China’s Personal Data Protection Law (PDPL)
The first draft of the PDPL was unveiled in October 2020. Resembling GDPR, it upgraded China’s CyberSecurity Law with a focus on offshore data privacy and protection rules and regulations. The draft contains various data protection principles, stressing transparency, fairness, purpose limitation, data minimization, limited retention, data accuracy, and accountability.
Personal Information Protection Law (PIPL)
Although China had two laws in place, with regard to data protection—the CyberSecurity Law and the Data Protection Law—in November 2021 the country passed the Personal Information Protection Law (PIPL) designed to regulate online data and protect personal information. PIPL draws inspiration from the European Union’s General Data Protection Regulation (GDPR) and is enforced and administered by the Cyberspace Administration of China and relevant state and local government departments. The framework consists of 8 chapters and more than 70 articles. It levies heavy penalties of either $7.7 million or 5% of the previous year’s global profit. The legislation is applicable to all types of business activities relating to data—from the collection, storage, management and usage to the provision, transmission, disclosure, and deletion. All organizations outside the country that provide services and products in China, or organizations and individuals that analyze consumer behavior in the country, must abide by PIPL.
Broadly defined to include “any information (such as video, voice, or image data) relating to any identified or identifiable natural person, notwithstanding whether it is in an electronic form or any other form, exclusive of any anonymized information.”
Sensitive Personal Information
Includes “personal information that, once leaked, or illegally used, may easily infringe the dignity of a natural person or cause harm to personal safety and property security, such as biometric identification information, religious beliefs, specially designated status, medical health information, financial accounts, information on individuals’ whereabouts, as well as personal information of minors under the age of 14.”
6 Data Protection Principles of PIPL
Collection Purpose and Means
GDPR accords special responsibilities and legal obligations to processors. The processor will also have legal liability if they are held responsible for a breach.
Accuracy and Retention
Steps should be taken to ensure the personal data is accurate and isn’t stored for longer than necessary.
The data must only be used for the purpose it is collected unless explicit and voluntary consent is given by data subjects.
Data users must take steps to safeguard personal data from unauthorized or accidental access, processing, erasure, loss or use.
Data users must take necessary measures to share and adhere to personal data policies and practices known to the public about the data they hold and how they intend to use it. .
Data Access and Correction
Data subjects must be given access to their personal data and must be allowed to make corrections whenever they think that data is inaccurate.
An individual’s consent to process their personal information is required when:
- Sensitive personal information is processed
- The personal information is provided by the processor to another processor
- Personal information is transferred outside of China
Article 13 of PIPL allows the following exceptions, allowing personal information to be processed without the individual’s consent when it is:
- Necessary to enter into or perform a contract to which the individual is a party, or where necessary to conduct human resources management according to lawfully formulated internal labor policies and lawfully concluded collective labor contracts.
- Necessary to perform legal responsibilities or obligations
- Necessary to respond to a public health emergency, or in an emergency to protect the safety of individuals’ health and property.
- Necessary to a reasonable extent for purposes of carrying out news reporting and media monitoring for public interests.
- Personal information that is already disclosed by individuals or otherwise lawfully disclosed, within a reasonable scope in accordance with PIPL.
- Necessary in other circumstances as required by laws.
Key Principles of PIPL
- Unlike GDPR, China’s PIPL focuses more on personal data processing activities.
- PIPL doesn’t allow the collection and handling of sensitive personal information unless the intended purpose is specified. Only where there is a specific purpose can personal data handlers handle sensitive data, under strict protection measures. (‘Handling’ under PIPL refers to collecting, using, sharing, storing, transmitting, or transferring).
- Data handlers need to clearly and specifically disclose why they need the data and how they intend to use it.
- Under PIPL, individuals have the right to withdraw their consent to share their personal information at any time. Organizations cannot discriminate against individuals for exercising their right to withdraw their consent.
- Individuals have the right to be informed about why their data is being collected and for how long it will be stored. Individuals also have the right to know they can exercise their rights whenever they want along with the contact details of the organization that is collecting their data.
- Individuals can also request their personal data from an organization via email, pdf format, or any other feasible means.
- Individuals must have control over their data and PIPL gives them the right to decide who has access to their data.
- Individuals also have the right to opt-out and not share their personal information.
- Under PIPL, individuals have the right to request data deletion as well as correct and modify their data.
The information on this page is provided for educational purposes only and should not be confused with or construed as Annex Cloud’s compliance capabilities or scope. Learn more about Annex Cloud’s enterprise-ready solution, including security, privacy and compliance.