Ultimate Guide to PIPL Compliance: Navigating China's Personal Information Protection Law

The global surge in cross-border data flow has prompted governments worldwide, including China, to intensify oversight of data export and enhance security provisions. This came as a response to the European Union's introduction of the General Data Protection Regulation (GDPR). China, aligning its policies with this new data protection paradigm, enacted the Cybersecurity Law, further tightened by subsequent laws like the Data Security Law (DSL) and the Personal Information Protection Law (PIPL).

Contributing Advisor

Nathaniel Rushforth

Senior Data Security & Compliance Consultant

These laws are critical for multinational corporations that handle data across borders as they navigate the complex requirements of China's data transfer regulations. Adhering to these laws is legal and crucial for ensuring data security and smooth international data flow. Ignoring these regulations can lead to serious repercussions, including business interruptions and penalties.

The newest regulation titled, Regulations to Promote and Standardize Cross-Border Data Flows, relaxes requirements for data export by adjusting thresholds triggering security assessments or the need for standard contracts or PI protection certification. Notably, it increases thresholds for security assessments, such as:

• Transferring non-sensitive personal information (PI) offshore from 100,000 to 1 million individuals' PI, and shortens the time period for cumulative PI assessment; and,
• Similarly, it adjusts thresholds for standard contracts or PI protection certification, with requirements now based on cumulative PI transferred since January 1 of the current year.

Many businesses still need to adjust to these changes, risking non-compliance and potential future policy shifts. In this dynamic environment, legal and cybersecurity experts recommend that businesses proactively adapt to CBDT regulations. They suggest a forward-thinking approach, preparing for both current and future compliance requirements.

Scope and definitions

Personal Information (PI) under the Personal Information Protection Law (PIPL) in China is broadly categorized as any information, recorded electronically or otherwise, that can identify a natural person, either directly or indirectly. This definition parallels the General Data Protection Regulation (GDPR) of the European Union but notably excludes anonymized data, which cannot be reversed to identify an individual. In contrast to GDPR, PIPL does not apply to the PI of deceased individuals, although it grants close relatives certain rights over the deceased's PI for lawful purposes.

The processing and handling of PI

The processing of PI encompasses various activities, including collection, storage, use, alteration, transmission, and deletion. This broad interpretation means that virtually any interaction with PI falls under the scope of PIPL, demanding strict adherence to its guidelines for both domestic and international entities operating in China.

Sensitive Personal Information (SPI) vs PI

SPI under the PIPL is treated with greater caution and includes data that, if misused, could harm an individual's dignity or personal and property security. This category is more extensive than the GDPR's 'special category data.' Article 28 of the PIPL specifies that ‘Sensitive PI’ is “PI that is likely to damage the personal dignity of any natural person or damage to his or her personal or property once disclosed or illegally used”. This is followed by a non-exhaustive list, which includes:

• Biometric data;
• Religious beliefs;
• Specific identities;
• Medical health;
• Financial accounts; and,
• The location of individuals, especially minors under 14.

The handling of SPI requires explicit consent and is subject to stringent protective measures, highlighting its elevated importance in data security.

The fact that financial account information is categorized as SPI came as a surprise to many foreign companies. It implies that almost any business activity involving a payment transaction would involve the processing of SPI. The company can refer to the national standard number GB/T35273-2020 to better understand the detailed scope of SPI defined by the PIPL.

The GDPR lists all ‘Special Category Data’, making it easy for companies or individuals to identify whether or not the PI they are processing falls within this category. The PIPL’s definition is more descriptive but does not include a full list as the GDPR does.

The GDPR treats the PI of minors under the age of 16 as special category data (though specific EU member countries have different rules on age limits, with some lowering it to 13) while the PIPL specifies the age of 14.

PIPL vs GDPR – Definition of Personal Information

Key highlights and interpretation of PIPL

Data protection principles

Below we have summarized the basic principles for protecting the security of PI and the rights and interests of PI subjects.

Regulatory framework for processing personal information

The PIPL sets out several legal bases for processing personal information. These include:

• Obtaining individual consent;
• Fulfilling contractual obligations and statutory responsibilities;
• Responding to public health emergencies;
• Journalistic reporting; processing publicly disclosed pi; and,
• Other legally permitted purposes, according to PIPL article 13.

Essentially, the law ensures that PI is processed legitimately and responsibly. Under China's Personal Information Protection Law (PIPL), obtaining consent for data handling is pivotal. Articles 24, 44, 45, 46, and 48 emphasize the need for clear notifications and explicit consent from individuals when third parties are involved in Personal Identifiable Information (PII) processing.

PI handlers are tasked with adopting robust security measures to safeguard PII from unauthorized access, leakage, or distortion. Additionally, they must be transparent about all PII processing activities, including data recipients' identity and contact details. The principal duties of PI handlers are as follows:

• Development and Implementation of a Privacy Program (PIPL Article 51).
• Appointment of a Data Protection Officer (DPO) (PIPL Article 52).
• Establishment of a Local Representative (PIPL Article 53).
• Conducting Regular Data Protection Audits (PIPL Article 54).
• Conducting PI Protection Impact Assessments (PIPIAs) (PIPL Article 55).
• Responding to Cybersecurity Incidents (PIPL Article 57).

Valid consent and its parameters

According to PIPL Article 14, consent must be freely given, voluntary, and explicit, based on full information. New consent must be obtained if there are changes in the processing purposes, means, or PI categories. This approach ensures that individuals are fully aware of and agree with how their data is used.

Separate consent

PIPL mandates separate consent in specific situations, though it doesn't explicitly define it. Separate consent is required when:

• Transferring PI to another handler (PIPL Article 23);
• Disclosing PI (PIPL Article 25);
• Processing PI from public surveillance for non-public security purposes (PIPL Article 26);
• Processing sensitive personal information (SPI)( PIPL Article 29); and,
• Transferring PI outside the PRC (PIPL Article 39).

This extra consent layer underscores the law's emphasis on individual autonomy over personal data.

Automated decision-making in PIPL

Automated decision-making uses computer programs to assess personal behaviors, health, and financial status. PIPL Article 73 requires that such processes are transparent, fair, and just. It prohibits unreasonable differential treatment based on automated decision-making.

Regulations concerning automated decision-making.

Under PIPL Article 24, if automated decision-making significantly affects an individual, they have the right to demand an explanation and can refuse decisions made solely on an automated basis. This provision is crucial in an era where algorithms play a significant role in decision-making processes.

PIPL compliance for organizations

Impact of PIPL on organizational data life cycle

The enactment of the Personal Information Protection Law (PIPL) has considerable implications for organizations, particularly regarding their data life cycle management. While the regulatory landscape continues to evolve, companies should start preparing by understanding the expected impact.

Below are some of the requirements for your business consideration to process personal data in the cloud:

Requirements for processing PI of minors and internet giants

Organizations must meticulously handle minors' personal information (PI) and comply with stringent requirements for processing data. This involves ensuring secure data collection methods, particularly when dealing with sensitive data like images or videos, and applying robust security measures like encryption and de-identification.

Data localization and cross-border transfer of  PI

What counts as CBDT activities?

There is no specific definition for “cross-border data transfer” in China’s CSL, DSL, or PIPL laws. However, clues can be found in the following three documents:

• The Measures for Data Export Security Assessment;
• The Guidelines for Data Exit Security Assessment and Declaration (First Edition); and
• The Standard Contract Measures for the Export of Personal Information.

Under the Measures for Data Export Security Assessment, cross-border data transfer is defined as:

• The provision of PI and important data collected and generated in the operation within the territory of the People’s Republic of China to institutions, organizations, and individuals located outside the country.

• The Guidelines for Data Exit Security Assessment and Declaration (First Edition) lists out some specific circumstances that are deemed as cross-border data transfer, including:
  • Where a data processor transfers or stores abroad the data collected or generated during its operation within the territory of China;
  • Where the data collected and generated by a data processor is stored within the territory of China for inquiry, retrieval, download and export by overseas institutions, organizations or individuals; and
  • Any other activity involving data to be transmitted abroad is prescribed by the CAC.

Finally, under the Standard Contract Measures for the Export of Personal Information, cross

border data (PI) transfer is defined as:

• When PI processors transmit and store PI that has been collected and generated during domestic operations overseas;
• When PI collected and generated by PI processors is stored within China, but overseas

Institutions, organizations, or individuals can inquire, retrieve, download, and export the PI;

• Other acts of exporting PI abroad as specified by the CAC.

From these above definitions, cross-border data transfer might be interpreted as:

• Direct transfer and storage of important data and PI to overseas locations;
• Remote access to important data and PI stored in China by a person or entity located outside of China - this is to say, if an overseas party within the same or different company, remotely accesses the Important Data or PI of an individual located in China, then this activity will also constitute cross-border data transfer, even if the data is not actively exported to a location outside of China.

While these definitions may suggest which company activities could constitute CBDT, it is by no means a comprehensive definition. The above measures and the overall framework include another clause implying that additional definitions may be left open to interpretation by the authorities in China.

CBDT's current regulatory framework

The newly revised regulations introduce specific exemptions to the requirements for exporting data, providing clarity and flexibility in certain scenarios. Data exports are now permitted without adhering to the previously strict requirements under these circumstances:

• The export of personal information (PI) is deemed necessary for the execution or fulfillment of contracts where the individual whose PI is involved is a participant. This includes a range of activities such as international shopping, delivery services, payment processes, opening bank accounts, reservation of tickets and accommodations, visa application processes, and examination services, among others.
• For the purpose of implementing human resources management in alignment with employment policies and collective labor agreements, exporting employees' PI is allowed.
• In emergencies where it is critical to protect individuals' life, health, or property, exporting PI is permissible.
• Entities not classified as critical information infrastructure operators are allowed to export the PI of up to 100,000 individuals cumulatively from the start of the current year.
• The export of PI that is collected or produced outside of mainland China is exempt, provided it does not include any "important data" or PI collected/generated within mainland China.
• Non-PI data collected or generated through international trade, cross-border shipments, academic collaborations, and international manufacturing and marketing activities are exempt from the requirements unless categorized as "important data" or other specific types of sensitive data, such as state secrets.

Furthermore, the regulations have been adjusted to ease some of the requirements associated with data export. These adjustments are particularly notable in terms of the security assessment triggers and the criteria for either standard contracts or PI protection certification:

• The new criteria for security assessment are as follows:
  • Critical information infrastructure operators intend to transfer any PI or "important data" abroad.
  • Data handlers are not classified as critical information infrastructure operators who wish to transfer "important data" abroad.
  • Non-critical information infrastructure operators have been transferring the PI of more than 1 million individuals (excluding sensitive PI) cumulatively since the start of the current year.
  • Non-critical information infrastructure operators are transferring the sensitive PI of more than 10,000 individuals cumulatively since the start of the current year.

It's important to note that data transfers falling within the exemptions are not subject to the security assessment requirements. Additionally, when calculating the processing volume of PI to determine if thresholds are exceeded, PI transferred under these exemptions will not be counted.

• Standard Contract or PI Protection Certification: The revised timeframe for the cumulative calculation of PI and sensitive PI now include:
  • Non-critical information infrastructure operators are transferring the PI of more than 100,000 but less than 1 million individuals cumulatively since the start of the current year.
  • Non-critical information infrastructure operators are transferring the sensitive PI of no more than 10,000 individuals cumulatively since the start of the current year.

Should these thresholds be met without triggering the security assessment thresholds and none of the exemptions apply, data handlers are required to comply with either the standard contract stipulations or the PI protection certification requirement.

Personal Information Protection Impact Assessment (PIPIA)

PIPL mandates that organizations conduct a Personal Information Protection Impact Assessment (PIPIA) in various scenarios, including handling sensitive information, using PI for automated decision-making, disclosing PI to third parties, and transferring PI internationally. This assessment is crucial to identify and mitigate potential risks in data processing activities.

Conducting PIPIA

Before transferring PI overseas using the standard contract method, companies must conduct a PIPIA. This report should be kept for at least three years. According to the Standard Contract Measures, the PIPIA must assess the following matters:

• The legality, legitimacy, and necessity of the purpose, scope, and processing method of the data processor [in China] and the overseas recipient.
• The scale, scope, type, and sensitivity level of the outbound PI being, and the potential risks that the export of the PI can pose to the rights and interests of the PI subjects.
• The responsibilities and obligations that are undertaken by the overseas recipient, and whether the management and technical measures and capabilities for fulfilling these responsibilities and obligations can ensure the security of outbound PI.
• The risk of the PI being tampered with, destroyed, leaked, lost, or illegally used after being exported, and whether the channels for safeguarding the rights and interests of the PI subjects are unobstructed.
• The impact that the PI protection policies and regulations in the country or region where the overseas recipient is located may have on the fulfillment of the standard contract.
• Other matters that may affect the security of the outbound PI.

What must be stipulated in the standard contract?

The standard contract for exporting personal information (PI) to overseas recipients must follow the template provided by the Standard Contract Measures, as set by the Cyberspace Administration of China (CAC). While CAC may make occasional adjustments to the template, it generally includes:

• Basic details of the PI processor in China and the overseas recipient, such as company names, addresses, and contact information.
• Duration of the contract and details about the mutual PI processing activities.
• Information on the security measures to be employed by the overseas recipient, like encryption, anonymization, and access control.
• Methods for arbitration and dispute resolution.

The contract template comprises nine articles covering the obligations of both the PI processor and the overseas recipient, the impact of local PI protection policies on contract fulfillment, and the rights and interests of the PI subjects. Additional terms can be agreed upon with the overseas recipient, provided they don't conflict with the standard contract's requirements. The export of PI is permissible only after the contract is in effect.

Filing procedures for the standard contract

Within 10 days of the standard contract taking effect, the PI processor must file requisite materials with the local provincial-level cybersecurity office. The PI processor can begin cross-border data transfer activities after the contract takes effect. All the materials must be delivered in both physical and electronic form.

The materials that need to be submitted are listed in the table below:

Provincial cybersecurity authorities will review submitted materials and notify companies of the outcome within 15 days. Successful reviews will result in a filing number issued to the PI processor. Unsuccessful ones will include a notice detailing reasons for the rejection. The company will receive written notification about the review result and may need to submit additional materials. These resubmissions must occur within ten working days of receiving the notice.

In certain situations, the PI processor might need to redo their Personal Information Protection Impact Assessment (PIPIA), re-sign the standard contract, and redo relevant filing procedures before expiration. These situations include changes in PI processing or overseas storage, alterations in overseas PI protection policies affecting PI subjects' rights, and other scenarios impacting PI subjects' rights. Any resubmitted materials will undergo a 15-day review. Violations of the Standard Contract Measures are subject to penalties as per the PIPL and other relevant regulations.

Conclusion

China's Personal Information Protection Law (PIPL) has significantly reshaped the data security legislation. Notably, in the latter half of 2023, Chinese authorities have indicated a potential easing of Cross-Border Data Transfer (CBDT) regulations, especially to boost foreign investments post-pandemic. Key developments include:

• The State Council's August 2023 measures for optimizing foreign investment, proposing "green channels" for qualified foreign companies and piloting a list of "general data" for freer cross-border transfer in major cities.
• The September 2023 draft regulations by the Cyberspace Administration of China (CAC) offer several allowances for PI and important data export, which could alleviate compliance burdens for foreign companies.

Looking ahead, China's cybersecurity and data protection regulations are expected to gain more clarity, particularly regarding the definition of important data. The country's efforts to align with international digital trade agreements like DEPA and CPTPP suggest forthcoming adjustments in its data regulation framework. These changes are anticipated to be trialed in Free Trade Zones (FTZs) and potentially expanded nationwide, easing CBDT requirements on a larger scale.

Staying informed and compliant is crucial for businesses grappling with these dynamic regulatory changes. Multinational companies should monitor legislative developments and adapt their cybersecurity and data protection policies accordingly. Dezan Shira & Associates offers expert guidance and support in:

• Assessing data protection and cross-border data transfer risks.
• Preparing for mandatory security assessments and documentation.
• Developing data collection, processing consent mechanisms, and privacy notices.
• Providing internal compliance training and strategies for data breach mitigation.

For tailored assistance in navigating China's cybersecurity and data protection landscape, contact Dezan Shira & Associates' team of experts. Stay updated with our insights and recommendations to ensure your business aligns with China's evolving data laws.