Challenges Under New Personal Information Protection Regime in China
On August 20, 2021, China enacted the Personal Information Protection Law (PIPL), which will take effect on November 1, 2021. This legislation supplements the Cybersecurity Law enacted on November 7, 2016, the privacy rights and personal data protection provisions of the Civil Code of the People’s Republic of China enacted on May 28, 2020, and the Data Security Law which will take effect on September 1, 2021.
The newly enacted PIPL and Data Security Law demonstrate that China is placing national security and political control above the economic interests advocated by the business community, following its recent crackdown on Alibaba, Tencent and other digital business powerhouses in China, most of which are privately owned. These laws have significantly tightened the Chinese government’s control over data privacy in China and revealed the government’s determination to assert data sovereignty over cross-border data transfers. As one of the most restrictive data privacy laws in the world, the PIPL will create significant hurdles to the business operations of foreign-invested enterprises (FIEs) in China, especially in connection with internal investigations.
Scope of Application of the PIPL
The PIPL applies to the processing of personal information of individuals within the territory of China.[1] The definition of personal information is very broad, including “any kind of information related to an identified or identifiable individual as electronically or otherwise recorded, excluding information that has been anonymized.”[2] Processing personal information is defined as “the collection, storage, use, processing, transmission, provision, disclosure and deletion of personal information.”[3]
The PIPL also provides for certain extraterritorial applications. Under Article 3 of the PIPL, it shall also apply to the processing of personal information of individuals inside China that is completed outside China under one of the following circumstances:
- It is for the purpose of providing products or services to natural persons inside China
- It relates to analyzing or evaluating the behaviors of natural persons inside China
- It is regulated by other Chinese laws and regulations.
The first two items appear to apply mainly to offshore e-commerce businesses targeting Chinese domestic consumers. However, the second item is much broader and could extend to employment, education and even business due diligence managed by an offshore entity. Therefore, at least in theory, even if the personal information of an individual in China is collected outside China (including personal information voluntarily provided by an individual in China to an offshore entity or individual), processing such information for the purpose of business due diligence or an internal investigation is likely to be subject to the PIPL.
For these extraterritorial applications, Article 53 of the PIPL requires that a special agency or a representative be established or designated in China to handle matters related to personal information protection. It also states that the information of such an agency or representative shall be reported to the relevant Chinese authorities. This provision will be very difficult to implement if the Chinese government strictly enforces its extraterritorial authority as set forth in Article 3 of the PIPL.
Consent-Based Processing and Disclosure Requirements
Consent
Under Article 13 of the PIPL, a personal information processor (PIP)[4] may process personal information only under one of the following circumstances:
1) It has secured the consent of the subject individual
2) It is necessary for the execution and performance of a contract to which the subject individual is a party, or it is necessary for the implementation of human resource management based on the labor and employment policies that are issued in accordance with laws or the collective contract signed in accordance with laws
3) It is necessary for the performance of statutory duties or statutory obligations
4) It is necessary for dealing with urgent public health incidents, or for the protection of the life and health of natural persons or the safety of property in an emergency
5) The personal information is processed within reasonable scope to conduct news reports or media supervision for the public interests
6) The personal information that is processed within reasonable scope in accordance with the provisions of the PIPL has already become publicly available by the subject individual or through other legitimate means
7) Other circumstances permitted by laws and administrative regulations.
Consent is required for processing personal information unless it falls into one of items 2-7 above.[5] Processing employment-related personal information generally falls under Article 13.2 listed above, unless special consent is required under the PIPL or other Chinese laws and regulations.
However, Article 13.2 is only applicable to a company that has a direct contractual relationship with the subject individual or HR policies that are issued in accordance with Chinese laws. Such wording implies that Article 13.2 is not applicable if personal information is processed by a FIE’s parent entity outside of China, which is an independent legal entity but not a legal person in China, unless one of the following exists:
- A direct contract between the subject individual and the offshore parent entity in connection with personal information processing
- The FIE’s labor and employment policy (issued through proper procedure) contains explicit language authorizing its offshore parent entity to participate in the HR management matters of the FIE and to process the personal information of its employees.
Without such a direct contract or valid labor and employment policy, consent from the subject individual will be required under the PIPL if the offshore parent entity would like to manage or process personal information collected by its China subsidiaries. In that event, the offshore entity will be treated either as a contractor under Article 21 of the PIPL, under which a contract between the offshore entity and the FIE is required, or as a third-party PIP under Article 23 of the PIPL, under which the subject individual’s “separate consent” is required. It is unclear what will constitute a valid “separate consent” under the PIPL: whether it means consent specifically tied to transferring personal information to the offshore parent entity, whether it precludes consent given through a bundled FIE company policy containing a provision permitting the transfer of personal information to its offshore parent entity, or whether it ends up somewhere in the middle.
Another reason for having a direct contract or a valid HR policy with explicit authorization to the FIE’s parent entity, as discussed above, is that the PIPL does not list legitimate interests as a basis for processing personal information. The statutory duties or obligations under Article 13.3 refer to those under Chinese laws, not the laws of other countries. China strongly rejects the application of foreign laws within the territory of China. Therefore, a U.S. company and its FIE may not process the personal information of employees in China, absent consent, a direct contract or valid HR policies, on the ground that processing personal information in an internal investigation is in their legitimate interest because they are required to comply with the FCPA or other U.S. laws.
Note that “separate consent” is also required for processing sensitive personal information, and written consent may be required if imposed by law.[6] Sensitive personal information refers to personal information that, if leaked or used illegally, may lead to degrading treatment of individuals or seriously threaten the safety of individuals and property, including biometric data, religion, special personal identity, medical and healthcare data, financial accounts, personal whereabouts, etc. Personal information of individuals under the age of 14 is also classified as sensitive personal information. A PIP shall only process sensitive personal information for specific purposes and with sufficient necessity, with strict protective measures in place.[7]
Disclosure Requirements
Even where consent is not required under Article 13.2 of the PIPL, an employer is not exempt from its disclosure obligations under Article 17 of the PIPL, which requires a PIP to disclose the following information to the subject individual truthfully, accurately and completely, by explicit means and in unambiguous language, prior to processing personal information:
- Name and contact information of the PIP
- Purposes and means of processing personal information, type of personal information to be processed and duration of storing personal information
- Means and procedures by which the subject individual may exercise their rights under the PIPL
- Other information that shall be disclosed under relevant laws and regulations.
If any of the above information changes, the PIP is required to notify the subject individual of such changes.
As discussed above, “separate consent” is likely required for a multinational corporation (MNC) to process the personal information of the employees of its Chinese subsidiaries if the MNC is treated as a third-party PIP. Under Article 14 of the PIPL, if consent is required to process personal information, the consent shall be given voluntarily and explicitly on the condition of full disclosure to the subject individual. The disclosure requirement relating to transferring personal information to a third-party PIP is similar to the normal disclosure requirement. When a PIP intends to provide the personal information it has processed to a third-party PIP, the providing PIP is required to disclose to the subject individual the third-party PIP’s name and contact information, the purposes and means of processing personal information, and the type of personal information to be provided.[8] The receiving PIP is required to process the personal information within that scope. If the recipient changes the purposes or means of processing the personal information, it shall obtain fresh consent from the subject individual in accordance with the PIPL.[9]
The above disclosure requirement may be waived if laws or regulations impose confidentiality obligations or exempt the PIP from the disclosure requirement.[10] Such waivers and exemptions are typically associated with the Chinese government’s authority in processing personal information, and they are rarely available to the private sector.
Provision of Personal Data Across Borders
Prior to the enactment of the PIPL, both the Cybersecurity Law and the Data Security Law required only Critical Information Infrastructure Operators to undergo a data security assessment conducted by government authorities for the provision of data across borders.[11] Note that these laws use the term “provision” instead of “transfer” in connection with cross-border data processing activities. Provision of data includes providing offshore entities and individuals with access to data stored in China; it is not limited to the physical transfer of data across borders.
For companies not classified as Critical Information Infrastructure Operators, these two laws and other regulations have not provided clear and specific guidance on the cross-border transfer of personal information, other than general consent and requirements on the collection and use of such data.
The PIPL completely changes the rules on the cross-border transfer of personal information. Under Article 38 of the PIPL, a PIP may transfer personal information across borders only if it meets one of the following conditions, and there is no threshold below which these conditions are waived:
- It has passed a security assessment administered by the Cyberspace Administration of China (CAC)
- It has obtained personal information protection certification from professional institutions in accordance with the rules of the CAC
- It has entered into a data transfer agreement with the overseas recipient by adopting the contract template published by the CAC
- It has met other conditions set forth by laws, regulations or rules issued by the CAC.
The first item listed above applies to personal information possessed by the operators of Critical Information Infrastructure, or to PIPs whose volume of personal information reaches the threshold mandated by relevant laws and regulations.[12] With respect to the second item, such certification is already available, although the Chinese government has yet to issue regulations and rules governing the certification process and requirements. In 2018, the China Cybersecurity Review Technology and Certification Center (CCRC) issued Personal Information Security Management System certificates to 10 major Chinese digital business companies, including Alibaba, Tencent, Baidu and JD.COM, by applying the national standard GB/T 35273-2017.[13] Currently, CCRC offers the service of issuing Privacy Information Management System Certification, based on ISO/IEC 27701:2019 and GB/T 22080-2016. As to the third item, the CAC has not yet published its cross-border data transfer contract template, but we expect that it will contain provisions addressing data sovereignty, a key area of concern for the Chinese government.
Therefore, with the promulgation of the PIPL, regardless of whether a FIE in China has only one Chinese employee’s personal information or thousands of Chinese consumers’ personal account information to share with its offshore parent entity, it is essentially forced either to apply for personal information protection certification or to adopt the CAC’s contract template for the provision of data across borders when it becomes available (hopefully prior to the PIPL taking effect on November 1, 2021). The other alternative is to have all personal information collected in China processed inside China and to set up a firewall to prevent the flow of personal information out of the country. All of these options present daunting challenges to FIEs and their offshore parent entities, and it is not an overstatement to say that their business operations in China could be disrupted by the implementation of the PIPL if they fail to address this compliance requirement in time.
In addition to meeting the above conditions for providing data across borders, a PIP is required to disclose the following information to the subject individual: the name and contact information of the offshore recipient, the purposes and means of processing personal information, the types of personal information processed, and the means and procedures for the subject individual to exercise his/her rights under the PIPL.[14]
The PIP shall also secure the subject individual’s “separate consent” for providing their personal data across borders.[15] Again, “separate consent” is not defined, and it is not clear what form of “separate consent” will constitute valid consent under the PIPL. The consent requirement could create significant risks to an internal investigation conducted by a FIE’s offshore parent company, because such consent may be withdrawn by the subject individual if they realize the investigation is heading in an unfavorable direction. For consent-based personal information processing, an individual has the right to withdraw consent.[16] Although such withdrawal does not nullify the personal information processing conducted prior to the withdrawal, the PIP has an obligation to delete the personal information, either voluntarily or upon the request of the subject individual.[17] In that event, deleting the personal information of individuals involved in non-compliant practices might torpedo an ongoing FCPA or other internal investigation. It is not clear whether the subject individual’s right to withdraw consent and the PIP’s obligation to delete personal information upon such withdrawal could be waived by a prior agreement signed between the PIP and the subject individual.
Providing Personal Information to Foreign Law Enforcement Agencies
The Chinese government has a very strict judicial sovereignty policy. In reaction to the Huawei case and other cases against Chinese companies and individuals under the Trump administration, China enacted the Law on International Judicial Assistance in Criminal Matters in 2018, which contains a specific provision addressing the collection of evidence in China:
“Without the approval of the competent authority of the People’s Republic of China, no foreign institution, organization or individual shall conduct activities relating to criminal proceeding as specified hereunder within the territory of the People’s Republic of China, and no institution, organization or individual within the territory of the People’s Republic of China shall provide any evidential material or the assistance set forth hereunder for a foreign country.”[18]
This provision is generally viewed as applicable only where a criminal proceeding already exists outside of China, so it should not apply to FCPA and other internal compliance investigations conducted in China by a multinational company, unless a criminal investigation has already been initiated outside of China in connection with such an internal investigation. However, the recent promulgation of the Data Security Law and the PIPL has created significant legal hurdles for multinational companies conducting internal compliance investigations.
Article 36 of the Data Security Law states:
“Without the approval of the competent authority of the People’s Republic of China, no organization or individual within China shall provide foreign judicial or law enforcement authorities with data stored within the territory of the People’s Republic of China.”
This prohibits the provision of data stored within the territory of China to foreign judicial or law enforcement authorities without approval from the Chinese government. Theoretically, the challenge this provision creates for a multinational company’s China operations could be largely resolved if the data is already stored on its global platform and the internal compliance investigation is conducted by the offshore parent company instead of by a local team. However, with the promulgation of the PIPL, multinational companies are going to face great difficulty in any internal compliance investigation, where personal information is typically an essential part of the investigation.
Article 41 of the PIPL states:
“Without the approval of the competent authority of the People’s Republic of China, a Personal Information Provider shall not provide foreign judicial or law enforcement authorities with personal information stored within the territory of the People’s Republic of China.”
Since the PIPL does not limit PIPs to organizations or natural persons located within China,[19] this provision applies to an offshore parent company and its offshore legal/financial advisors processing personal information during an internal investigation in China. Under this provision, the offshore parent company and its offshore legal/financial advisors are prohibited from providing evidence containing personal information collected in China to the DOJ, SEC or other law enforcement authorities in the U.S. unless such personal information has been adapted.
If a foreign organization or individual has infringed a Chinese citizen’s rights in their personal information, or has engaged in personal information processing activities endangering the national security or public interest of China, the CAC may place the foreign organization or individual on a list restricting or prohibiting the provision of personal information to that organization or individual.[20]
Liabilities
If a PIP has violated its legal obligations as set forth in the PIPL, depending on the degree of its offense, it may be subject to some or all of the following penalties, among others:[21]
- Confiscation of illegal gains and a penalty fine on the PIP of up to RMB 50 million or 5% of the previous fiscal year’s revenue
- Penalty fines on the persons in charge ranging from RMB 100,000 to RMB 1 million
- Suspension of the relevant business or of all business operations, revocation of operating permits, or revocation of the business license.
In addition, the victim of such an infringement is entitled to seek financial compensation from the PIP, and the compensation amount will be determined based on the damage suffered by the victim and the interests/benefits gained by the PIP.[22]
Conclusions and Suggestions
Foreign companies are facing daunting challenges created by the data sovereignty provisions of the PIPL, especially when facing legal reporting obligations to their home countries. It is likely that they will need to choose how to deal with the conflicting legal obligations imposed by China and their home countries after evaluating the risks of the available options. However, in order to have these options available, foreign companies with operations in China will first need to have a compliance system in place, and may consider taking the following steps before the PIPL takes effect on November 1, 2021:
- Having the offshore parent entity sign a data privacy agreement with management personnel and key technicians in which they consent to the provision of personal data across borders. The agreement should also grant the offshore parent entity the right to access and process personal information and require the individual to waive the right to withdraw consent and the right to request deletion of personal information during their employment period.
- Adopting a FIE labor and employment manual through the proper procedure required by Chinese laws, with provisions explicitly authorizing its offshore parent entity to participate in the HR management of the FIE and to process personal information. It is critical to list in detail the information relating to the processing of personal information, addressing every issue raised by the PIPL.
- Establishing a personal information management system in the FIEs to comply with the requirements imposed by the PIPL.
The Chinese government is likely to issue more detailed regulations and rules to implement the PIPL, and we will closely monitor the situation to provide timely advice to our clients.
[1] Personal Information Protection Law, Art. 3.
[2] Personal Information Protection Law, Art. 4.
[3] Id.
[4] Personal Information Provider is defined as the organization or individual who has the discretion to determine the purposes and means of processing personal information. See Personal Information Protection Law, Art. 73.1.
[5] Personal Information Protection Law, Art. 13.
[6] Personal Information Protection Law, Art. 29.
[7] Personal Information Protection Law, Art. 28.
[8] Personal Information Protection Law, Art. 23.
[9] Id.
[10] Personal Information Protection Law, Art. 18.
[11] Cybersecurity Law, Art. 37; Data Security Law, Art. 31. For the definition of Critical Information Infrastructure, see Regulations on Security Protection of Critical Information Infrastructure (July 30, 2021), and Guidance on Determining Critical Information Infrastructure (2017). The scope of Critical Information Infrastructure is still evolving, and has recently expanded to Didi and other companies in the automobile industry.
[12] Personal Information Protection Law, Art. 40.
[13] The current standard is GB/T 35273-2020.
[14] Personal Information Protection Law, Art. 39.
[15] Personal Information Protection Law, Art. 39.
[16] Personal Information Protection Law, Art. 15.
[17] Personal Information Protection Law, Art. 47.
[18] Law on International Judicial Assistance in Criminal Matters, Art. 4.
[19] Personal Information Protection Law, Art. 72.1. See also Personal Information Protection Law, Art. 3: “This Law shall also apply to any of the following situations when the processing of personal information of natural persons located within the territory of the People’s Republic of China is conducted outside the territory of the People’s Republic of China: 1) for the purpose of providing products or services to natural persons within China; 2) analyzing and assessing the conduct of natural persons within China; 3) other situations stipulated by laws and regulations.”
[20] Personal Information Protection Law, Art. 42.
[21] Personal Information Protection Law, Art. 66.
[22] Personal Information Protection Law, Art. 69.