A Nutshell of China's Personal Information Protection Law
Background:
After two rounds of public consultation on draft versions, the final version of the Personal Information Protection Law (“PI Law") was passed by the Standing Committee of the National People's Congress of China on 20 August 2021 and will come into effect on 1 November 2021. The PI Law, for the first time, provides a comprehensive set of rules on the protection of personal information (“PI"). Compared with the 2nd draft, the final version of the PI Law contains many amendments.
The PI Law, together with the Cyber Security Law (“CS Law") (effective from 1 June 2017) and the Data Security Law (effective from 1 September 2021, hereinafter referred to as the “DS Law"), form the cornerstones of China's equivalent of the “GDPR" (i.e., the General Data Protection Regulation of the European Union).
The PI Law has extraterritorial effect and sets out serious consequences for non-compliance. As long as you “process" (defined below) the PI of Chinese residents, you will need to pay attention to PRC law, regardless of whether your company is based in China or overseas.
This article is to give you a nutshell of the implications of the PI Law and other relevant regulations.
Q1 What is “PI", “PI processing" and “PI processor"?
“PI" means any kind of information related to an identified or identifiable natural person recorded by electronic or other means but excluding anonymized information.[1]
“PI processing" is broadly defined as activities such as collection, storage, use, processing, transmission, provision, disclosure, and deletion of PI.[2] Notably, PI deletion is newly added in the final version of PI Law.
“PI processor" means any organization or individual that independently determines on the purposes and methods of PI processing.[3]
It is worth noting that the PI Law has introduced a new concept of “small-scale PI processor"[4]. Although currently there is no definition of it, in the PI Law[5], we believe there will be different compliance requirements for a “small-scale PI processor" in the future.
Practical Tips:
You should keep an eye on further rules regarding “small-scale PI processor".
Q2 Does the PI Law affect companies operating outside of China?
Yes, the PI Law is applicable to you if you process the PI of residents of China while you are outside China in any of the following circumstances:
(a) for the purpose of providing products or services to natural persons located within China;
(b) for analyzing and/or assessing the conduct of natural persons located within China; or
(c) in any other circumstance provided by PRC laws or administrative regulations.[6]
Practical Tips:
- In practice, this means you will need to comply with the PI Law even if you operate, say, a golf resort/hotel in Australia, as long as you collect PI from Chinese residents as your members.
- If the PI Law applies to you, you will be obliged to set up a dedicated agency or designate a representative within China to take responsibility for PI protection and report its contact details to the relevant PRC authority.[7] The qualification requirements for such an agency or designated representative remain to be clarified by further implementing rules.
Q3 In what circumstances can you process PRC PI?
You can only process PI in any of the following circumstances:
(a) you have obtained the relevant individual’s consent;
(b) it is necessary for concluding or performing a contract to which a natural person is a party or to implement human resources management in accordance with labor rules and regulations as well as collective contracts;
(c) it is necessary to fulfil any statutory duties or obligations;
(d) it is necessary to protect any natural person's life, health and property safety under emergency circumstances or public health emergency events;
(e) you are processing PI within the reasonable scope for conducting news reports, public opinion-based supervision, and other activities for the public interest;
(f) you are processing any PI that has been made public by the relevant individual or by other lawful means within a reasonable scope according to the PI Law; or
(g) in other circumstances provided by laws or administrative regulations.
The relevant individual’s consent is not required under the above circumstances (b) – (g).[8]
Practical Tips:
It is likely that (b) will be relied on by many PI processors. But it remains to be seen how the provisions of (b) will be interpreted by the enforcement authorities in practice.
Q4 How to transfer PRC PI abroad?
(a) General Requirements
Prior to cross-border transfer of PI, you shall:
(i) notify individuals of the overseas recipient’s name and contact information, processing purposes, processing methods, categories of PI, the methods of which individuals may exercise their rights provided in the PI Law, and other relevant matters;[9]
(ii) obtain the individuals’ separate consents (rather than collective consents);[10]
(iii) conduct an impact assessment for cross-border transfer of PI;[11] and
(iv) take necessary measures to ensure that the overseas recipients will be bound by relevant PI protection obligations no less stringent than those contained in the PI Law (a new requirement in the final version of the PI Law).[12]
(b) Above threshold processors
If you are (i) a critical information infrastructure operator (“CIIO"), or (ii) a processor with a processed PI amount reaching or exceeding the quantity threshold specified by the Cyberspace Administration of China (“CAC"), then other than the general requirements, you must also meet all the following conditions before transferring any PI abroad:
(i) store the PRC PI collected in the PRC; and
(ii) pass the security assessment organized by the CAC, unless otherwise provided by laws, regulations, or the CAC.[13]
(c) Below threshold processors
If you are a Non-CIIO processor and the PI you process is below the quantity threshold specified by the CAC, then other than the general requirements, you must also meet one of (rather than all of) the following conditions before transferring any PI abroad:
(i) obtain the PI protection certification from a specialized institution designated by CAC (details of such certification remain to be clarified by further measures);
(ii) conclude a contract with the overseas recipient based on the model contract developed by the CAC, agreeing on both parties’ rights and obligations (the model contract has not yet been made); or
(iii) other conditions provided in laws or administrative regulations or by CAC.[14]
Practical Tips:
- Cross-border transfer of PI is heavily regulated under the PI Law. There are general requirements plus specific requirements for different kinds of PI processors (e.g., CIIO, Non-CIIO). Your cross-border PI transfer plan should be carefully designed around the actual situation of the company and comply with all applicable requirements in the PI Law and other regulations.
- Please note that the requirements for cross-border transfer of PI also apply to PI transfers from mainland China to the Hong Kong SAR, Macao SAR, and Taiwan, as they are deemed separate jurisdictions for the purposes of the PI Law.
Q5 What are the principles for processing PI?
According to the PI Law, you shall comply with the following principles:
(a) Ensure that PI is processed lawfully, properly and in good faith, and only to the extent necessary. You must not use misleading, fraudulent, or coercive means to process PI.[15] The final version of the PI Law added the principle of “necessity".
(b) Process PI for clear and reasonable purposes[16]. This principle requires that PI processing:
i. is conducted in a manner that has minimal impact on personal rights and interests; and
ii. is restricted to the minimum scope required for achieving the processing purpose (i.e., avoiding “over-collection" of PI).
(c) Process PI openly and transparently.[17] You shall disclose the rules for processing PI, and explicitly indicate the purpose, method and scope of PI processing.[18] Individuals have the right to know[19] and the right to decide whether to consent[20].
(d) Ensure the accuracy and completeness of PI.[21] You shall avoid adverse impacts on the rights and interests of individuals caused by inaccurate or incomplete PI.
(e) Take responsibility for your PI processing activities and take necessary measures to ensure security of the PI that you process.[22]
Practical Tips:
You shall strictly adhere to the above principles when processing PI, for example:
- you may need to re-design your website or APP so that the PI processing rules can be easily accessed by users in a prominent place (Openness and Transparency); and
- you may set up different PI processing policies for different business scenarios, and users must be explicitly informed of the PI processing purpose under each scenario. Processing PI that is irrelevant to the stated purpose is prohibited (Clear and Reasonable Purpose).
Q6 What makes a “valid consent"?
Informed consent remains the primary and most commonly used justification for processing PI. The requirements for obtaining a valid consent are as follows:
(a) Notification:
You must truthfully, accurately, and completely notify the following matters in clear and easy-to-understand language before processing PI:
(i) the name and contact information of the PI processor;
(ii) the purposes, methods, categories of the processed PI, and the preservation period (generally, it shall be the shortest period necessary to achieve the processing purpose);
(iii) methods and procedures for individuals to exercise their rights provided in the PI Law; and
(iv) other matters provided by laws or administrative regulations.[23]
(b) Consent:
(i) the consent shall be expressed by individual voluntarily and explicitly on the premise of being fully informed;[24]
(ii) you shall obtain consent from the minor’s parents or other guardians when the minor is under 14 and formulate special rules for processing PI of minors[25] (this could be relevant to network game operators);
(iii) the individual shall have the right to withdraw his/her consent;[26] and
(iv) unless processing of PI is necessary for the provision of products or services, you must not refuse to provide products or services simply because the individual does not consent to the processing of his/her PI or has withdrawn his/her consent.[27]
(c) Separate Consent:
According to the PI Law, you need to obtain “separate consent" from the relevant individual if you:
(i) provide the PI you process to any other PI processor;[28]
(ii) disclose the PI you process to the public;[29]
(iii) use personal image and identification information collected in public space for any purpose other than maintaining public safety;[30]
(iv) process sensitive PI;[31] and
(v) provide PI to any party outside of the PRC.[32]
Practical Tips:
It will be a challenge for companies to comply with this “separate consent" requirement if they deal with a large amount of PI in the above scenarios. The PI Law does not provide specific guidance on what constitutes a “separate consent" or how to obtain one. Based on our previous experience, you should ensure the following:
- The individual must be separately and fully informed of the matters that require “separate consent". For example, if you are a website/APP operator, you may need to set up separate pop-ups to inform users, rather than informing them of all PI rules/policies collectively in a single page/interface.
- Failure to obtain a “separate consent" must not affect or limit that individual's rights in any other respect. If you are an APP operator and you need “separate consent" from a user to allow them to use certain functions of the APP, failure to obtain that consent must not affect the individual's right to use the other functions of your APP.
Q7 What is sensitive PI and what are the special rules for that?
Sensitive PI is any PI that, once leaked or illegally used, can easily result in infringement of personal dignity or harm to the personal or property safety of a natural person, including information such as biometric identification, religious beliefs, specific identities, medical health, financial accounts, whereabouts (location tracking) and other information, as well as the PI of minors under the age of 14.[33]
For example, if you manage a medical and health company that processes any such information, your company will be subject to the “enhanced" rules, which include the following:
(a) You must have a specific purpose and sufficient necessity, and take strict protective measures, before processing sensitive PI.[34] Compared with the “clear and reasonable purpose" standard for non-sensitive PI, this is clearly a higher standard.
(b) You must obtain a “separate consent" from the relevant individual (or a written consent if any law or administrative regulation so requires).[35] This means you cannot rely on a “collective" consent.
(c) You must inform the individual of the necessity of processing his/her sensitive PI and the impact on his/her rights.[36] This means your notification must contain more detail than the notification given to individuals for non-sensitive PI.
(d) You must formulate special PI processing rules for processing PI of minors under the age of 14.[37]
(e) You must conduct PI protection impact assessments in advance.[38]
(f) You must obtain relevant license or be bound by other restrictions when the laws or administrative regulations provide so. [39]
Practical Tips:
- You need to classify your processed PI by sensitivity level and apply a more stringent processing policy when dealing with sensitive PI.
- At present, there are special industry rules for processing PI in industries such as automotive, finance and medical/healthcare. You need to comply with the specific industry rules in addition to the PI Law. There may be more industry-specific rules in the future, and you need to keep an eye on developments.
Q8 What are the consequences for breaching the PI Law?
(a) Consequences
Civil liabilities:
(i) paying damages to the victims.
Administrative liabilities:
(i) rectification order;
(ii) warning;
(iii) order to suspend the relevant business;
(iv) order to suspend or terminate the services of APPs;
(v) prohibition of the responsible persons from taking up directorships;
(vi) confiscation of illegal income;
(vii) fines.
Criminal liabilities:
(i) criminal prosecution (see (e) below).
(b) Serious circumstance
(i) If the circumstances of the illegal conduct are “serious", the PI processor may face a fine of up to RMB 50,000,000 or 5% of its turnover in the preceding year. Each directly liable official / individual may face a personal fine (up to RMB 1,000,000) and/or be prohibited from serving as a director, supervisor, senior manager or person in charge of PI protection of relevant enterprises for a certain period. The PI processor's business license or other relevant operating permits may also be revoked. APPs that illegally process PI may be ordered to suspend or terminate their services.[40]
(ii) The PI Law does not set out a standard for “serious circumstances", so the relevant authorities will have considerable discretion in enforcement until further statutory or judicial guidance is given.
(c) Burden of proof
In PI-related legal actions, the burden of proof is reversed: you, as the PI processor, will be held liable to pay damages to the relevant individuals unless you can prove that you were not at fault. The damages are determined based on the loss suffered by the victim or the benefit gained by the PI processor.[41]
(d) Class action
The procuratorate, the consumer protection organization, or the organization determined by CAC may initiate proceedings at court on behalf of a large number of individuals whose interests have been infringed.[42]
(e) Criminal offences
In certain circumstances, the PI processor and its responsible officials may even face criminal liability. The relevant offences include:
(i) infringement of citizens' PI;[43]
(ii) refusing to perform the obligation of information network security management;[44] and
(iii) illegally providing state secrets.[45]
In addition to fines, these offences carry prison terms for convicted individuals; the most severe of them, (iii), carries a maximum penalty of life imprisonment.
Practical Tips:
Clearly, the PI Law is not “toothless". Compliance with the PI Law cannot be neglected by the relevant companies, nor by their directors personally.
Q9 Is national security a relevant issue in the PI Law?
Yes, it’s relevant.
(a) No one is allowed to export PI stored in China at the request of foreign judicial or law enforcement authorities, unless approved by the competent authority of China.[46]
(b) The CAC may establish a “blacklist" to include foreign entities or individuals who engage in PI processing activities that damage the rights and interests of PRC citizens regarding PI or endanger national security or public interests of China. Once “blacklisted" you will be restricted or prohibited from receiving any PI from China.[47]
(c) China may adopt reciprocal measures if any country or region adopts any prohibitive, restrictive, or other similar discriminatory measures against China in terms of PI protection.[48]
Practical Tips:
- Please note that these provisions may create a conflict of obligations if you are required by the law of a foreign country to transfer PRC-stored PI abroad. In such a case, you should seek legal advice immediately.
- You should regularly check whether your overseas recipient of PI has been “blacklisted" by the CAC. If it has, you must promptly stop transmitting any PI to that entity.
Q10 Does the PI Law have retrospective effect?
The PI Law will be effective from 1 November 2021. There is no retrospective effect.
Summary:
The PI Law is a milestone and will reshape the landscape of PI protection in China. There are only 2 months before it comes into effect. In light of the current global situation, you should not underestimate the risks associated with enforcement of the PI Law. If you process the PI of PRC residents in your business, you are strongly recommended to conduct an internal compliance review, examine your contracts, company policies and business practices regarding PI processing, and take improvement/remedial measures as soon as possible.
Disclaimer:
This article does not constitute legal advice or suggestion on specific legal matters, nor does it constitute full interpretation of laws and regulations. The author has no obligation to update the contents of this article in case of amendments made to the laws and regulations concerned. Should you have any questions on this article or have any queries, please contact us.