Earlier this year, on August 20th, China passed its new privacy law, which strengthens China’s stance on the regulation and protection of the privacy of its citizens. On November 1st, 2021, the Personal Information Protection Law (PIPL) came into effect, with a total of 74 articles spread out over 8 chapters, covering everything from rules for personal information processing to the responsibilities and obligations of publishers and the penalties for violations. In this article, we will go over all the policies publishers need to know in order to comply with China’s PIPL.
Does China’s PIPL law apply to you?
Before we get into detail about what this law actually means, it is important to first understand who this law applies to!
The rules and regulations mentioned in the PIPL apply to all organizations and individuals who use the data and personal information collected from China and its citizens. This means any publisher, regardless of its size, is required to abide by the rules mentioned in the law.
Therefore, if you’re a publisher from China or someone who gets a major chunk of their users from China, then you should be aware of the provisions and regulations mentioned in the PIPL. The PIPL even has certain specific legal requirements for publishers who use the personal information collected from China and process it outside the country.
What should publishers know about China’s PIPL?
PIPL follows in the footsteps of other international privacy regulations such as the EU’s GDPR and California’s CCPA. With the launch of PIPL, China has put its foot down when it comes to protecting the personal information of its citizens. The law sets out key rules and regulations regarding the processing of personal data, cross-border transfers of data, penalties for violations, and much more, which we will get to in a bit.
Let us first have a look at the definition of some of the terms used in the PIPL, so that you can understand the laws more easily.
- Personal Information
The law defines personal information as any information related to an identified or identifiable natural person located in China, through electronic or other means, except data that has been anonymized.
- Data Subjects
A data subject is any individual or individuals whose personal information is collected and processed online through electronic or other means. In your case, it can be a website visitor or an app user.
- Information Processor
PIPL defines an information processor as any individual or organization that uses personal information for the purposes of collection, storage, transmission, analytics, disclosure, and deletion.
What are the obligations of publishers while handling Personal Information?
Prior to PIPL, giving notification and getting consent was the only legal basis for collecting and processing personal information. But with PIPL, the responsibilities of publishers for processing personal information have become much more specific.
The PIPL states the legal obligations of personal information processors, which include the obligation to:
- Construct frameworks and procedures for managing and protecting the integrity of personal information.
- Ensure confidentiality while using personal information for processing purposes.
- Implement necessary technological security protocols including encryption and anonymizing the data.
- Formulate effective emergency measures in case of security incidents involving personal information.
- Undertake routine audits and adopt suitable security measures as per the laws and regulations.
- Set up a special institution or designate a representative to handle matters related to the protection of personal information who shall report to the relevant authorities.
In addition to PIPL, publishers in China will have to comply with the preexisting regulatory frameworks, namely the Cybersecurity Law (CSL) and the Data Security Law (DSL), which were passed in 2017 and 2021 respectively.
What are the Rules for Cross-Border Transfer of Personal Information?
There are special provisions for cross-border transfer and processing of personal information under PIPL. Publishers need to have a legal basis along with the consent of data subjects when transferring personal information across the border for processing activities.
Here are the legal requirements publishers must follow for cross-border processing of PI:
- The publisher must pass a security assessment conducted by the Cyberspace Administration of China (CAC), if the information belongs to Critical Information Infrastructure (CII).
- The processor must form a legal contract with the recipient overseas in accordance with the regulations stipulated by the CAC, underlining the rights and obligations of both parties.
- The processor must obtain a personal information protection certificate as per the rules of the CAC.
- Any other circumstance where the laws and administrative regulations prevail as per the CAC.
- PIPL requires clear consent from the data subjects in situations where a cross-border transfer of personal information is needed.
However, even after following the legal basis and getting consent, publishers operating in China are not allowed to share personal information with judicial and law enforcement authorities outside of China, without prior approval of Chinese authorities. This can cause problems for MNCs having legal obligations with administrative authorities in their home country.
Administrative authorities in charge of upholding PIPL regulations
PIPL highlights the relevant authorities and judicial departments that are responsible for performing the duties and regulating the protection of personal information.
- The Cyberspace Administration of China (CAC) is in charge of extensive planning and management of regulatory and administrative activities relating to personal information protection.
- The corresponding ministries and administrative agencies of the State Council are responsible for regulating and monitoring the protection of personal information processing within their jurisdictions.
- The relevant authorities of local governments shall also be responsible for the supervision and administration of personal information protections as per state regulations.
What are the penalties and punishments for violations under PIPL?
In the event of a violation of the regulations stipulated in PIPL, the organization or person(s) involved may face legal consequences and other penalties as stated in the legislation.
Here are the legal liabilities in case of a violation under PIPL:
- In case of a violation, the relevant authorities may order rectification, a warning, acquisition of unlawful gains, suspension or discontinuation of operation for correction, and revocation of permits.
- If rectification is refused, a fine of up to RMB 1 million shall be imposed on the publisher, in addition to a fine of between RMB 10,000 and RMB 100,000 on the person assigned by the organization to handle personal information protection.
- In cases of proven illegal activity or of a serious nature, fines of up to RMB 50 million or 5% of the organization’s turnover in the previous year may be imposed.
- Under serious circumstances, the relevant authorities may also revoke the relevant business license of the company and prohibit the person directly in charge from serving the role of director, supervisor, senior manager, or any other role in charge of handling personal information protection for a certain period.
- In case the processing violation infringes the rights of a significant number of people, criminal prosecution under public interest may be initiated by consumer protection organizations or other designated authorities in accordance with the CAC.
What’s Next?
With new privacy regulations coming up ever so frequently, it becomes difficult for publishers to accommodate them into their pre-existing frameworks. China already has a reputation for having some of the most stringent laws and regulations, so you wouldn’t want to be on the wrong side of the law.
As of now, PIPL has been in effect since 1st November 2021, and therefore it is essential for any publisher operating in the country to conduct a thorough audit of its privacy policies and data processing techniques in accordance with PIPL. You can refer to our article on Thailand’s PDPA to understand more about compliance and privacy policies in Asian countries.