Recent years have brought a flood of new privacy laws from multiple jurisdictions. The European Union, the United Kingdom, other countries, and multiple states, including Utah and California, have passed data privacy laws that impose requirements on how companies process consumer data. These laws apply to many Utah companies, so it is important for attorneys to become familiar with these laws to effectively counsel their clients.
Our past articles have covered various developments in data privacy laws. This article discusses a Chinese data privacy law that could apply to Utah companies. In August 2021, the People’s Republic of China (the PRC) passed a comprehensive data privacy law, the Personal Information Protection Law (PIPL), which became effective on November 1, 2021. The PIPL together with various other PRC laws governs the collection, processing, publishing, and transfer of the personal data of Chinese residents. We provide a high-level overview of what you need to know about the PIPL if your Utah-based client operates in the PRC.
Does the PIPL Apply to My Client?
If your client has a presence within the PRC, or is registered outside of the PRC but collects and processes personal information of persons living within the PRC, the PIPL will apply. The PIPL also purports to apply extraterritorially to any processing that relates to the personal data of natural persons living within the territory of the PRC and is done: (i) for the purpose of providing products or services to natural persons in the PRC; (ii) for the purpose of analyzing and evaluating the behavior of natural persons in the PRC; or (iii) for other purposes specified by law or regulation. Thus, if your client collects or processes personal information of persons living in the PRC, it likely will be subject to the PIPL.
What Does the PIPL Require?
Registration & Data Protection Officers
The PIPL refers to persons or entities that determine the purpose and method of processing personal information subject to the PIPL as personal information handlers (PIHs). A common question is whether the PIPL requires PIHs to register with the Cyberspace Administration of China (CAC), China’s data protection authority. The answer is generally no. However, organizations that meet certain data processing volume thresholds, which have not yet been specified, will be required to appoint a data protection officer (DPO) and to report the name and contact details of the DPO to the CAC. Although the PIPL volume threshold has not yet been released, the national standard Information Security Technology – Personal Information Security Specification already requires an organization to appoint a DPO and a data protection office if it: (i) has more than 200 employees and its main business line involves personal information processing; (ii) processes (or is estimated to process) the personal information of more than 1,000,000 individuals; or (iii) processes the sensitive personal information of more than 100,000 individuals. Finally, organizations based outside of the PRC that process PRC personal information also must appoint a specific representative or organization within the PRC. Details as to how and when the DPO should be appointed and reported to the CAC, especially where the PIH is an offshore entity, have not yet been released.
In addition to appointing a DPO, your client may be required to prepare and file personal information protection assessments (i.e., security assessments), particularly when data will be transferred outside of the PRC, as discussed below.
Consent
The PIPL generally requires PIHs to obtain express, informed consent from data subjects before their personal information can be collected, used, transferred, or otherwise processed. Personal information may be processed without consent only in the following circumstances:
- Entering into or fulfilling a contract with the data subject;
- Carrying out human resources management under an employment policy or a collective contract;
- Fulfilling legal obligations;
- In response to public health incidents;
- For public security and public interest reasons; and
- As required by PRC law.
In practice, consent is the primary basis relied upon for lawful data processing.
PIPL also requires PIHs to obtain “separate consent” from data subjects to: (i) transfer their personal information to third parties; (ii) publicly disclose their personal information; (iii) transfer their personal information abroad; and (iv) process sensitive personal information. While PIPL does not explain the difference between “consent” and “separate consent,” it is generally assumed that separate consent means that the data subject must specifically agree to that particular action, rather than providing consent to a general privacy policy.
Notice
In addition to obtaining consent, PIHs are required to notify data subjects of the following: (i) the name and contact information of the PIH; (ii) the purpose and method of processing; (iii) the type of personal information processed; (iv) the retention period; and (v) the methods and procedures for exercising their rights under the PIPL. This notification can be made using an online privacy policy, so long as it is presented in a way that is prominent and easy for users to understand.
Transfer and Cross-Border Transfer
If your client discloses personal data to any third party other than the data subject, this disclosure constitutes a data “transfer” under PIPL. If a PIH transfers personal information to another PIH, it is required to notify data subjects of the name of the other entity, its contact information, the purpose of processing, the processing method, and type of personal information shared. No additional guidance has been issued on how to notify data subjects of a transfer, but presenting the required information on a website in a way that is prominent and easy for users to understand (such as in a privacy policy containing a list of entities that personal information is shared with) should meet the notice requirement.
PIHs are also required to obtain separate consent from data subjects to transfer their personal information abroad. In addition to obtaining consent, PIHs exporting the data are also required to do the following to transfer it outside of the PRC: (i) carry out a personal information protection impact assessment in advance (as described below) and (ii) meet one of the lawful transfer mechanisms. The lawful transfer mechanisms that are permitted depend on the type of PIH and their processing activities.
Some PIHs must undergo a security assessment administered by the CAC. Among others, this requirement applies to PIHs that process a “large” volume of personal information. Under the CAC’s security assessment measures for outbound data transfers issued in 2022, “large” volume means PIHs that process the personal information of one million or more data subjects, or that, since January 1 of the previous year, have cumulatively transferred abroad the personal information of 100,000 or more data subjects or the sensitive personal information of 10,000 or more data subjects. For PIHs processing a large volume of personal information (and others subject to this requirement), undergoing a security assessment requires the PIH to first conduct a cross-border transfer self-assessment and file it with the provincial-level CAC, after which the CAC administers the security assessment. If the PIH fails to pass the security assessment, it cannot carry out any cross-border transfers until it remediates the issues identified by the CAC.
For all other PIHs (i.e., small-volume PIHs), a security assessment is not mandatory. Instead, one of the following alternative lawful transfer mechanisms can be relied upon: (i) obtaining certification from a “professional institution” in accordance with the rules of the CAC; (ii) entering into a transfer agreement with the overseas recipient based on the “standard contractual clauses” published by the CAC (CAC SCCs); or (iii) relying on any other mechanism that has been provided by law or regulation. To rely on the CAC SCCs, the PIH must file an executed copy of the CAC SCCs with the provincial-level CAC within ten working days of the agreement’s effective date. The PIH also must file a personal information protection impact assessment for the cross-border transfer together with the executed CAC SCCs. If the purpose or means of the cross-border transfer changes, the PIH must execute and re-file new CAC SCCs.
Data Security
PIHs also are required under PIPL to implement security measures to protect personal information and prevent unauthorized access, as well as personal information leaks, distortion, or loss. Specifically, PIHs must: (i) formulate internal management structures and operating rules; (ii) implement categorized management of personal information; (iii) adopt corresponding technical security measures (e.g., encryption, de-identification); (iv) reasonably determine operational limits for personal information handling; (v) regularly conduct security education and training for employees; (vi) formulate and implement personal information security incident response plans; and (vii) other measures required by regulation.
The foregoing requirements may vary based on the purpose of processing, the handling methods, the type of personal information being processed, the effect on the rights and interests of data subjects, and possible security risks. In addition, PIHs must regularly conduct audits of their personal information handling and compliance with law.
If the PIH handles sensitive personal information, uses personal information to conduct automated decision-making, discloses personal information to other PIHs or publicly, or transfers personal information abroad, then the PIH must conduct a personal information protection impact assessment in advance. This personal information protection impact assessment must include: (i) whether the purpose and method of processing are lawful, legitimate, and necessary; (ii) the influence on data subjects’ rights and interests and the security risks; and (iii) whether the protective measures undertaken are legal, effective, and suitable to the degree of risk. These assessment reports and the records of processing must be preserved for at least three years.
Data Retention and Deletion
An important component of data security under PIPL is timely deletion of personal information that is no longer needed. PIHs must proactively delete personal information where: (i) the handling purpose has been achieved, is impossible to achieve, or the information is no longer necessary to achieve the purpose; (ii) the PIH stops providing the product or service or the retention period required by law has expired; (iii) the data subject rescinds consent; or (iv) the personal information was handled in violation of law or agreements.
Data Breach Notification
Regardless of how careful your client may be, there is always the possibility that a data breach (leak, distortion, or loss) may occur. If your PIH client experiences a data breach, it must “immediately” adopt remedial measures and notify both the government departments performing personal information protection duties (such as the CAC) and the affected data subjects. The notice must state the categories of personal information involved, the cause and possible harm of the breach, the remedial measures the PIH has taken and the measures data subjects can take to mitigate harm, and the PIH’s contact information. If the remedial measures taken by the PIH can effectively avoid the harm created by the breach, the PIH is not required to notify the data subjects. However, if the departments performing personal information protection duties believe harm may occur, they may require the PIH to notify the data subjects.
How is PIPL Enforced?
If your client is found to have violated the PIPL, regulators may order your client to take corrective actions. In addition, regulators may issue warnings, confiscate illegal income, suspend services, or impose a fine. For serious violations, fines may be imposed up to 50 million RMB (currently, about USD 7 million) or 5% of an organization’s annual revenue for the prior year. Violations also may be recorded in the “credit files” of the PIH under the PRC’s national social credit framework. PIHs also may be liable for tort damages if they infringe the rights and interests of data subjects, and, if they infringe the rights and interests of a large number of data subjects, the People’s Procuratorate may file a public interest lawsuit.
Summary
In summary, the PIPL imposes several requirements that may apply if your client collects or processes any personal information from persons living in the PRC. While this article is not intended to be comprehensive, we hope this overview provides you with a high-level understanding of the basic requirements that may be relevant to your Utah-based client.