With the continued integration of information and the economy, personal data protection, which is collected and used widely in China, has become a heated issue.
Despite stronger personal data protection in China in recent years, some companies and individuals still collect, access, use and trade personal data illegally for business purposes, which, in fact, has a huge influence on people’s lives and even infringes their property rights. Due to the missing protection of personal data in legislation in China, on August 20, 2021, the Standing Committee of the Thirteenth National People’s Congress voted to adopt the Personal Information Protection Law of the People’s Republic of China (in Chinese “中华人民共和国个人信息保护法”, hereinafter “the Law”), which came into effect on November 1, 2021.
There are 8 chapters and 74 articles within the new legislation, including rules on personal information processing, rules on cross-border transfer, individuals’ rights in personal information processing activities, obligations of processors, duties of authorities and liabilities. To provide insight on how the Law will have an impact on foreign enterprises that obtain data linked to their investments in China or cooperation with Chinese companies, this article provides more information on the scope of the Law and relevant requirements and obligations when processing or transferring personal information outside of China.
Scope of the Law
To clarify the terms of the Law, Article 4 defines “personal information” as information that relates to natural persons’ identification, excluding anonymized information. The information that is identifiable or assigned to a specific person can be generally classified into two types: (i) Basic Personal Information (such as name, home address, identification number, telephone number, etc.); (ii) Sensitive Personal Information, including data related to biometric identification, religious beliefs, specific identity, health care, financial accounts, and personal whereabouts, and personal information of minors under the age of fourteen. Meanwhile, “processing personal information” refers to collection, storage, use, processing, transmission, provision, disclosure, and deletion of personal information.
And the Law not only applies to providing personal information to any party not from China, but also processing information outside the territory of China if it is:
- for the purposes of providing products and services to persons in China; or
- analyzing or assessing the conducts of persons in China; or
- other circumstances regulated by laws.
Processing Personal Information outside of China
Personal information can be processed only when (i) obtain the individual’s consent where such consent is mandatory if the processor would like to disclose the information or it consists of sensitive personal information; (ii) it is necessary to perform the contract or statutory obligations; (iii) it is necessary to respond to the emergencies or reasonable to respond to the news and opinions based on public interest; (iv) information has been legally disclosed; (v) other situations provided by laws.
And processors shall inform individuals about its name, contact information, purposes, methods, categories, retention, procedures and any changes of such details. Nevertheless, after collecting or processing, security measures should be taken to prevent leakage, tampering or losing personal information. Furthermore, internal management and operating rules, classification, encryption, de-identification, regular trainings for employees and emergency plans should be instated. A regular audit on compliance is also needed.
Moreover, cross-border personal information processors, for example, a Dutch company may collect and process personal information of its consumers or employees in China, have a special obligation to establish special institutions or designate representatives in China to handle affairs relating to personal information protection, and the relevant names and contact information should be submitted to the corresponding authorities in China.
Transferring Personal Information outside of China
If personal information is provided to any party outside of China due to business needs, for an instance, a Chinese branch or subsidiary has to transfer personal information of its employees or consumers to the Dutch headquarter, it shall meet at least one of the following requirements:
- passing the national cyberspace administration’s security assessment, where such assessment is mandatory if the quantity being processed reaches a certain amount (there is no specific number mentioned in the Law, but in accordance with Measures on Security Assessment of the Cross-border Transfer of Personal Information and Important Data (Draft for Comments) (in Chinese “个人信息和重要数据出境安全评估办法（征求意见稿）”), the number of personal information is more than 500,000);
- certification by a specialized institution;
- entering into the model contract with the overseas recipient, where the information provider shall take necessary measures to ensure the overseas recipient meets the standards of the Law; and
- other conditions provided by laws or international treaties.
Moreover, providing personal information abroad is strictly regulated through imposing notification obligations, which means that the information processor should notify individuals of the overseas recipient’s name and contact information, purposes and methods of processing, categories of personal information being transferred, the methods and procedures for individuals’ exercise of the rights provided in this Law over the overseas recipient, and obtain individual’s separate consent. In addition, the processor should conduct a personal information protection impact assessment and record the processing information before providing it to overseas recipients.
Last but not least, without the approval of the China’s authorities, the processor is not allowed to provide personal information stored in China to any foreign judicial or law enforcement authority.
Furthermore, if an overseas organization or individual jeopardizes public security and the public interest of China, or violates the interests and rights of Chinese citizens, the national cyberspace administration may include it on a restricted or prohibited list.
Impact of the Law
To further fulfil the obligations set out by the Law and meet the compliance requirements, companies or individuals who process and transfer information outside of China shall check and confirm the details mentioned above so as to avoid being listed.
This article is written by Job Bezemer and Minyi Xiao. Should you have any questions on the Chinese Personal Information Protection Law, please contact our China Practice: