By Qiao Peng and Shirley Sha
- Effective on 1 November 2021
- Separate consent by individuals required for sensitive information
First Personal Information Protection Law in China
The Personal Information Protection Law (PIPL) was passed in China on 20 August 2021 and will come into force from 1 November 2021. It is specified, among the rest, that automated decision-making methods to push information and direct commercial marketing to individuals shall provide options that are not specific to their personal characteristics or provide individuals with convenient means to refuse. Separate consent shall be obtained from individual when processing sensitive personal information relating to biometrics, medical and health, financial accounts and location tracking. Applications that illegally process personal information shall be ordered to suspend or stop providing services.
Increased Restriction on Excessive Collection of Personal Information
Excessive collection of personal information through applications is one of the main focus points of the law.
It is stipulated that personal information processors shall not refuse to provide products or services on the grounds that individuals disagree to let them process their personal information or withdraw their consent on processing of their personal information unless processing personal information is a necessary part of providing products or services.
Duly Processing Sensitive Personal Information
Sensitive personal information is directly related to human dignity and security of personal property. The law has set up a specific chapter for detailed regulations on the processing of such kind of information.
The law has specified that sensitive personal information shall include biometrics, religious beliefs, specific identification, medical and health, financial account and location tracking and personal information of minors under 14 years old.
With regard to the widely concerning facial recognition technology, it is stipulated under the third draft that facilities installed in the public for image collection and identity recognition shall be necessary for protection of the public security, compliant with the relevant national regulations and shall be marked with salient signs.
Facial information is some of the most exposed and easiest personal information to collect among sensitive personal information.
Definition of Personal Information
- It refers to all kinds of information related to an identified or identifiable natural person recorded in electronic or other forms excluding information that has been anonymized.
- Processing of personal information includes collection, storage, use, processing, transmission, provision, publication, deletion and related activities.
Core Principle: Informed Consent
- When processing personal information, individual consent shall be obtained upon prior full disclosure, and must not be obtained through misleading, fraudulent or coercive means.
- Personal information processors shall not refuse to provide products or services due to individual dissent.
- Personal information processors shall provide convenient means to refuse.
- Processing of personal information shall adopt the means that has the smallest impact to personal rights and interests.
- The collection scope of personal information shall be confined to its minimum scope that for achieving the purpose of processing.
- The retention period shall be the minimum period that is necessary for achieving the purposing of processing.
Regulations on Excessive Collection of Personal Information, Big Data-Driven Price Discrimination, Illegal Transaction, Disclosure of Personal Information through Mobile Phone Applications:
- Personal information processors who provide important Internet platform services, have a large number of users, and carry out complex business activities are obligated to:
- establishing an independent organization that mainly consists of external members for supervision;
- formulating platform rules regarding protection of personal information; and
- regularly publishing personal information protection social responsibility reports.
- When using personal information in automated decision-making, unreasonable differential treatment shall not be imposed on individuals in terms of transaction prices and other transaction conditions.
Strict Restriction on Processing of Sensitive Personal Information:
- Biometrics, religious beliefs, specific identification, medical and health, financial account, location tracking and others fall into the scope of sensitive personal information.
- Processing rules: Such information shall only be processed when there is a specific purpose and sufficient necessity on condition that strict protection measures have been taken; individuals shall be informed of the necessity of processing and the impact on their personal rights and interests.
Personal Information of Minors Included as Sensitive Personal Information:
- When processing such information, consent shall be obtained from the minors’ parents or guardians and special rules of processing personal information shall be set up.
Improvement on Rules on Cross-border Transfer of Personal Information:
- Critical Information Infrastructure Operators (CIIO) or personal information processors that process personal information at the amount prescribed by the Cyberspace Administration of China (CAC) shall store personal information within China.
- Without the prior approval of the relevant authorities in China, individuals and organizations are not allowed to provide personal data stored within China to foreign law enforcement authorities.
Stricter Punishment for Infringement of Personal Information
- When personal information is processed in violation of the PIPL, or the personal information protection obligations under the PIPL are not fulfilled during the course of processing, the competent departments responsible for personal information protection shall order the processor to make rectification, confiscate illegal gains and give a warning to the processor, and order that the application processing personal information illegally to suspend or cease its services.
- If rectification is refused, a fine of no more than RMB 1 million shall be imposed concurrently on the processor; and a fine of no less than RMB 10,000 but no more than RMB 100,000 shall be imposed on the person directly in charge of the processors and other directly liable persons.
- Where the circumstances are serious, the departments at the provincial or above level shall order the processor to make rectification, confiscate illegal gains and impose a fine of not more than RMB 50 million or not more than 5% of the previous year’s turnover on the processor, and may also order the processor to suspend relevant business or to suspend business for rectification, and notify the relevant competent departments to revoke the relevant business permit or business license
- A fine of no less than RMB 100,000 but no more than RMB 1 million shall be imposed on the persons directly in charge and other directly liable persons, who may be prohibited from taking positions as director, supervisor, senior management and management of personal information protection in relevant companies within a designated period of time.
With her team, Alice Qiao frequently advises international companies collecting or handling data with their data compliance risks in China. Feel free to contact the author at [email protected] if you wish to assess or lower your company’s compliance risks.