On 20 August 2021, the 13th National People's Congress of the People's Republic of China ("PRC") passed the Personal Information Protection Law (中华人民共和国个人信息保护法) ("PIPL"), which will take effect on 1 November 2021. The PIPL is the first dedicated national law on the regulation and protection of personal data in China. It introduces several important new rules that will have a significant impact on how personal information processors ("PIPs") may handle and process "Personal Information", defined in the PIPL as all kinds of information related to identified or identifiable natural persons that is electronically or otherwise recorded, but excluding information which has been anonymised. For a detailed analysis of the PIPL, please see our client update here.
Extension of Bases for Data Processing
In the past, the data subject's consent was the sole basis for the collection and processing of personal data. For the first time, the PIPL extends this to include other lawful bases, such as when it is necessary to:
- conclude and perform a contract;
- perform lawful duties or obligations;
- respond to public health incidents; or
- protect the lives, health, and property of natural persons in an emergency.
Expansion of Extraterritoriality
The extraterritorial power of the PIPL has been expanded to be greater than that of the PRC Data Security Law, which targets data processing activities outside China that harm China's national security or public interest or the lawful rights of its citizens and organisations. The PIPL is applicable to Personal Information processing activities outside the territory of the PRC, if such activities relate to (i) the provision of goods or services to natural persons within the territory of the PRC; or (ii) the analysis and evaluation of the behaviour of natural persons within the territory of the PRC. It also contains a catch-all provision that permits the Chinese government to include other situations provided for by other PRC laws or administrative regulations.
Requirements for Cross-border Transfer of Personal Information
The PIPL imposes some conditions on the cross-border transfer of Personal Information. PIPs will need to fulfil at least one of the following conditions before transferring the Personal Information out of China:
- Passing a safety assessment by the national cyberspace authority;
- Obtaining personal information protection accreditation from a professional agency appointed by the national cyberspace authority; or
- Entering into a contract with the overseas recipient in a standard form formulated by the national cyberspace authority.
The PIPL contains a catch-all provision to permit the Chinese government to impose other conditions provided for under laws and regulations, or those set by the national cyberspace administration authority.
Appointment of a Person in Charge of Personal Information Protection ("DPOs") by Overseas PIPs
Overseas PIPs who are subject to the PIPL must establish a special institution or appoint representatives within the PRC for handling matters relating to the protection of personal information and report the name and contact details of such institution or representative to the relevant authorities. As the PIPL has not come into effect and this requirement is new, stakeholders await further clarifications from the authority as to the detailed requirements and procedures in this respect.