Interpretation of the Personal Information Protection Law
Author: Dr. Wu, Weiming (Victor) & Yao, Xinyu (Laura)
2022-03-10

On October 21, 2020, the Personal Information Protection Law of the People's Republic of China (Draft) (hereinafter referred to as the "First Review Draft") was officially released to the public for comments. On April 26, 2021, the 28th Session of the Standing Committee of the 13th National People's Congress deliberated on the Personal Information Protection Law of the People's Republic of China (Second Review Draft) (hereinafter referred to as the "Second Review Draft"). The Personal Information Protection Law of the People's Republic of China (hereinafter referred to as the "PIPL") was adopted at the 30th meeting of the Standing Committee of the 13th National People's Congress on August 20, 2021, and took effect on November 1, 2021.

The full text of the PIPL consists of eight chapters and seventy-four articles. Centred on the processing of personal information, it establishes rules from several perspectives: processing rules, cross-border provision, individual rights, processor obligations, the authorities responsible for protection, and legal liability. It also lays down special rules for the processing of sensitive personal information and for processing by state organs. The authors interpret it from eight aspects: legislative purpose, analysis of important concepts, rules for processing personal information, individual rights, processor responsibilities, cross-border transfer of personal information, social governance and penalties.
I. Legislative purpose

i. Approach data flows with caution

It is not difficult to see from its name that the main starting point of the PIPL is the protection of personal information. This is made clear in Article 1. Regarding the legislative purpose, Article 1 of the First Review Draft stipulated that "this law is enacted in order to protect the rights and interests of personal information, regulate the processing of personal information, ensure the orderly and free flow of personal information according to law, and promote the rational use of personal information." Compared with the First Review Draft, the Second Review Draft took a more cautious attitude towards the flow of personal information and deleted the expression "ensuring the orderly and free flow of personal information according to law". In addition to following the wording of the Second Review Draft, the PIPL adds the phrase "in accordance with the Constitution" before "this Law is formulated", which is of great significance for protecting the personal dignity and other rights and interests of citizens provided for in the Constitution.

ii. Extraterritorial jurisdiction

On the issue of extraterritorial jurisdiction, the PIPL adopts the same principle as the Data Security Law. Article 2 of the Data Security Law stipulates that where data processing activities outside the territory of the People's Republic of China damage national security, the public interest or the legitimate rights and interests of citizens and organizations, legal liability shall be pursued according to law.
Article 3 of the PIPL stipulates the following circumstances in which extraterritorial jurisdiction applies: (I) where the purpose is to provide products or services to natural persons within the territory; (II) where the activities of natural persons within the territory are analyzed and evaluated; (III) other circumstances prescribed by laws and administrative regulations. Sanctions are also specified in Chapter III, "Rules for Cross-border Provision of Personal Information". Article 42 stipulates that where an overseas organization or individual engages in personal information processing activities that infringe upon the personal information rights and interests of citizens of the People's Republic of China, or endanger the national security or public interests of the People's Republic of China, the Cyberspace Administration of China (CAC) may include that organization or individual in a list of subjects to whom the provision of personal information is restricted or prohibited, announce the list, and take measures such as restricting or prohibiting the provision of personal information to them.

II. Analysis of important concepts

i. What is personal information

With regard to the definition of personal information, the PIPL builds on the "identification" standard of the Cybersecurity Law of the People's Republic of China (hereinafter referred to as the "Cybersecurity Law") and the Civil Code of the People's Republic of China (hereinafter referred to as the "Civil Code") and distinguishes between "identified" and "identifiable". That is, all information relating to an identified or identifiable natural person is personal information.
The PIPL distinguishes between "identified" and "identifiable" on the basis of "identification" and integrates the element of "relating to", further widening the scope of personal information protection. It should be noted, however, that the PIPL's provisions lack operability as to what counts as "relating to", that is, how the criterion of relevance is to be determined, which may leave wide discretion to law enforcement and the courts. It is therefore suggested that personal information be enumerated on the basis of the above provisions, so as to reduce uncertainty in identifying personal information.

ii. Definition and methods of personal information processing

In Article 76 of the Cybersecurity Law, processing is a concept parallel to collection, storage, transmission and exchange, whereas in Article 4 of the PIPL, processing has become the umbrella concept, with collection, storage, use, processing, transmission, provision, disclosure and deletion as the specific methods of processing personal information. This wording is consistent with the Civil Code and similar to Information Security Technology — Personal Information Security Specification. Such differences may directly affect the scope of application of a specific provision, so attention must be paid to the scope of "processing" in each context in order to understand accurately the differences between laws and regulations. As to the methods of processing, in addition to the original collection, storage, use, processing, transmission, provision and disclosure, the method of "deletion" has been added.

III. Important content of the processing rules

i. Do not over-collect personal information

Article 6 of the PIPL stipulates that excessive collection of personal information is not allowed.
This provision responds to the crackdown by the relevant ministries and commissions in recent years on excessive collection of personal information by apps and other applications. Writing it into the law is conducive to regulating the collection of personal information.

ii. Prohibition of data discrimination

Data discrimination is common in the use of big data and is also a difficult problem in personal information protection, and the PIPL regulates it. In big data applications, information pushing and commercial marketing through user profiling and automated decision-making are common scenarios. However, they also bring problems such as algorithmic discrimination and big-data-enabled price discrimination against existing customers. On this point, Article 24 of the PIPL makes targeted provisions on the use of personal information for automated decision-making: 1) where a personal information processor uses personal information for automated decision-making, it shall ensure the transparency of the decision-making and the fairness and impartiality of the results, and shall not impose unreasonable differential treatment on individuals in respect of transaction price and transaction conditions; 2) information pushing and commercial marketing to an individual through automated decision-making shall be accompanied by options that do not target the individual's personal characteristics, or convenient means of rejection shall be provided to the individual; 3) where a decision made through automated decision-making has a significant impact on an individual's rights and interests, the individual has the right to require the personal information processor to give an explanation and to reject decisions made solely by automated decision-making.
iii. Human resource management is expressly brought within the scope of personal information processing

The PIPL includes, among the exemptions from individual consent, human resource management carried out in accordance with labor rules and regulations formulated according to law and collective contracts concluded according to law. The human resource management scenario is somewhat special, because employees and enterprises stand in a relationship of subordination. In some cases, in order to achieve the reasonable purposes of human resource management, the company needs to process personal information, and such processing may not be explicitly stipulated in the labor contract. If the conventional notice-and-consent principle were followed, it would hinder the purpose of the labor contract. Where rules and regulations formulated by the company according to law have been signed or acknowledged by the employees, they are generally considered part of the labor contract, and the notice-and-consent procedure can be regarded as completed. On this basis, the above provision was added to Article 13 of the PIPL.

iv. Facilitation of withdrawal of consent

Article 15 of the PIPL stipulates that "where the processing of personal information is based on the consent of the individual concerned, the individual is entitled to withdraw his/her consent. The personal information processor shall provide a convenient method for the individual to withdraw his/her consent." The PIPL thus lays down a principle of convenience. Although it does not elaborate on what "convenient" means, it is generally understood that withdrawing consent should be no more difficult than giving it.
That is, by the common understanding of convenience in doing business on the internet, the "withdraw" button should be placed in a prominent position on the page, or in the same easy-to-find position as the "Personal Information Protection Policy" (or privacy policy), and a "withdraw consent" checkbox should be offered item by item for each permission granted.

v. Processing of minors' information classified as sensitive information processing

Article 31 of the PIPL treats the personal information of minors under the age of 14 as sensitive personal information and requires personal information processors to formulate special rules for processing it. This provision is in line with the Provisions on the Cyber Protection of Children's Personal Information and raises that requirement to the level of a law. At the same time, it makes clear that all personal information involving children (i.e. minors under the age of 14) is to be protected to the standard for sensitive personal information, which reflects the importance the law attaches to protecting children's personal information.

vi. Exceptions to notification and consent

The Civil Code expressly provides for exceptions ("except as otherwise provided by laws and administrative regulations"), which reflects the duty of disclosure and the precondition of obtaining consent before processing while leaving some room for exceptions. At present, at the level of laws and administrative regulations, exceptions are scattered across different provisions. Article 13 of the PIPL includes six exceptions: contractual necessity, the handling of human resource matters, statutory duties, emergencies, the reasonable processing of public information, and reporting and supervision in the public interest.
In addition, there is another exception in the PIPL: under Article 26, image collection and personal identification equipment in public places do not require individual consent if conspicuous signs are posted and the collected personal images and identification information are used only for the purpose of maintaining public security. Use for any other purpose requires the individual's separate consent.

IV. Individual rights are more clearly defined

Before the promulgation of the PIPL, the Cybersecurity Law and the Law of the People's Republic of China on the Protection of Consumer Rights and Interests both made provisions on individuals' rights relating to personal information. Centred on the "notice and consent" principle, they stipulate that the personal information subject has the right to know and to consent, and the right not to have personal information collected and used without consent. Information Security Technology — Personal Information Security Specification stipulates the rights of access, correction, supplementation, deletion, withdrawal of authorization and consent, response, and so on. In addition to the above, Articles 44 to 50 of the PIPL define individuals' rights in personal information processing activities more clearly. Important new content worth noting is as follows:

i. Right to portability of personal information

The PIPL stipulates the portability of personal information. That is, where an individual requests that his or her personal information be transferred to a personal information processor designated by him or her, and the request meets the conditions laid down by the national cyberspace department for such transfers, the personal information processor shall provide a means of transfer.
For a long time, internet platforms have regarded users' personal information as an important property interest of their own and, apart from deleting personal information on request, have generally not assisted or cooperated in transferring it to other personal information processors. The PIPL's provisions on portability are conducive to individuals' free disposal of their personal information and facilitate cross-platform transfer of information.

ii. Rules for the protection of the personal information of the deceased

Article 49 of the PIPL stipulates that "where a natural person dies, his/her close relatives may, for the purpose of their own lawful and legitimate interests, exercise such rights as consulting, copying, correcting and deleting the relevant personal information of the deceased as prescribed in this Chapter, unless otherwise arranged by the deceased prior to his/her death." Balancing the rights and interests of close relatives against the will of the deceased, the PIPL allows close relatives to access, copy, correct and delete the personal information of the deceased within a limited scope. This approach is consistent with the character of personal information as a personality right.

V. Responsibilities of the personal information processor

In order to safeguard national interests and individual rights, the PIPL sets out the responsibilities of processors through processing rules and special obligations.
Chapter V of the PIPL sets out the general obligations of personal information processors, such as: (a) taking necessary measures to protect the security of personal information; (b) designating a person in charge where a large volume of personal information is processed; (c) designating a representative for overseas personal information processors; (d) regular audits; (e) personal information protection impact assessments and record-keeping; and (f) remedial measures and notification in the event of leakage incidents. This article focuses on the main highlights of the PIPL.

i. Designated person in charge

The PIPL establishes a "person in charge of personal information protection" for personal information processors above a certain processing volume, and a "special institution or designated representative" for overseas personal information processors. Article 52 stipulates: "Where the quantity of personal information processed reaches that specified by the CAC, the personal information processor shall designate a person in charge of personal information protection to be responsible for supervising the activities of processing of personal information and the adopted protection measures. The personal information processor shall make public the contact information of the person in charge of personal information protection and submit the name and contact information of the person in charge of personal information protection to the authorities performing duties of personal information protection." Article 53 provides that "personal information processors outside the territory of the People's Republic of China shall establish a special agency or designate a representative within the territory of the People's Republic of China to be responsible for handling matters relating to personal information protection, and submit the name and contact information of the relevant agency or the representative to the authorities performing duties of personal information protection."

ii. Specific obligations of important internet platforms

Article 58 of the PIPL stipulates that a personal information processor that provides important internet platform services, has a large number of users and operates complex types of business shall perform the following obligations:

a) Establish a sound personal information compliance system in accordance with national provisions. The platform must establish and improve a compliance system for personal information protection, which raises the construction of a "compliance" system to the level of a legal requirement. This provision is new in the PIPL and reflects the legislature's hope that enterprises will reduce the legal risk of processing personal information and raise their level of data governance through their own compliance building.

b) Set up an independent body mainly composed of external members to supervise personal information protection. This strengthens the role of external supervision. Because such processors provide important internet platform services, have a huge number of users and operate complex business types, the personal information they hold is of great utilization value, and whether the enterprise's internal control and data compliance systems are actually implemented needs to be supervised by external parties.
c) Supervision responsibilities of the platform. The clause stipulates: "ceasing to provide services to product or service providers on the platform that process personal information in serious violation of laws and administrative regulations". This is similar to the supervisory responsibility of e-commerce platform operators under the E-commerce Law for product quality, intellectual property rights and consumer protection among operators on the platform.

d) Social responsibility reports. The article also provides that the platform shall regularly publish social responsibility reports on personal information protection for public supervision. Under this principle, personal information processing is not merely a relationship between the platform and the personal information subject, but also an embodiment of the platform's social responsibility.

iii. Personal information protection impact assessment

Article 55 stipulates that, in any of the following circumstances, a personal information processor shall conduct a personal information protection impact assessment beforehand and keep a record of the processing: (I) processing sensitive personal information; (II) using personal information for automated decision-making; (III) entrusting others to process personal information, providing personal information to other personal information processors, or disclosing personal information; (IV) providing personal information to overseas parties; or (V) other personal information processing activities that have a significant impact on individuals' rights and interests.

VI. Cross-border transfer

The PIPL no longer makes a security assessment a necessary prerequisite, but stipulates four conditions in Article 38, at least one of which must be met: (I) passing the security assessment organized by the CAC in accordance with Article 40; (II) being certified for personal information protection by a specialized agency in accordance with the provisions of the CAC; (III) entering into a contract with the overseas recipient under the standard contract formulated by the CAC, specifying the rights and obligations of both parties; or (IV) meeting other conditions prescribed by laws, administrative regulations or the CAC.

VII. Highlighting the role of third-party institutions

Article 64 of the PIPL stipulates: "Where authorities performing duties of personal information protection find in their performance of such duties that there are high risks in personal information processing activities or personal information security incidents have occurred, they may, according to prescribed authority and procedures, have an interview with the legal representative or person chiefly in charge of the personal information processor concerned, or require such processor to entrust a specialized agency to conduct a compliance audit on its personal information processing activities. The personal information processor shall take measures to make rectification and eliminate hidden dangers as required." Under this provision, entrusting a professional institution to conduct a compliance audit of personal information processing activities is a remedial measure that enterprises and other institutions can take when facing risks or information security incidents.
For problems found in the compliance audit, the personal information processor shall take measures to rectify them and eliminate the hidden dangers as required.

VIII. Legal liability

Compared with earlier legislation, the PIPL greatly increases both the variety and the severity of penalties. Article 66 is particularly representative. It sets out three types of penalty for those who process personal information illegally or fail to perform the personal information protection obligations stipulated in the PIPL:

i. Suspension or termination of services. Where personal information is processed in violation of the PIPL, or processed without performing the personal information protection obligations stipulated in the PIPL, the authorities performing duties of personal information protection shall order the suspension or termination of the provision of services by the applications that illegally process personal information.

ii. Heavy fines. For an illegal act with serious circumstances, the authorities performing duties of personal information protection shall confiscate the illegal gains and impose a fine of not more than 50 million yuan or not more than 5% of the processor's turnover of the previous year, and may also order it to suspend the relevant business or suspend business for rectification, and notify the relevant competent authorities to revoke the relevant business permit or business license.

iii. Market ban. A decision may be made to prohibit the person directly in charge and other directly liable persons from serving as director, supervisor, senior executive or person in charge of personal information protection of the relevant enterprises for a certain period of time.
Summary

The PIPL will undoubtedly have a profound impact on personal information processing in the internet and information technology industries and in other industries that handle personal information. While protecting personal information, it also brings new opportunities and challenges to enterprises. Hence, an enterprise's capability for personal information protection and governance will become an important element of its competitiveness.