Feature Articles on China’s Personal Information Protection Law (2) – The Impact of the “Personal Information Protection Law” on Foreign Information Processors (Mainland China)


With the advancement of globalization and digitization, cross-border collection of personal information is increasingly common. In order to fully protect the rights and interests of individuals in the country and curb the abusive collection of personal information by digital giants, the 13th Standing Committee of the National People’s Congress of China adopted at its 30th meeting the Law on the protection of personal information (“PIPL”), which comes into force on November 1, 2021. The PIPL extends the scope of the law to include foreign activities carried out by foreign entities, requiring “foreign information processors”, who provide goods or services to natural persons in China or analyze or assess the behavior of natural persons in China, to follow the rules of the PIPL. In the age of the advanced Internet, all foreign companies with close economic and trade relations with the mainland and its people are very likely to fall within the scope of the PIPL. As such, it is recommended that the foreign companies concerned check as soon as possible whether they are subject to the PIPL regulations in order to take the corresponding measures. The following is a summary of the potential effects on foreign information processors after the entry into force of the law:

1. Scope and definition of foreign subcontractors

(1) Regulations

Article 3, paragraph 2 of the PIPL states that the processing abroad of personal information of natural persons in the territory of the People’s Republic of China falls within its scope if any of the following conditions applies: (i) the information processing is aimed at providing goods or services to natural persons in China; (ii) information processing involves the analysis or evaluation of the behavior of natural persons in China; and (iii) any other circumstance as stipulated by law and administrative regulations (hereinafter referred to as “Foreign Information Processors”). According to the “Explanation Regarding the PIPL of the People’s Republic of China (Draft)” released by the Deputy Director of the Legislative Affairs Committee of the Standing Committee of the National People’s Congress at the 22nd meeting of the Standing Committee of the 13th National People’s Congress on October 13, 2020, using the practices of other countries as a benchmark, this article aims to endow the PIPL with the extraterritorial applicability necessary to fully protect the rights and interests of individuals in the country.

(2) What constitutes “information processing for the purpose of providing goods or services to natural persons in China” or “analysis or evaluation of behavior of natural persons in China”?

Although the PIPL states that foreign information processors – including those who directly process information for the provision of goods or services, and who indirectly perform behavioral analysis and evaluation – are within the limits of its regulations, at the time of writing this article, no opinions have been issued by the relevant competent authority to clarify the scope of Article 3 (2). Therefore, the specific criteria for determining what constitutes “processing information aimed at providing goods or services to natural persons in China” or “analyzing or evaluating the behavior of natural persons in China” are still unclear.

In view of the fact that Article 3 of the EU General Data Protection Regulation (“GDPR”) has been used as a reference for Article 3, paragraph 2 of the PIPL, the “Directives 3/2018 on the territorial application of the GDPR (Article 3)” published by the EU (hereinafter referred to as the “EU Guide”) should be of considerable reference value for the future application of PIPL and the definitions concerning foreign information processors.

According to the EU Guide, whether a foreign processor processes data “aimed at providing goods or services to natural persons within the EU (regardless of their nationality or place of residence)” or is “monitoring the behavior of natural persons within the EU” is determined on a case-by-case basis, taking into account the following factors:

(3) Summary

In view of the lack of more detailed guidance on the scope of Article 3 (2) of the PIPL from the regulatory agency, we recommend using the factors from the aforementioned EU Guide as references to determine whether an activity is within the limits of the PIPL before the publication of other detailed regulations, and staying alert to future legislative developments, as the regulator may make adjustments at any time.

2. Obligations and responsibilities of foreign subcontractors

(1) General obligations and responsibilities of subcontractors

Article 51 of the PIPL stipulates that subcontractors must take into account the purpose and methods of processing personal information; the type of personal information to be processed and its impact on the rights of the data subject; and the potential security risks when taking the following measures to ensure that the processing of information complies with the law and administrative regulations, and to prevent unauthorized access, tampering, loss or leakage of personal information: (1) establish an internal management system and operating procedures; (2) implement classified management of personal information; (3) adopt proportionate technological security measures such as encryption and anonymization; (4) reasonably determine privileges for the use of personal information and conduct regular security education and training for employees; (5) formulate and organize the implementation of emergency plans for personal information security incidents; and (6) other measures prescribed by law and administrative regulations.

For other laws and regulations to be followed by personal information processors, please refer to the article: “Chinese Personal Information Protection Law Feature Articles (1) – Personal Information Protection Law Summary (Mainland China)”.

(2) Special obligations of foreign subcontractors

In accordance with Article 53 of the PIPL, foreign information processors must also create a special institution or appoint a representative responsible for matters relating to the protection of personal information, and report the name of this institution or representative and their contact details to the department responsible for the protection of personal information. According to EU practice, the main obligation of such a designated representative is to keep relevant records of the processing of information and to cooperate with the national supervisory authority responsible for the protection of information.

The PIPL does not have any qualification requirements for the institution or special representative mentioned above, nor does it stipulate the legal responsibilities that foreign information processors will have to assume if they do not establish such an institution or representative. Thus, how the requirements of this regulation can be fulfilled in practice will only become clear after the publication of more detailed rules.

(3) Legal responsibilities for foreign information processors violating the PIPL

Those who violate the provisions of the PIPL, including foreign information processors, may be subject to the responsibilities set forth in Articles 66 to 71 of the PIPL, which include, but are not limited to:

  • Have illegal acts entered in credit records and made public;
  • Be ordered to suspend or end the provision of services for applications that illegally process personal information;
  • Be ordered to rectify the violation and have illegal earnings forfeited; those who do not correct will be fined less than RMB 1 million; those directly responsible will be fined at least 10,000 RMB and up to 100,000 RMB. In addition, those who commit serious offenses may be fined less than RMB 50 million or less than 5% of the previous year’s turnover, their related business operations may be suspended, or suspended for rectification, and the competent authorities can revoke their relevant business permits or licenses; and
  • When the processing of personal information infringes the rights and interests of individuals in matters of information and causes damages, be liable for damages and other tort liabilities.

In addition, the directly responsible person in charge and other directly responsible personnel should be fined at least 100,000 RMB and up to 1 million RMB, and may be prohibited from performing the duties of director, supervisor, senior manager or person in charge of privacy for a period of time.

With increasing fines and liability for PIPL violations, foreign information processors should continue to monitor legal developments for additional guidance on PIPL compliance and requirements, and strengthen their oversight of compliance in the processing of personal information in order to limit potential exposure under the PIPL.
