Purpose of the Personal Information Protection Law
According to the IAPP, China’s Personal Information Protection Law (PIPL) was passed to “protect the rights and interests of personal information, regulate personal information processing activities, and promote the rational use of personal information.”
The PIPL has been legally enforceable since November 1st, 2021. The PIPL is noteworthy because of its global reach: it has numerous extraterritorial applications that govern contentious issues such as cross-border data transfers and the storage of data outside of mainland China. This article is an essential introduction for South African businesses who want to understand the most fundamental elements and terminology of the PIPL. A fully translated version of the entire PIPL can be found here.
Below are some of the PIPL’s most fundamental definitions, concepts and mechanisms that are indispensable if businesses aim to ensure compliance and avoid significant fines.
PIPL Regulatory Compliance in South Africa
Like South Africa’s POPIA, China’s PIPL has international application and covers the handling of personal information in China under any of the following circumstances:
1. for providing a product or service to natural persons located within China;
2. for analyzing or assessing the behaviour of natural persons located within China;
3. any other circumstance provided for by law or regulations.
International Data Transfers: The PIPL further empowers the Cyberspace Administration of China (CAC) to control the flow of personal information out of China. Organizations that China defines as Critical Information Infrastructure Operators (CIIOs) – examples include the energy and finance sectors – may be required to pass a security assessment performed by the CAC if they wish to transfer personal information outside of China. To legally complete transfers of personal information out of China, all handlers must acquire data subject consent and meet at least one of the following criteria:
1. Passing a security assessment organized by the State cybersecurity and informatization department;
2. Undergoing personal information protection certification conducted by a specialized body according to provisions by the State cybersecurity and informatization department;
3. Concluding a contract with the foreign receiving side in accordance with a standard contract formulated by the State cyberspace and informatization department, agreeing upon the rights and responsibilities of both sides;
4. Other conditions provided in laws or administrative regulations or by the State cybersecurity and informatization department.
Provision of Information to Law Enforcement: If a business wishes to provide personal information stored in China to any foreign judicial or law enforcement authority, this handover must first be approved by Chinese authorities.
PIPL Non-Compliance Fines and Accountability
The punishments for non-compliance are hefty and include, but are not limited to, fines of up to 7.7 million USD (or 5% of the last year’s annual revenue), as well as the revoking of business licenses. Like POPIA, the PIPL mandates that businesses designate individuals who are responsible for ensuring compliance. If found to be at fault, these persons may be fined $150,000 and be banned from serving as managers, supervisors, or directors. In addition, individuals have the right to sue a handler if their rights as a data subject are infringed upon.
- Personal Information Protection Officers: Article 52 requires that “personal information protection officers” be appointed when a data handling threshold is exceeded. Handlers must take steps to protect against data breaches and leaks and must conduct routine risk assessments. If the handler is located outside of China, a representative within China must be appointed.
- Data Breaches: In the confirmed or probable event of a “leak, distortion or loss”, handlers must immediately notify affected individuals and those responsible for data protection. These notifications must include: the affected information categories; causes and potential harm; remedial measures being taken and options for those affected; and contact information for the responsible handler.
PIPL Essential Concepts
The following concepts form the framework for the PIPL:
- Definition of “Handler” and “Handling”: “Handling” includes, but is not limited to, the collection, storage, use, processing, transmission, provision, disclosure, and deletion of personal information. “Personal information handler” is broadly defined as the entity that initiates the collection of data, obtains consent, arranges data processing, and contracts with third parties to process data. Under the PIPL, the “delegated party” is the individual or organization processing data on behalf of, and at the instruction of, the personal information handler. The PIPL does not apply to individuals who are handling personal information for family or personal reasons.
- Consent: Data subject consent is one of the seven legal bases for the handling of personal information. The consent of the data subject must be acquired before any of their personal information can be collected or processed. Valid consent can be acquired through a signature or ticked box, but to be valid the consent must be voluntary and explicit, be given with full knowledge, and be revocable at any time. Additional consent is required if a data subject’s personal information is to be further processed by a third party or transferred out of China; consent is not required if the information is processed as part of a contract to which the data subject originally consented. New consent must be acquired if changes are made to, for example, the handling method or the purposes of collection. Article 28 requires that additional explicit consent be acquired for any information that is defined as sensitive or that pertains to minors under the age of 14. Companies cannot refuse to do business with individuals who do not consent to having their data handled.
- Obligation to Inform: Before handling personal information, businesses must inform the data subject of the handler's name, contact method for the handler, the categories of personal information to be handled, the purposes of handling, the retention period, methods for individuals to exercise their data privacy rights, and any other requirements per legal or administrative regulations.
- Third-Party Data Handling: Before any personal information can be transferred to a third party, agreement must be reached on: the handling, purpose, time limit and method; categories to be included; protection measures; and the rights and duties of both parties. The third party cannot transfer any of the personal information without additional consent from the original handler.
China Wants to Shape Global Norms for Data Privacy and Data Protection
The complex regulations for cross-border data transfers can constrain or promote business. Therefore, developing global standards that protect personal information but minimize compliance obligations is an objective worth pursuing.
The GDPR already governs personal information for all EU member states, but China wants to take this concept further. Article 12 of the PIPL clearly states China’s ambition to shape global standards for personal information protection legislation.
To understand the differences between South Africa’s POPIA and China’s PIPL laws, as well as gain an insight into the potential future of data privacy legislation, read our analysis here.
Why Data Privacy Is So Important – Fostering Trust and Economic Growth
Trust – understood as “our willingness to be vulnerable to the actions of others because we believe they have good intentions and will behave well towards us” – has been repeatedly undermined by companies and governments that mismanage and abuse personal information. Although it has many causes beyond the abuse of personal information, the decay of trust is rife: we are more suspicious of businesses, government, and each other than ever before [1], and the share of the global population that felt most people could be trusted has fallen by 20% over the last 15 years [2].
Laws that govern the protection of personal information – such as the PIPL, the EU’s GDPR and South Africa’s POPIA – are essential for restoring this trust. In an interview with Deloitte [3], Sandy Pentland, director of MIT’s Connection Science laboratory, explained the value of transparency when dealing with personal information.
“I’m going to deliver this service to you, and then without really making it clear, we’re going to sell your data on the side. That’s a violation of trust. A consequence is that if I don’t understand your business model and what you are offering me and what the value is to you, I can’t trust you. It’s that transparency in value, the relationship, and the motivations that are often left on the floor.” – Sandy Pentland, MIT.
The legal requirement to acquire the consent of a data subject empowers individuals to make informed decisions about how and when their personal information is collected and processed. This fosters an environment in which consumers can trust that businesses will not abuse their personal information once it is collected. This is invaluable because countries in which businesses, governments and other institutions engender more trust experience stronger per capita GDP growth. Macroeconomic research has shown that as trust improves, economic prosperity grows [4].
KYC, Enhanced Due Diligence and Identity Verification Services for South Africa
It is clear how vital it is to rebuild the trust we have lost. However, it is naïve to simply ask people to trust one another. The risk of loss is too high. Trust must be rebuilt on verifiable identities that can offer peace of mind by affirming the integrity of those we do business with.
As South Africa’s leading provider of world-class due diligence and remote-onboarding solutions, ThisIsMe is proud to be at the forefront of a trust-based and privacy-compliant digital world. To experience our full suite of advanced due diligence services, book a demonstration by contacting our team here.
Citations
1. Edelman Trust Barometer 2021.
2. Deloitte. The Link Between Trust and Economic Prosperity.
3. Deloitte. New Models for Building Trust: An Interview with MIT’s Sandy Pentland. April 2021.
4. Deloitte. The Link Between Trust and Economic Prosperity: Repairing the Global Erosion of Trust Has Economic Advantages. May 2021.