines of up to fifty million RMB (approx. C$10-million) or 5% of annual revenue based on the preceding year (Art. 66). Unlawful acts under the PIPL are also subject to being publicized in China (Art. 67).
Key Compliance Provisions
The PIPL imposes a number of specific operational requirements on processors of personal information, including the following measures (Art. 51):
- developing internal management systems and operating procedures;
- implementing a categorization system for personal information;
- implementing technical security measures, such as encryption and de-identification;
- determining reasonable operational restrictions on the processing of personal information, and providing regular security training and education for employees;
- developing and organizing the implementation of emergency plans for personal information security incidents;
- performing regular compliance audits (Art. 54); and
- other measures prescribed by laws or administrative regulations.
Protection Impact Assessments
Processors are required to conduct and create a record of a personal information protection impact assessment prior to engaging in the following activities involving personal information (Art. 55):
- processing sensitive personal information;
- using personal information for automated decision-making;
- entrusting processing to a third party, providing personal information to other processors, or disclosing personal information;
- transferring personal information abroad; or
- other processing activities with a major influence on individuals.
Data Protection Officers
Processors that process a prescribed quantity of personal information set by the CAC must designate Data Protection Officers responsible for personal information protection and for supervising the processing activities and the protective measures taken. The processor must provide the name and contact information of these Data Protection Officers to the Departments (Art. 52). Similarly, a processor based outside of China that is subject to the PIPL under its extraterritorial scope (for example, because it provides products or services to, or analyzes and evaluates the conduct of, natural persons in China) must designate a representative or establish a dedicated entity within China to be responsible for personal information processing, and must report their name and contact information to the Departments (Art. 53).
Takeaways for Canadian Businesses and Organizations
For Canadian businesses and organizations carrying on business in China or processing the personal information of individuals in China, it is essential to carefully review the PIPL and determine its application to their operations. Although there are substantive similarities between the PIPL and Canadian privacy laws, there are a number of key differences and additional requirements that will require changes in data protection and information management frameworks. Entities that could be subject to the PIPL should consult with People’s Republic of China-qualified legal counsel to ensure overall compliance and, where applicable, audit their existing policies and practices for compliance gaps.
A number of prescribed regulations by the CAC and other state entities still need to be formulated to clarify key requirements, including the rules around transferring personal information outside of China. However, the coming into force of the PIPL represents a significant development in global privacy regulation. As Canada engages in its own privacy law modernization at the federal and provincial level, the PIPL may come to serve as a point of reference and influence as governments in Canada determine how domestic privacy laws should align with global standards.