China introduces data protection legislation with significant impact for foreign businesses with operations in or sales to China. The long-awaited Personal Information Protection Law (the “PIPL”) took effect on 1 November 2021, less than three months after its adoption in August.
It is the first comprehensive and dedicated law in the area of personal information protection in China. It affects all the companies having presence in China, as well as foreign entities that process personal data overseas, for the purpose of providing service and products to natural persons within PRC or analyzing or evaluate the behaviors of natural persons within PRC.
Highlighted below are some key points of the PIPL.
- Scope of “Personal Information”
The PIPL to a large extent mirrors the language in EU’s General Data Protection Regulation (GDPR) in relation to the definition of personal information. The fairly broad definition covers all kinds of information relating to identified or identifiable natural persons recorded by either electronic means or in other forms.
It is however worth noting that pursuant to the PIPL information processed anonymously is not considered to be personal information.
It is also the first time for the PRC law to introduce a concept of “sensitive personal information”, which refers to personal information that is likely to infringe the dignity of a natural person or result in harm to his/her personal safety and property security if it is disclosed or illegally used. Biometric identification information, religious beliefs, medical health information and financial accounts are all deemed as sensitive personal information.
- Legal Basis of Processing
One of the welcoming changes introduced by the PIPL is a broad and expanded legal basis of personal information processing, which is quite similar to the GDPR. The processing of personal information must satisfy the legally provided processing conditions. Apart from the condition of obtaining consent from the natural persons, following conditions are also recognized:
- processing is necessary for the concluding or performance of contract with the data subject, or for human resources management according to lawfully formulated labor rules and lawfully concluded contracts;
- processing is necessary for the performance of statutory duties or for compliance with legal obligations;
- processing is necessary for coping with public health emergencies for the protection of the life, health, and property safety of a nature person;
- processing personal information that has been publicly disclosed by the data subjects themselves or other legally disclosed personal information within a reasonable scope; and
- other circumstances permitted by laws.
It is notable that consent must be a clear and voluntary declaration of intent as a prerequisite to the full knowledge of the natural persons. A package consent covering all the processing purpose is also not allowed while the processor is required to obtain a separate consent under certain circumstances, including:
- processing sensitive personal information,
- providing personal information to a third party,
- publicizing personal information processed,
- using personal information which is collected for public security for any other purpose, and
- transferring personal information outside the territory of China.
- Cross-border transfer of personal information
Cross-border transfer of personal information can only be made for legitimate and solid reasons (e.g. business needs), and the transferor is obligated to take the necessary measures to ensure that such processing activities satisfy the protection standards set out in the PIPL.
As written under Item 2 above, comparing to the general rules under the PIPL, the consent requirement for the cross-border data transfer is enhanced – the processor must inform the natural persons (data owners) of the name of the overseas recipient, the recipient’s contact information, purpose of processing, processing methods, and types of personal information to be processed, as well as the procedures for the natural persons to exercise their rights under the PIPL (such as right to review, copy, amend, supplement and delete his/her personal information). In this case, separate consent on the cross-border transfer must be obtained by the processors before the transfer.
- Our take
The new PIPL reshapes the handling of personal information in China and marks that protection of personal information there to stay. Further details are and will be released via additional regulations and practical guidance in the near future. Companies need to map the data they currently store and collect, revisit their existing practices and procedures, have a wholescale self-assessment in terms of collected personal information, and take implementation steps, including without limitation, (i) updating the company’s personal information policy; (ii) adopting a robust and comprehensive internal compliance system for the personal information protection from both global and local perspectives, (iii) reviewing the data processing agreements with third parties, and (iv) providing necessary legal and compliance trainings to relevant managers, advisors and employees.
If you have any question or comment on this topic or any other matters related to foreign companies doing business in China or Chinese investments in Europe, please do not hesitate to contact Magnusson’s China Group.
Our China Group team has almost two decades of experience advising Chinese companies who conduct business in the Baltic Sea Region and local clients who conduct business in China.
We have Chinese qualified lawyers in our group as well as Mandarin speakers in most of our offices. Our lawyers are able to offer a comprehensive range of services in Mandarin and the local languages and have considerable experience of helping Chinese businesses who are looking to set up operations in the Baltic Sea Region.
Moreover, we are also there to support and advise local businesses looking to take advantage of the many opportunities that China offers. Our services include M&A and investments, dispute resolution, employment law, foreign investment screening, regulatory advice, e-trade and personal data and commercial contracts.
Nikolaj Juhl Hansen
+45 27 74 05 07
+46 72 442 68 80
Magnusson’s international M&A team advises on sign...
Magnusson acted as legal adviser in property sale...
Swedish chapter for The Legal 500: Intellectual Pr...
Magnusson supports Nordic start-up community at Lo...
Magnusson advised Tilitoimisto Likvidi Oy and its...
Magnusson acted as legal adviser to Galderma
Magnusson advised Forus Oy in creating a partnersh...
Global Legal Insights: Employment & Labour Law in...
Magnusson assisted Eurofins Scientific in the acqu...
Magnusson assisted Trosa Vagnhärads Mark AB