November 1, 2021: A New Day for Data Protection in China
In recent years, the question of privacy protection in China has been an important concern, particularly for companies with business ties to China. While many jurisdictions have undertaken privacy reform in recent years, such as the European Union with the General Data Protection Regulation (“GDPR”) or California with the California Consumer Privacy Act (“CCPA”), some have considered that China lags behind in privacy protection. It is in that context that China passed a major new privacy law on August 20, 2021. The new law, often cited in English as the Personal Information Protection Law (“PIPL”), comes into force on November 1, 2021. As the PIPL outlines in its first article, the aim of the law is to “protect personal information rights and interests, regulate the processing of personal information, and promote the reasonable use of personal information”. The PIPL complements China’s Cybersecurity Law and the Data Security Law and completes China's legislative arsenal to regulate cyberspace.
A fragmented Chinese legal framework prior to the adoption of the PIPL
Prior to the adoption of the PIPL, there was no comprehensive national data privacy law in China. The existing rules in this area were scattered in various texts, including in legislation (e.g. the General Principles of Civil Law and the Tort Liability Law), decisions (mainly the Decision on Strengthening Online Information Protection of 2012), regulations and guidelines (e.g. the Guidelines on Internet Personal Information Security Protection).
Hence, the Chinese legal framework for the protection of personal information prior to the adoption of the PIPL diverged greatly from the Canadian legal framework. Now, the PIPL, both in its structure and in its scope, is much closer to the Canadian privacy regime, and may even go a step further.
The PIPL’s Key Provisions
Although this blog is not intended to be an exhaustive review of the provisions of the PIPL, there are certain key provisions worth highlighting.
- Definitions: The PIPL defines certain key terms in a way that is similar to the GDPR and the CCPA, including the concepts of "personal information" and "processing". However, the PIPL uses the term best translated as "processor" to describe a role that would more closely resemble a "data controller" under the GDPR.
- Data Minimization Principle: The guiding principle behind the PIPL is that the collection, processing and retention of personal information should be limited to the minimum amount necessary to achieve the purpose of processing, a principle well established in Canadian privacy law.
- Legal Basis for Processing: The PIPL requires a legal basis for processing personal information, the primary basis being the consent of the individual. This approach is similar to the GDPR. Certain exceptions are provided for, notably when processing is necessary for the performance of a contract to which the individual is a party or if the processing is necessary for coping with public health emergencies.
- Extra-Territorial Scope: The PIPL is similar to the GDPR in that it provides for a very broad territorial scope to encompass both the processing of personal information within China, as well as processing activities conducted outside of China where the personal information of an individual located in China is processed for the purpose of (i) offering goods or services to individuals in China, or (ii) analyzing and evaluating the behavior of individuals in China. In these latter situations, the foreign processor will also need to identify a local representative to oversee compliance.
- Cross-Border Transfer: In the event that a personal information processor needs to transfer such information outside of China, it must either do so under a state-approved contract, undergo a security assessment by the Chinese cyberspace administration or receive certification of data practices by a state-approved body. This obligation places a potentially heavy compliance burden on companies operating in China, and how it is put into practice will be a point of interest.
- Separate Consent: The PIPL provides for a number of situations where the separate or written consent of data subjects will be required, including for cross-border transfers, the provision of personal information to third parties and the processing of sensitive personal information such as medical data and financial information.
- Data residency: The PIPL goes one step further than the GDPR and the CCPA by providing an explicit additional obligation to store personal information within the territory of China for “critical information infrastructure operators” (“CIIO”) and businesses processing personal data exceeding a certain volume threshold. CIIO is not directly defined in the PIPL but is described in the Cybersecurity Law – Regulations on the Security Protection of Critical Information Infrastructure. The regulations set out that Chinese government authorities are responsible for identifying the CIIOs in a given industry. Based on this, we can reasonably expect that those designated as CIIOs should be notified to this effect by a government authority.
- Presumption of Liability: The PIPL creates a presumption of liability to the effect that if processing infringes the rights and interests of personal information and causes damages, the processor has the burden to prove that it was not at fault.
Implications for Canadian companies and companies with business ties to China
As mentioned above, the PIPL takes effect November 1, 2021, and therefore concerned parties doing business in China or otherwise processing personal information of Chinese residents must act quickly to adapt to the new measures, if they have not already done so.
Compliance with the new PIPL is even more crucial for foreign stakeholders doing business in China given its extra-territorial application and the requirement to appoint a local representative in certain situations mentioned above. Similarly, foreign entities have to quickly analyze whether they fall under the definition of "critical information infrastructure operators" or if they reach the threshold of personal information processed in order to develop an IT infrastructure in China.
Overall, the PIPL clearly fills a gap in China’s regulation of data privacy and businesses will be further motivated to comply in order to avoid the significant penalties for processors who violate the law, including fines of up to 5% of their turnover from the previous year, revocation of the business permit/license and personal liability for company executives. We will be monitoring with interest future enforcement actions.
 See official text here: http://www.npc.gov.cn/npc/c30834/202108/a8c4e3672c74491a80b53a172bb753fe.shtml. English translation of the PIPL prepared by China Briefing available at: https://www.china-briefing.com/news/the-prc-personal-information-protection-law-final-a-full-translation/
 PIPL English translation, article 73(I): “A personal information processor refers to any organization or individual that independently determines the purpose and method of processing in personal information processing activities.”
 GDPR, article 4(7): “‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.”
 It is also relevant to note that the PIPL applies only in Mainland China since Hong Kong remains governed by its own data privacy regime.
 According to the regulations, CIIOs refer to, amongst others, operators in important industries such as public communication and information services, energy, transportation, water conservancy, finance, public services, e-government, national defence, science and technology, or industries where a data breach may seriously endanger important network facilities, information systems, national security, national economy, people's livelihood, and public interest. According to Article 10 of the Critical Infrastructure Regulations, the competent authority is responsible for organising the identification of key information infrastructure in an industry and a field in accordance with the identification rules, promptly notifying the operators of the identification results, and reporting it to the Public Security Department. See: https://www.dataguidance.com/opinion/china-operationalising-pipl-part-two-data-transfers