Thu. Mar 28th, 2024

Content Assessment: Hello from the Mainland? China's Personal Information Protection Law Goes Into Effect

Information - 95%
Insight - 90%
Relevance - 95%
Objectivity - 90%
Authority - 95%

93%

Excellent

A short percentage-based assessment of the qualitative benefit of the post by the PCPD highlighting China's Personal Information Protection Law.

Editor’s Note: From time to time, ComplexDiscovery highlights publicly available or privately purchasable announcements, content updates, and research from cyber, data, and legal discovery providers, research organizations, and ComplexDiscovery community members. While ComplexDiscovery regularly highlights this information, it does not assume any responsibility for content assertions.

To submit recommendations for consideration and inclusion in ComplexDiscovery’s cyber, data, and legal discovery-centric service, product, or research announcements, contact us today.


An Overview of China’s Personal Information Protection Law*

Background Note: The Office of the Privacy Commissioner for Personal Data (PCPD) is an independent body based in Hong Kong and set up to oversee the implementation of and compliance with the provisions of the Personal Data (Privacy) Ordinance (Chapter 486 of the Laws of Hong Kong) (the Ordinance). The PCPD strives to ensure the protection of the privacy of individuals in relation to personal data through monitoring and supervising compliance with the Ordinance, enforcing its provisions, and promoting the culture of protecting and respecting personal data. Provided below is an overview of China’s Personal Information Protection Law that becomes effective from November 1, 2021, as shared by the PDCD.

Personal Information Protection Law of the Mainland (China)

Introduction

The Personal Information Protection Law, the first piece of legislation in the Mainland dedicated to the protection of personal information, was passed by the Standing Committee of the National People’s Congress on 20 August 2021 and will be effective from 1 November 2021.

The Personal Information Protection Law establishes individuals’ consents as the principal legal basis for processing personal information. It requires that the processing of personal information shall abide by the principles of legality, fairness, good faith, minimum necessity, openness, and transparency. There shall also be specific and reasonable purposes of processing.

Individuals shall have the right to access and obtain a copy of their personal information from the processors of personal information (similar to data users under the Personal Data (Privacy) Ordinance of Hong Kong). Individuals can also request the processors of personal information to rectify or delete their personal information, as well as to provide them with means to transfer their personal information to other processors.

When processing personal information of a minor under the age of 14, processors of personal information shall obtain the consent of the minor’s parent or guardian, and establish specific processing rules.

The Personal Information Protection Law prohibits the use of automated decision-making based on personal information if it leads to discriminatory trade practices such as unreasonable price discrimination against individuals. In addition, when automated decision-making is used for push notification or marketing, individuals shall be provided with an option for not receiving personalized information or convenient opt-out channels.

Processors of personal information which need to transfer personal information out of the Mainland shall obtain separate consent from individuals, and meet certain requirements, such as passing the security assessment made by the state cyberspace authorities, obtaining the required certification, or entering into a standard contract as prescribed by the state cyberspace authorities.

The Personal Information Protection Law contains provisions on extraterritorial application. Foreign organizations which process personal information of individuals in the Mainland for the purposes of offering products or services to them, or analyzing and assessing their behaviors, shall be subject to this law. These foreign organizations shall also establish designated agencies or appoint representatives in the Mainland.

The state cyberspace authorities shall be responsible for coordinating the protection of personal information and the relevant regulatory work. Ministries of the State Council shall be responsible for the protection of personal information and regulatory work within their purview.

A processor of personal information which contravenes the requirements under the Personal Information Protection Law is liable to a maximum fine of RMB 50,000,000 [Editor’s Note: Renminbi is the official currency of the People’s Republic of China. RMB 50,000,000 is approximately $7.8 Million US Dollars] or 5% of its annual turnover of the preceding year. Other penalties may include suspension of operation for rectification, cancellation of business permits or licenses, etc.

The full text of the Personal Information Protection Law (in Chinese only) is available on the website of the National People’s Congress.

Below are highlights of the Personal Information Protection Law.


1. Legislative Purpose To protect the rights and interests in relation to personal information, regulate processing activities of personal information, and facilitate the rational use of personal information.
2. Targets to be Regulated The Personal Information Protection Law regulates personal information processing activities in the Mainland, including the processing activities carried out by state organs.

A processor of personal information refers to any organization or individual that is able to make its own decision on the purpose, means of processing, and other matters relating to the processing of personal information.

3. Extra-territorial Application Foreign organizations carrying out personal information processing activities in foreign countries for the purpose of, among others, offering products or services to natural persons in the Mainland, or analyzing and assessing the behaviors of natural persons in the Mainland shall be subject to the Personal Information Protection Law.

Foreign processors of personal information that are subject to the requirements under Article 3(2) of the Personal Information Protection Law shall establish designated agencies or appoint representatives in the Mainland. These agencies or representatives shall be responsible for matters relating to the protection of personal information.

4. Definition of Personal Information Personal information refers to all kinds of information, recorded electronically or in other forms, that relates to identified or identifiable natural persons, excluding anonymized information.
5. Sensitive Personal Information Sensitive personal information refers to personal information that, if leaked or used illegally, may easily cause harm to the dignity of natural persons, or serious damage to the safety of individuals and properties, including information relating to biometric identification, religious beliefs, specific identities, healthcare, financial account, individual location tracking, etc., as well as personal information of minors under the age of 14.

Processors of personal information shall only process sensitive personal information if there is a specific purpose and a sufficient necessity, and when stringent protective measures are in place.

Separate consent shall be obtained from individuals when processing sensitive personal information, unless otherwise specified by other laws and regulations.

Any installation of image collection and personal identity recognition facilities in public premises shall be for the purpose and necessity of ensuring public security. Signages shall be prominently displayed. Information of personal images and personal identification collected shall only be used for the purpose of ensuring public security, and shall not be used for other purposes, unless separate consent from individuals has been obtained.

Prior to processing sensitive personal information, processors of personal information shall carry out personal information protection impact assessments. The relevant reports and records shall be retained for at least three years.

6. Transparency When processing personal information, the principles of openness and transparency shall be adhered to. The rules on personal information processing shall be publicized, and the purposes, means and scope of processing shall be made available explicitly.

Processors of personal information shall, before processing personal information, inform individuals prominently using comprehensible language and in a truthful, accurate and complete manner: (1) their names and contact information; (2) processing purposes, means of processing, categories of personal information processed, and the retention period; and (3) methods and procedures for individuals to exercise their rights, etc.

If processors of personal information provide individuals with the above information by setting up personal information processing rules, they shall publicize the rules and ensure that the rules can be easily accessible and retained.

If processors of personal information need to transfer personal information due to mergers, divisions, dissolutions or bankruptcies, they shall inform individuals of the recipients’ names and contact information.

7. Collection, Use and Disclosure, etc. The processing of personal information refers to collection, retention, use, handling, transmission, provision, disclosure, and erasure etc. of personal information.

Processing of personal information shall abide by the principles of legality, good faith, necessity and integrity. It shall not be conducted by means that are fraudulent, misleading, or coercive, etc.

When processing personal information, there shall be a specific and reasonable purpose. Processing of personal information shall be directly related to the purpose, and the impact on individuals’ rights and interests shall be kept to a minimum. Collection of personal information shall be minimized and shall not be excessive in relation to the purpose of processing.

Processors of personal information shall only process personal information under the situations prescribed in the Personal Information Protection Law, including (1) when individuals’ consents have been obtained; (2) for performance of a contract, or carrying out human resources management; (3) for fulfilling legal duties/obligations; (4) for news reporting in the public interest; and (5) when the personal information concerned has been disclosed publicly by individuals themselves or otherwise legally disclosed, and the processing is within a reasonable scope.

When processing personal information of minors under the age of 14, processors of personal information shall establish specific personal information processing rules.

Organizations and individuals shall be prohibited from illegally collecting, using, processing, transferring, trading, providing or publicizing personal information of other individuals, and shall not carry out personal information processing activities which endanger national security and public interests.

8. Consent An individual’s consent refers to consent which is given voluntarily and unambiguously by the individual who has been fully informed. Where the laws and regulations require separate or written consent for processing personal information, such requirement shall be complied with. Obtaining individuals’ consents is one of the legal bases for processing personal information.

When there is any change to the processing purpose, means of processing and categories of personal information, consent shall be obtained again.

If the processing of publicly disclosed personal information has serious impact on the rights and interests of individuals, the individuals’ consents shall be obtained.

Processors of personal information shall obtain separate consents from individuals in the following situations: when

  • providing personal information to other processors of personal information;
  • publicizing personal information;
  • processing sensitive personal information;
  • personal images and identification information collected in public venues are used for purposes other than public security; and
  • transferring personal information out of the Mainland.

When processing personal information belonging to a minor under the age of 14, processors of personal information shall obtain the consent of his or her parent or guardian.

Processors of personal information shall not deny offering products or services on the ground that individuals refuse to give consent or withdraw their consent to the processing of their personal data.

9. Security Processors of personal information shall be accountable for their personal information processing activities, and implement necessary measures to ensure the security of the personal information that they process.

Processors of personal information which engage third parties to process personal information shall enter into a contract with the third parties to specify the purposes, duration and means of processing, categories of personal information and protection measures involved, as well as the rights and obligations of both parties, etc. The processors shall supervise the processing activities carried out by the third parties.

Parties engaged to process personal information shall implement necessary measures to safeguard the security of the personal information processed.

10. Retention Period The retention period of personal information shall be the shortest time necessary for fulfilling the purpose of processing.

Processors of personal information shall, whether on its own volition or upon the request of individuals, erase the personal information under the situations prescribed in the Personal Information Protection Law, such as when (1) the retention period has come to an end, (2) the purpose of processing has been fulfilled, cannot be fulfilled or the personal information is no longer necessary for fulfilling the purpose, (3) the consent of the individual has been withdrawn, or (4) the processors of personal information have ceased providing products or services.

11. Accuracy When processing personal information, the quality of the personal information shall be guaranteed in order to avoid any adverse impact on individuals’ rights and interests caused by inaccurate or incomplete personal information.
12. Accountability and Governance Having regard to the purposes, means of processing, categories of personal information, the impact on individuals’ rights and interests, and potential security risk, etc., processors of personal information shall implement measures to ensure that their personal information processing activities comply with the laws and regulations, and to prevent any unauthorized access to, leakage, distortion or loss of the personal information. These measures include: (1) establishing internal management systems and operating procedures; (2) managing personal information by category; and (3) employing security and technological measures such as encryption and de-identification, etc.

Processors of personal information shall appoint a personal information protection officer if the quantity of personal information that they process reaches the threshold set by the state cyberspace authorities. The personal information protection officer shall be responsible for supervising the personal information processing activities and the implementation of protective measures.

Processors of personal information shall regularly conduct compliance audit of their personal information processing to ensure that these activities adhere to the laws and regulations.

Personal information protection impact assessments shall be conducted by processors of personal information prior to the following situations: (1) processing sensitive personal information; (2) conducting automated decision-making; (3) engaging other parties to process personal information, and providing other processors of personal information with or publicizing personal information; (4) transferring personal information out of the Mainland; or (5) carrying out processing activities which have serious impact on the rights and interests of individuals. Relevant reports and records shall be retained for at least three years.

13. Obligations of Internet Platforms Processors of personal information who provide important internet platform services, have a large number of users and operate with complex business models should fulfill specific obligations, including (1) establishment and improvement of compliance systems for personal information protection and establishment of independent bodies comprising of mainly external members to supervise their personal information processing activities; (2) abiding the principles of transparency, fairness and impartiality, establishment of rules of platforms, specifying practices and obligations of personal information processing for platforms’ products and service providers; (3) suspension of service to products or service providers which seriously violates the laws and regulations when processing personal information; and (4) publication of social responsibility reports on personal information protection on a regular basis and accepting supervision by the public.
14. Breach Notification In the event of leakage of, tampering with, or loss of personal information, or when such events may have occurred, processors of personal information shall take remedial actions immediately, and notify personal information protection authorities as well as individuals. The notification shall include (1) categories of personal information involved, causes of the incidents and potential harm; and (2) remedial measures taken by the processors of personal information and mitigation measures that individuals may take, etc.

If processors of personal information consider that the measures taken can prevent any harm arising from the leakage of, tampering with, or loss of information, they may choose not to notify individuals. However, if personal information protection authorities consider that the personal information leakage may cause harm to individuals, they may require the processors of personal information to notify the individuals.

15. Cross-border Data Transfer Processors of personal information who need to transfer personal information out of the Mainland shall first carry out personal information protection impact assessments. Processors of personal information shall also obtain separate consent from individuals and meet one of the following requirements:

  • passing the security assessment conducted by the state cyberspace authorities;
  • obtaining certification in relation to personal information protection from professional institutions according to the regulations of the state cyberspace authorities;
  • entering into a standard contract as prescribed by the state cyberspace authorities with the overseas receiving parties to stipulate the rights and obligations of both parties;
  • fulfilling the requirements stipulated in other laws or regulations, or in the rules set by the state cyberspace authorities.

If the international treaties and agreements that the People’s Republic of China has concluded or acceded to contain provisions on the requirements of transferring personal information out of the Mainland, those requirements shall be complied with.

Processors of personal information shall carry out necessary measures to ensure that the personal information processing activities undertaken by the foreign receiving parties meet the personal information protection standard prescribed by the Personal Information Protection Law.

In addition, processors of personal information shall inform individuals of the names of the foreign receiving parties, their contact information, processing purposes, means of processing, categories of personal information involved, the ways and procedures individuals can enforce their rights under the Personal Information Protection Law, etc. Processors of personal information shall also obtain separate consent from individuals for the transfer of personal information.

Operators of critical information infrastructure and processors of personal information by which the quantity of personal information processed reaches the threshold set by the state cyberspace authorities shall store the personal information collected and generated in the Mainland locally. If it is necessary to transfer the personal information overseas, they shall pass the security assessment conducted by the state cyberspace authorities, unless other laws, regulations or rules set by the state cyberspace authorities exempt them from undertaking the security assessment.

16. Personalised and Automated Decision-Making Automated decision-making refers to the use of computer programs to automatically analyze, assess and make decisions about the behaviors, habits, interests, hobbies as well as financial, health and credit conditions of individuals.

Processors of personal information using personal information in automated decision-making shall ensure that the decision-making processes are transparent, and the results are fair and impartial. There shall not be any unreasonable price discrimination against individuals.

If the automated decisions cause significant impact on individuals’ rights and interests, the individuals shall have the right to request the processors of personal information to provide explanation, and object to the decisions made solely by automated process.

When automated decision-making is used for push notification and marketing, individuals shall be provided with an option for not receiving personalized information or convenient opt-out channels.

Prior to implementing automated decision-making, processors of personal information shall conduct personal information protection impact assessments and retain the relevant reports and records for at least three years.

17. Data Access and Correction Individuals shall have the right to access and obtain a copy of their personal information from processors of personal information, and processors of personal information shall respond timely.

If individuals discover that their personal information is inaccurate or incomplete, they shall have the right to request the processors of personal information to correct and supplement.

Processors of personal information shall establish a convenient mechanism for accepting and processing the requests made by individuals. They shall provide individuals with reasons when denying their requests. Individuals may institute legal proceedings in the courts against the processors of personal information that deny their requests.

18. Personal Information Portability If individuals request processors of personal information to transfer their personal information to their designated processors of personal information, and the requests fulfill the conditions stipulated by the state cyberspace authorities, processors of personal data shall provide the means for transfer.
19. Right to Erasure, Restrict or Refuse Personal Information Processing Processors of personal information shall, on their own volition or upon receiving requests from individuals, erase personal information under one of the following situations:

  • the purpose of processing has been fulfilled, cannot be fulfilled or the personal information is no longer necessary for fulfilling the purpose of processing;
  • processors of personal information have ceased providing products or services;
  • the retention period has come to an end;
  • individuals have withdrawn their consent;
  • processors of personal information have violated the laws, regulations or agreements when processing personal information;
  • other situations provided by the laws or regulations.

If erasure of personal information is technically infeasible, processors of personal information shall cease processing the personal information, except for processing which is necessary for the storage and security of the personal information.

Individuals shall have the right to restrict or refuse the processing of their personal information by others, except when the laws or regulations stipulate otherwise.

Close relatives of deceased natural persons may, for their own lawful and proper interests, exercise the rights in respect of the personal information of the deceased, such as accessing, obtaining a copy of, rectifying and erasing the information.

20. Enforcement Authorities The state cyberspace authorities shall be responsible for coordinating the protection of personal information and the relevant regulatory work. Ministries of the State Council shall be responsible for the protection of personal information and regulatory work within their purview of duties.

The above authorities shall generally be referred to as personal information protection authorities.

Personal information protection authorities shall refer illegal personal information processing activities that come to their attention while carrying out their duties to public security authorities if the activities may constitute criminal offences.

21. Penalty In the event that the processing of personal information violates the requirements in the Personal Information Protection Law, personal information protection authorities may issue an order for rectification, issue warnings and confiscate any unlawful income. Those refusing to rectify shall be liable to a fine up to RMB 1,000,000. The person in-charge who is directly responsible and other personnel who bear direct responsibility shall be liable to a fine between RMB 10,000 and RMB 100,000.

For cases of serious nature, personal information protection authorities above the provincial level may issue an order of rectification, confiscate any unlawful income, and impose a fine up to RMB 50,000,000 or 5% of annual turnover for the previous year. The personal information protection authorities may also issue an order of suspension of business or operation for rectification, notify authorities in-charge for cancellation of business permits or licenses. The person in-charge who is directly responsible for and other personnel who bear direct responsibility shall be liable to a fine between RMB 100,000 and RMB 1,000,000, and may be barred from serving as directors, supervisors, senior officers and personal information protection officers in corporations within a certain period of time.

If the violation of the Personal Information Protection Law amounts to public security offenses, such act shall be liable to public security penalties. If it amounts to criminal offenses, it shall be liable for criminal liabilities.

Contraventions of the requirements under the Personal Information Protection Law may be entered into credit files and publicized.

22. Civil Compensation If the processing of personal information infringes individuals’ personal information rights and interests and causes harm, and the processors of personal information cannot prove that they are not at fault, the processors of personal information shall be liable for damages and other civil liabilities. The damages shall be determined on the basis of any loss suffered by the individual or any profit gained by the personal information processor. If the loss and profit are difficult to be ascertained, the amount of the damages shall be decided on the actual circumstances.

If processors of personal information violate the requirements under the Personal Information Protection Law when processing personal information and infringe the rights and interests of a mass of individuals, the People’s Procuratorate, organizations endorsed by the state cyberspace authorities, and consumer organizations stipulated by the laws may file a lawsuit with the People’s Court according to the law.

Disclaimer from the Office of the Privacy Commissioner for Personal Data 

The information provided is for general reference only. It does not serve as an exhaustive guide to the application of the Personal Information Protection Law and does not constitute legal or other professional advice. The Privacy Commissioner for Personal Data makes no express or implied warranties of accuracy or fitness for a particular purpose or use with respect to the information set out shared. Organizations and individuals who want to comply with the requirements under the Personal Information Protection Law should seek professional legal advice.

Read the original article.

* Shared with permission under Creative Commons licensing (CC By 4.0).

Additional Reading

Source: ComplexDiscovery

 

Generative Artificial Intelligence and Large Language Model Use

ComplexDiscovery OÜ recognizes the value of GAI and LLM tools in streamlining content creation processes and enhancing the overall quality of its research, writing, and editing efforts. To this end, ComplexDiscovery OÜ regularly employs GAI tools, including ChatGPT, Claude, Midjourney, and DALL-E, to assist, augment, and accelerate the development and publication of both new and revised content in posts and pages published (initiated in late 2022).

ComplexDiscovery also provides a ChatGPT-powered AI article assistant for its users. This feature leverages LLM capabilities to generate relevant and valuable insights related to specific page and post content published on ComplexDiscovery.com. By offering this AI-driven service, ComplexDiscovery OÜ aims to create a more interactive and engaging experience for its users, while highlighting the importance of responsible and ethical use of GAI and LLM technologies.

 

Have a Request?

If you have information or offering requests that you would like to ask us about, please let us know, and we will make our response to you a priority.

ComplexDiscovery OÜ is a highly recognized digital publication focused on providing detailed insights into the fields of cybersecurity, information governance, and eDiscovery. Based in Estonia, a hub for digital innovation, ComplexDiscovery OÜ upholds rigorous standards in journalistic integrity, delivering nuanced analyses of global trends, technology advancements, and the eDiscovery sector. The publication expertly connects intricate legal technology issues with the broader narrative of international business and current events, offering its readership invaluable insights for informed decision-making.

For the latest in law, technology, and business, visit ComplexDiscovery.com.