
March 8, 2022

China’s Landmark Personal Information Protection Law—Are You Prepared?

China’s Landmark Personal Information Protection Law Takes Effect: Are You Prepared?


Following the launch of the Cybersecurity Law (“CSL”, effective June 1, 2017) and Data Security Law (“DSL”, effective September 1, 2021), China enacted the Personal Information Protection Law (“PIPL”) on November 1, 2021. The PIPL is by far the most significant law in China’s data protection regime, with extraterritoriality and stringent sanctions (fines could go as high as RMB 50 million (approx. USD 7.74 million) or 5% of the violator’s turnover in the previous year). While in many aspects similar to the EU’s General Data Protection Regulation (“GDPR”), the PIPL has some significant differences for companies with an interest in China. Below we highlight some key aspects of the PIPL with relevance to both Chinese and foreign companies that process personal information (“PI”) in China.

Following the Cybersecurity Law (the “CSL”, effective June 1, 2017) and the Data Security Law (the “DSL”, effective September 1, 2021), China enacted the Personal Information Protection Law (the “PIPL”) on November 1, 2021. The PIPL is by far the most important law in China’s data protection regime, with extraterritorial effect and severe sanctions (fines can reach RMB 50 million (approx. USD 7.74 million) or 5% of the violator’s turnover in the previous year). Although similar in many respects to the EU’s General Data Protection Regulation (“GDPR”), the PIPL contains some significant differences for companies with an interest in China. Below we highlight some key aspects of the PIPL that are relevant to both Chinese and foreign companies processing personal information in China.

PI Processing Basis

Basis for Personal Information Processing

The PIPL provides for six bases for collecting and processing PI. The most prominent one is informed consent, but it is important to remember it is not the only basis. It is also worth noting that “legitimate interest”, which is recognized under the GDPR as an independent basis, is not among the PIPL bases, which may require GDPR-compliant companies to make certain adjustments to their policies. Under the PIPL, companies are allowed to process PI if the processing is necessary to conclude contracts or perform contractual obligations. The necessity to fulfill statutory functions or statutory obligations, or to tackle public health emergencies, also justifies PI processing.

The PIPL provides six bases for collecting and processing personal information. The most prominent is informed consent, but remember that it is not the only basis. It is also worth noting that the “legitimate interest” recognized under the GDPR is an independent basis there, which may require GDPR-compliant companies to make certain adjustments to their policies. Under the PIPL, a company may process personal information where doing so is necessary to conclude a contract or perform contractual obligations. Necessity for performing statutory functions or statutory obligations, or for responding to public health emergencies, also justifies the processing of personal information.

Additionally, companies should always bear in mind they are only allowed to process PI “within a reasonable scope”. Though there is ambiguity about the definition of “reasonable scope”, a risk minimizing approach would be to minimize the use of PI and the time for which it is stored. It is also critical to have proper processes in place (as well as the relevant legal documentation) in relation to both collection and use to ensure that the basis is solid.

In addition, companies should always bear in mind that they are only permitted to process personal information “within a reasonable scope”. Although the definition of “reasonable scope” is ambiguous, a risk-minimizing approach is to keep the use of personal information, and the time for which it is stored, to a minimum. It is equally important to establish proper processes (together with the relevant legal documentation) for both collection and use, so as to ensure a solid basis.

Data Subject Rights

Data Subject Rights

The PIPL requires businesses to obtain an individual’s consent for certain actions involving the processing of his or her information and to provide individuals with rights over their personal information, such as the right to know, access, modify, copy and delete it, to withdraw their consent, and to refuse automated decision-making. Deceased persons also enjoy rights under the PIPL, exercised by their close relatives. Noticeably, failure to implement mechanisms that will facilitate data subjects in exercising their rights may create legal liability.

The PIPL requires businesses to obtain an individual’s consent for certain acts involving the processing of his or her information and to grant individuals rights over their personal information, such as the rights to know, access, modify, copy and delete it, to withdraw consent, and to refuse automated decision-making. Deceased persons also enjoy rights under the PIPL, exercised by their close relatives. Notably, failure to implement mechanisms that help data subjects exercise their rights may give rise to legal liability.

Extraterritorial Effect

Extraterritorial Effect

The PIPL is applicable to both Chinese and foreign companies (the law has an extraterritorial reach) when it comes to PI processing of Chinese individuals. Extraterritoriality will apply if the information concerned is that of natural persons inside China, and it is processed in order to provide products and services to natural persons in China, analyze or assess their conduct, or under any other statutory circumstance. In particular, data processors outside of China are required to designate a personal information protection representative or institution within China to protect PI under certain circumstances.

When the processing of personal information of individuals in China is involved, the PIPL applies to both Chinese and foreign companies (the law has extraterritorial effect). Extraterritorial effect applies if the information concerned is that of natural persons within China and the purpose of the processing is to provide products and services to natural persons within China, to analyze or assess their conduct, or under any other statutory circumstance. In particular, in certain circumstances data processors outside China must designate a personal information protection representative or institution within China to protect personal information.

Cross-border Data Transfer

Cross-border Data Transfer

A major issue for international businesses is the cross-border transfer of information. Under the PIPL, if businesses are to undertake cross-border PI transfer, they have to meet one of several conditions, such as passing a security assessment by the Cyberspace Administration of China (“CAC”, China’s privacy regulator), signing a contract based on the CAC’s model contract with the overseas information recipient, or getting a prior personal information protection certification by a specialized institution in accordance with CAC rules. Specific and separate consent from the data subject may also be required for cross-border data transfers under certain circumstances.

A major issue for international businesses is the cross-border transfer of information. Under the PIPL, a business wishing to transfer personal information across borders must meet one of the following conditions: passing a security assessment by the Cyberspace Administration of China (the “CAC”, China’s personal information regulator), concluding a contract with the overseas recipient based on the CAC’s standard contract, or obtaining a prior personal information protection certification from a specialized institution in accordance with CAC rules. In certain circumstances, cross-border data transfers may also require the specific and separate consent of the data subject.

Additional Liabilities

Additional Liabilities

The PIPL imposes additional liabilities on PI processors providing important internet platform services, having a massive number of users and complex business types. This may be of special relevance to some tech companies.

The PIPL imposes additional liabilities on personal information processors that provide important internet platform services, have a massive number of users and operate complex business types. This may be of particular relevance to some technology companies.

Recommendations

Recommendations

In view of the PIPL’s relevance and penalties, companies should carefully study the requirements, review and amend their data protection agreements as well as their standard terms and conditions, introduce well-developed consent forms and cross-border data transfer policies, designate a personal information protection representative or institution within China (if applicable), and implement data subject right protection mechanisms. While the GDPR and the PIPL are similar, companies should not assume their GDPR compliance makes them PIPL compliant automatically.

In view of the relevance of the PIPL and the severity of its penalties, companies should carefully study its requirements, review and amend their data protection agreements and their standard terms and conditions, introduce well-developed consent form templates and cross-border data transfer policies, designate a personal information protection representative or institution within China (where applicable), and implement mechanisms to protect data subjects’ rights. Although the GDPR and the PIPL are similar, companies should not assume that GDPR compliance automatically makes them PIPL compliant.

By: Zach Lichtblau and Yasmin Yao

Written by: 蓝泽奇 and 姚阳辉

If you have any questions about privacy or data protection in China, you may contact BNLS Law Firm at zl@bnlslaw.com and yy@bnlslaw.com.

If you have any questions about privacy or data protection in China, please contact BNLS Law Firm (上海搏纳朗盛律师事务所) at zl@bnlslaw.com and yy@bnlslaw.com.