China implemented the Personal Information Protection Law (China PIPL) in November 2021. Since then, it has had a huge effect on businesses both locally and internationally. This is due to the strict data protection requirements PIPL imposes: obtaining permission to process data, limiting data use, deleting data, implementing strong data security measures, and meeting conditions for international data transfers. These rules resemble the GDPR in the EU, but are stricter.
In order to stay compliant with PIPL and keep their business running smoothly, organizations dealing with Chinese residents' data must comply with the law as soon as possible. This article gathers the most important parts of the law's 8 chapters and 74 articles, which set out the obligations that apply when handling data, covering the collection, storage, use, processing, transmission, provision, disclosure, and deletion of personal information.
Chapter 1: General Provisions
This chapter is based on the Constitution and is designed to safeguard personal information rights and regulate their handling.
- Articles 1 to 12: The law ensures legal protection against infringement of personal information rights and extends its application to data handling both within China and in specific international contexts affecting Chinese nationals. Personal information (PII) is broadly defined to include all identifiable data but excludes anonymized information. The law mandates strict handling practices, emphasizing legality, propriety, necessity, and sincerity while prohibiting misleading or coercive methods.
It requires that data collection and handling have a minimal, clear purpose and be transparent to individuals involved. Handlers must maintain high data quality to prevent adverse effects on individual rights and are held accountable for ensuring data security. This chapter prohibits illegal activities such as unauthorized collection, use, and disclosure of personal information.
Chapter 2: Personal Information Handling Rules
This chapter is divided into three sections, each addressing different aspects of personal information management.
Section 1: Ordinary Provisions
This section includes 15 articles covering the general rules for handling personal information.
- Articles 13 to 27: These articles detail the conditions under which personal information may be handled, emphasizing the necessity of individual consent and the circumstances under which it is not required. They address consent requirements, the right to withdraw consent, and conditions under which providers cannot refuse service if consent is denied or rescinded. They also specify the obligations of personal information handlers to inform individuals about how their information is handled, including the obligation to delete personal information if the handling contract is void, has been canceled, terminated, or does not take effect, ensuring that personal information is not retained unnecessarily. Furthermore, they outline the responsibilities when transferring personal information due to corporate changes.
Section 2: Regulations for Handling Sensitive Personal Information
This section comprises 5 articles, focusing specifically on the handling of sensitive personal information.
- Articles 28 to 32: These articles define sensitive personal information and set stringent conditions for its handling, emphasizing the necessity of protecting such information due to its potential to cause significant harm if misused or disclosed. They require explicit, informed consent for handling sensitive information, additional notifications about the handling purposes and potential impacts on individuals, and strict adherence to legal provisions for handling such information. Special rules are mandated for handling the personal information of minors under 14, including obtaining consent from a parent or guardian and creating specialized handling rules.
Section 3: Special Provisions on the Handling of Personal Information by State Authorities
This section outlines the specific obligations and procedures for state organs when handling personal information, consisting of 5 articles.
- Articles 33 to 37: These articles establish that while general laws on personal information apply to state organs, specific provisions in this section take precedence when they are more specific. They require state organs to handle personal information strictly within the bounds of legal powers and necessary procedures. Additionally, state organs must store personal information within the national territory unless truly necessary to transfer it abroad, in which case a security assessment is required. Furthermore, the provisions extend to organizations authorized by laws to manage public affairs, ensuring they also follow these stringent standards.
Chapter 3: Rules on the Cross-Border Provision of Personal Information
This chapter governs the transfer of personal information outside the People's Republic of China and contains six articles focused on ensuring stringent compliance and security measures, including permanent data deletion.
- Articles 38 to 43: The regulations mandate that any cross-border data transfer must meet specific criteria, including passing security assessments, obtaining certifications, or following standardized contracts. Information handlers are required to clearly inform individuals about where and how their data will be processed and to obtain their explicit consent. Critical data must be stored domestically unless a rigorous security evaluation allows for international transfer and data that is no longer needed must be securely deleted. Furthermore, any transfer requests by foreign law enforcement must comply with Chinese laws and international agreements, ensuring no data is shared without proper authorization. The chapter also allows for protective measures against foreign entities that misuse Chinese citizens' data or pose threats to national security, with provisions for reciprocal actions if international data protection practices are discriminatory against China. These combined measures enforce a robust framework for secure and compliant international data handling.
Chapter 4: Individuals’ Rights in Personal Information Handling Activities
This chapter outlines the rights of individuals in managing their personal information across seven articles. These rights include the right to deletion of personal information, the right to access, and the right to withdraw consent.
- Articles 44 to 50: Individuals have extensive rights regarding their personal data, including the rights to access, control, and refuse processing, except where law dictates otherwise. They can request corrections, copies, or the transfer of their data to a designated handler under specific conditions. Critically, individuals can demand the deletion of their data when the purpose of its use is fulfilled, consent is withdrawn, or if the data was handled improperly. They also have the right to understand how their data is processed and can challenge rejections of their requests through legal channels, ensuring transparency and accountability in data handling practices.
Chapter 5: Personal Information Handlers' Duties
This chapter outlines the duties of personal information handlers in ensuring data protection and legal compliance.
- Articles 51 to 59: Personal information handlers must implement effective security measures, appoint data protection officers (DPOs), and, if operating internationally, designate a local representative. Data Protection Officers are required to conduct impact assessments for activities involving sensitive data or international transfers, maintaining reports for three years.
In case of a data breach, immediate remedial actions and notifications are mandatory unless preventive measures adequately mitigate potential harm. Large internet platforms face additional responsibilities, including forming oversight bodies and issuing transparency reports.
Entrusted handlers are also obliged to uphold data security and assist in legal compliance, ensuring comprehensive data protection.
Chapter 6: Departments Fulfilling Personal Information Protection Duties and Responsibilities
This chapter delineates the roles and responsibilities of various government bodies in managing and safeguarding personal information.
- Articles 60 to 65: The State cybersecurity and informatization department leads personal information protection, planning, and supervision. State Council departments and local governments also have roles. These departments educate on data protection, handle complaints, publish evaluation results, and investigate unlawful activities. They create rules and standards, support secure identity technologies, and improve complaint mechanisms. They can interview and inspect companies, ensuring cooperation. If risks or incidents occur, they can mandate audits and corrective actions. Complaints about unlawful data handling can be filed by anyone, and departments must address them promptly, publishing contact methods for such complaints.
Chapter 7: Legal Liability (for non-compliance with China PIPL)
The China PIPL sets forth a range of penalties for breaches in personal information handling, emphasizing both correction and deterrence.
- Articles 66 to 71: Here’s what happens when these laws are broken:
- For minor violations, authorities can order corrections, seize illegally earned profits, and potentially halt services. Fines can reach up to RMB 1 million ($140,000 approx.), with individuals directly responsible facing fines between 10,000 and 100,000 Yuan.
- For serious breaches, penalties escalate dramatically, with fines up to RMB 50 million ($7 million approx.) or 5% of the handler's annual revenue of the previous year. Businesses may be forced to pause operations or undergo a full re-evaluation, and the responsible individuals could be banned from executive roles.
Further legal liability includes:
- Public records: Unlawful acts are recorded in credit files and publicized.
- State organ accountability: If state organs fail in their protection duties, corrections are mandated, and responsible individuals are sanctioned.
- Liability for harm: If personal information misuse results in harm, the responsible handlers must compensate unless they can prove no fault.
- Class actions: Procuratorates, consumer organizations, and designated bodies can file lawsuits on behalf of affected individuals.
- Criminal liability: For violations that constitute crimes, appropriate legal actions are pursued.
Chapter 8: Supplementary Provisions
This chapter contains the definitions of key terms used in this law. It also states the circumstances in which the law does not apply.
- Articles 72 to 74: These articles define the scope of the law, excluding personal and family use, and outline terms like personal information handler, automated decision-making, de-identification, and anonymization, specifying their meanings and applications.
Ensuring compliance with China PIPL
Compliance with the China Personal Information Protection Law is critical for businesses. To avoid severe penalties, companies processing Chinese citizens’ data must secure explicit consent for data processing, appoint a dedicated Data Protection Officer (DPO), and follow the strict rules for cross-border data handling. China PIPL also binds companies to implement strong data security measures and to delete personal data once its purpose is fulfilled or consent is withdrawn. Non-compliance can result in hefty fines of up to 50 million Yuan or 5% of annual revenue. Secure deletion of Chinese personal data is therefore essential for compliance with these regulations. BitRaser Data Eraser is an ideal choice for businesses that need to perform secure and permanent data wiping, whether onsite, offsite, or remotely. BitRaser's tamper-proof erasure reports and certificates serve as audit trails and help demonstrate compliance with China PIPL.