China's Personal Information Protection Law ("PIPL") was passed on 20 August 2021. PIPL presents certain compliance challenges, and compliance is required from 1 November 2021, when it comes into force.
- Overview
- Lack of clarity over what constitutes consent
- Lack of clarity over "contract necessity" as a complete exception to consent
- Safeguards for transferring personal information outside China
- Restrictions in relation to automated individual decision-making
- Our China data and cyber law offering
PIPL is a generally applicable data protection law, introduced in China, governing the processing of personal information.
Like the General Data Protection Regulation ("GDPR"), it contains an express extra-territorial scope provision, provides data subjects with enhanced rights, and links the administrative fine for non-compliance to a percentage of annual turnover.
However, despite these similarities, there are also notable differences which render compliance with PIPL challenging and burdensome, particularly in relation to consent and the application of certain exceptions to it, the stringent safeguards for transferring personal information outside China, and the restrictions on automated individual decision-making. See further below.
Lack of clarity over what constitutes consent
China already has a consent-based regime in relation to personal information, and PIPL is consistent in that regard.
Under PIPL, consent remains the only legal basis for processing personal information.
There are a number of exceptions to this under PIPL, which resemble the alternative legal bases under GDPR, e.g. processing being necessary for:
- the conclusion or performance of a contract (namely the "contract necessity exception");
- performing legal obligations; or
- protecting the life, health and property safety (i.e. vital interests) of individuals during emergencies.
However, PIPL does not have an equivalent to the controllers' legitimate interests exception under GDPR.
The consent-based approach has also been adopted by the 2020 version of the Information Security Technology—Personal Information Security Specification ("Specification"), which remains relevant as the recommended best practice on processing of personal information in China. The terminology used in the Specification is more consistent with GDPR, e.g. "controller" is used in the Specification and GDPR, whereas "processor" is used in PIPL to refer to the concept of "controller" under GDPR. Another notable example is that "explicit consent" is used in the Specification and GDPR, whereas "consent" and "separate consent" are used in PIPL.
Under PIPL, various types of data processing activities require either "consent" or "separate consent" to be obtained. For example:
- entrusting a third party to process personal information requires "consent" to be obtained; and
- "separate consent" is required for (i) disclosure of personal information to other personal information processors, (ii) publicizing personal information, (iii) using personal images and identification information collected from CCTV for purposes other than maintaining public safety, (iv) processing sensitive personal information, or (v) transferring personal information outside China.
The terms "consent" and "separate consent" have not been defined in PIPL. In particular, PIPL does not contain any details of what constitutes "separate consent".
Until further guidance is provided by the competent PRC authorities, it may make sense to equate "separate consent" with "explicit consent", which is the higher standard of consent required for processing sensitive personal data under GDPR. Under GDPR, the term "explicit" refers to the way consent is expressed by the data subject.
Lack of clarity over "contract necessity" as a complete exception to consent
It is not entirely clear to what extent the contract necessity exception could trump requirements for "consent" or "separate consent" under PIPL.
For example, given that various data processing activities under PIPL specifically require "separate consent" to be given, if the contract necessity exception was interpreted narrowly then it may be that "separate consent" would still be required (or required to some extent) even in the case of contractual necessity.
Safeguards for transferring personal information outside China
Unlike the global approach for data privacy laws which only requires one of the appropriate safeguards to be in place before personal information can be transferred overseas, PIPL requires each of the following.
The data exporter must meet one of the three conditions linked to the Cyberspace Administration of China ("CAC"), namely it must:
- pass the security review organised by the CAC;
- conduct personal information protection certification via professional institutions in accordance with the regulations of the CAC; or
- adopt the standard contract formulated by the CAC in its data transfer contract with the overseas data recipient to stipulate the rights and obligations of both parties.
There is a data localisation requirement imposed on Critical Information Infrastructure Operators ("CIIO"), or organisations which process large amounts of personal information (with the exact threshold to be stipulated by the CAC). The personal information collected and generated by them in China must be stored within China. If the personal information is required to be transferred overseas, a security assessment organised by the CAC must be passed (see the first condition above).
As regards the threshold for an organisation to be regarded as a high-volume processor, while the threshold is still pending guidance from the CAC, our view (based on two draft Measures published under the Cybersecurity Law and the Data Security Law, and on the Specification) is that the threshold is likely to fall between 500,000 and 1,000,000 for personal information, and the threshold for sensitive personal information is likely to be even lower.
The data exporter must inform the individual of the details of the overseas data recipient, and obtain the individual's separate consent.
A personal information impact assessment must be conducted before personal information is transferred outside of China.
PIPL is unique globally in requiring several safeguards to be in place at the same time, so compliance could be burdensome.
Please note that we have summarised the major Chinese laws which affect the transfer of data/personal information out of China in our previous article.
Restrictions in relation to automated individual decision-making
Not only does PIPL provide individuals with a right to object to their personal information being used in automated individual decision-making which would have a significant impact on their interests, PIPL also requires organisations to:
- observe the transparency principle and keep individuals informed of such use of their personal information; and
- ensure that the outcome of automated decision-making would be fair to individuals who are subject to such processing.
In addition:
- preferential pricing based on automated individual decision-making is not allowed by PIPL; and
- individuals must be provided with a convenient way to opt-out from online behavioural advertising or given other alternatives which are not generated by automated individual decision-making.
All of these new restrictions on the use of artificial intelligence in pricing and marketing would significantly impact the way online e-commerce platforms currently conduct business in China.
Businesses operating in China should review their online marketing strategy in light of these requirements.
Our China data and cyber law offering
We are an award-winning data and cybersecurity team globally and in China.
We have extensive experience assisting companies in complying with data and cybersecurity laws, and dealing with data and cybersecurity issues, in China and across Asia Pacific and the world.
We have been helping clients understand how the new laws in China impact their business, identify key risk areas and gaps, and make recommendations on their data strategy and action plans.
We are also partnering with clients in this evolving area to anticipate and support their needs.
As one of a limited number of firms to do so, we operate a Joint Operation, Herbert Smith Freehills Kewei, which enables us to provide an end-to-end legal service integrating PRC law with international law and legal service standards.
It also gives us a deeper understanding of Chinese business methods and corporate culture, and an in-depth knowledge of China's complex regulatory and political environment.