Key regulatory changes in China’s new legislation on personal information protection
31 August 2021
On 20 August 2021, the Standing Committee of the National People’s Congress adopted the Personal Information Protection Law (the PIPL), the long-awaited and first omnibus personal data protection legislation in China. This new law will take effect on 1 November 2021. As it does not offer any statutory transition period after 1 November, it may be challenging for some players to adapt their data privacy policies and practice to comply with this new law within a two month period.
The new law is in essence an omnibus rulebook for those who process1 the personal information of individuals located in China, regardless of whether those processors of personal information2 are in China themselves or are outside of China. There are general rules for personal information processors (Chapter 2, part 1), as well as special rules for government organs (Chapter 2, part 3). There are also special rules for those that process sensitive personal information (Chapter 2, part 2). The new law also outlines the unified rules applicable to the provision of personal information across borders (Chapter 3). It articulates rights for individuals in connection with the activities of those who process personal information (Chapter 4) and spells out certain obligations for those who process personal information (Chapter 5). The law identifies those departments who are responsible for carrying out the protection of personal information (Chapter 6). Legal liability for violation of the law are set out in Chapter 7.
The term “personal information” is defined quite broadly in the law, leading the reader to consider other already existing laws and regulations in this area – “All kinds of information recorded electronically or through other methods related to identified or identifiable natural persons, not including information after being made anonymous (Article 4(1)).” A photograph of a person along with that person’s name would seem to be enough to qualify as personal information if it contains sufficient details for identifying the natural person. Or a name together with an email address might also seem to be enough, but a name alone would likely not be enough unless it was unique. Put another way, “personal information” looks to be any combination of information that allows someone to identify one person from another person. If this is the correct interpretation, multiple headaches are coming for those that hold or use the information of individuals in China.
To read the full article, download the PDF below:
1 Under the PIPL, the processing of personal information includes the collection, storage, use, processing, transmission, provision, disclosure and deletion of personal information.
2 Please note that the definition of the personal information processor under the PIPL is similar to that of the data controller under the GDPR.