According to the Financial Times, demand for data protection officers (DPOs) has skyrocketed since China’s Personal Information Protection Law (PIPL) came into force on 1 November 2021. The PIPL is China’s first comprehensive data protection legislation and is based on the constitution.

The law is designed to “protect personal information rights and interests, regulate the processing of personal information, and promote the reasonable use of personal information” (Article 1). Together with the Cybersecurity Law and the Data Security Law, the PIPL forms part of the overarching data protection and cybersecurity regime in China.

Under Article 3, the PIPL applies to “the processing of the personal information of natural persons within [Chinese] territory” and to processing outside Chinese territory in “any of the following circumstances”:

  • where the purpose is to provide products or services to domestic natural persons;
  • where the purpose is to analyse and evaluate the activities of domestic natural persons; and
  • other circumstances provided by laws and administrative regulations.

Personal information is defined as “various kinds of information related to identified or identifiable natural persons recorded by electronic or other means, excluding the information processed anonymously” (Article 4).

Under Article 13, the PIPL includes seven legal bases for processing personal information:

  • where the consent of the individual concerned is obtained;
  • where it is necessary for the conclusion or performance of a contract to which the individual concerned is a party, or to implement human resources management;
  • where it is necessary for the performance of statutory duties or statutory obligations;
  • where it is necessary for coping with public health emergencies or for the protection of the life, health, and property safety of a natural person;
  • where such acts as news reporting and supervision by public opinions are carried out for the public interest, and the processing of personal information is within a reasonable scope;
  • where the personal information disclosed by individuals themselves or other legally disclosed personal information is processed within a reasonable scope in accordance with the provisions of this Law; and
  • other circumstances provided by laws and administrative regulations.

Unlike the GDPR, legitimate interest is not a legal basis for processing under the PIPL, but, in common with the GDPR, the PIPL includes rights to access, correction and erasure, among others.

The PIPL requires the appointment of a DPO in certain circumstances: “where the quantity of personal information processed by a processor reaches that specified by the state cyberspace administration, the processor shall designate a person in charge of personal information protection to be responsible for supervising the processing of personal information and the adopted protection measures” (Article 52). However, the threshold for appointing a DPO is not specified in the legislation and has yet to be specified by the Cyberspace Administration of China (CAC), established in 2014 to centralise internet regulation.

Any processor based outside of China must establish a dedicated office or appoint a representative in China “to be responsible for relevant matters of personal information protection” (Article 53).

Breaches of the PIPL could lead to administrative fines of up to RMB 50 million (US$7.8 million) or 5% of annual turnover. Individuals held personally responsible can be liable for fines of up to RMB 1 million (US$156,000). They may also be prohibited from serving as directors, supervisors and senior managers.

The impact of the PIPL is already being felt. Both Yahoo and LinkedIn have withdrawn from China in the past month citing challenging business conditions. In July, CAC sent a team of investigators to conduct a cybersecurity review of taxi-hailing app Didi Chuxing, shortly after its IPO on the New York Stock Exchange. It ordered all Didi apps to be removed from app stores while it conducted its investigation.

Lillian Tsang, Data Protection & Privacy Director at HewardMills said: “The GDPR has started a revolution in data protection laws across the globe, with the PIPL in China being the latest version of a comprehensive data protection law. The provisions of the PIPL appear to be robust and consistent with GDPR in many respects, but much will depend on how the Cyberspace Administration of China enforces the legislation moving forward.”

If you have any questions on the PIPL, or would like to learn more about HewardMills’ services, please send an email to dpo@hewardmills.com.