On August 20, 2021, China released the “Personal Information Protection Law”, which takes effect on Nov 1, 2021. In recent years, personal information protection legislation has been widely adopted worldwide, and it is reported that more than 120 countries have passed legislation to protect personal privacy. Among them, you may have heard of the EU’s General Data Protection Regulation (GDPR), the U.S.’s California Privacy Act (CPRA) and California Consumer Privacy Act (CCPA), the Network Security Law, and the above-mentioned law just released by the Chinese government.

Organizations ranging from large internet-based public service platforms and logistics service providers down to a single factory or even a trading company may all fall under the supervision of one or more privacy-related laws or regulations.

Important Contents

According to China’s “Personal Information Protection Law”, personal information is any kind of information related to identified or identifiable natural persons, recorded electronically or by other means, excluding anonymized information. The processing of personal information includes, but is not limited to, the collection, storage, use, processing, transmission, provision, disclosure and deletion of personal information.

Taking the EU GDPR framework into account, China’s “Personal Information Protection Law” provides a localized approach to personal privacy protection, built on the important principles of the internationally prevailing regulations. Like GDPR, the “Personal Information Protection Law” is not limited to activities within Mainland China in terms of its scope of application.

This law in China has similar requirements to GDPR in the following perspectives: the definition of personal information, application scope, principle of minimal impact from processing approaches, principle of minimum scope of collection, principle of shortest storage period, processing of sensitive information, handling of personal information of minors, anonymization, processing of de-identified information, obligation for security protection, right to know, right to object, right to modify and delete, privacy impact assessment, data protection officer (DPO) appointment, control of contracted processing, notification of data leakage, restrictions on automated decision-making and on face recognition, etc.

This law in China may have stricter requirements than GDPR in the following perspectives: the legal basis of personal information processing, consent rules, personal information protection of the deceased, data localization requirements, additional obligations for large-scale personal information processors, cross-border data transfer security assessment, cross-border evidence retrieval, and administrative supervision.

China’s “Personal Information Protection Law” sets out four conditions under which personal information can be provided overseas from the perspective of network security and data sovereignty, as well as data localization requirements under certain circumstances.

Important obligations for personal information processors include: security controls, contracted processing controls, notification of data security incidents, privacy protection impact assessment, appointment of data protection officers, etc.

Relevant government departments will promote the construction of a social service system for personal information protection, and support relevant agencies to carry out personal information protection evaluation and certification services.

Legal Liabilities

The liabilities for violations of personal information protection law cover civil, administrative and criminal areas, and are quite stringent, supported with a multi-authority enforcement mechanism.

In terms of administrative penalties, an offending organization may be subject to suspension or termination of services, or a fine of up to RMB 50 million or 5% of the previous year’s turnover. In addition, the directly responsible persons or supervising persons may be subject to an industry-access prohibition, a fine of up to RMB 1 million, or even criminal liability.

Challenges

This new law in China will have a long-lasting impact on many kinds of organizations. Many organizations find it challenging to bring and keep their operations compliant with these personal information-related laws and regulations. In practice, some large international companies have been fined heavily by regulatory agencies such as those in the EU. To address and reduce these risks and challenges in a systematic way, some organizations have adopted, or are considering adopting, the international standard ISO 27701:2019 to establish a privacy information management system and pursue certification.

DQS Service

DQS provides ISO 27001:2013 Information Security Management System (ISMS) and ISO 27701:2019 Privacy Information Management System (PIMS) audit and certification services with accreditation recognized by the International Accreditation Forum (IAF).

Furthermore, DQS Academy provides related training courses, covering Lead Auditor, Internal Auditor, Data Protection Officer, Cloud Security Manager, etc.

Note:

This article is for reference only, intended for an organization planning a management system, and does not constitute legal advice. For any decision or action associated with the law or regulation, you should consult your lawyer in advance.

Author
Blog Author of DQS HK
