Date: 24 August 2021
The Personal Information Protection Law, the first piece of legislation in the Mainland dedicated to the protection of personal information, was passed by the Standing Committee of the National People's Congress on 20 August 2021 and will be effective from 1 November 2021.
The Personal Information Protection Law establishes individuals’ consents as the principal legal basis for processing personal information. It requires that the processing of personal information shall abide by the principles of legality, fairness, good faith, minimum necessity, openness and transparency. There shall also be specific and reasonable purposes of processing[1].
Individuals shall have the right to access and obtain a copy of their personal information from the processors of personal information (similar to data users under the Personal Data (Privacy) Ordinance of Hong Kong). Individuals can also request the processors of personal information to rectify and delete their personal information, as well as to provide them with means to transfer their personal information to other processors[2].
When processing personal information of a minor under the age of 14, processors of personal information shall obtain the consent of the minor’s parent or guardian, and establish specific processing rules[3].
The Personal Information Protection Law prohibits the use of automated decision-making based on personal information if it leads to unreasonable price discrimination against individuals. In addition, when automated decision-making is used for push notification or marketing, individuals shall be provided with an option for not receiving personalised information or convenient opt-out channels[4].
Processors of personal information which need to transfer personal information out of the Mainland shall obtain separate consent from individuals, and meet certain requirements, such as passing the security assessment made by the state cyberspace authorities, obtaining the required certification, or entering into a standard contract as prescribed by the state cyberspace authorities[5].
The Personal Information Protection Law contains provisions on extraterritorial application. Foreign organisations which process personal information of individuals in the Mainland for the purposes of offering products or services to them, or analysing and assessing their behaviours, shall be subject to this law[6]. These foreign organisations shall also establish designated agencies or appoint representatives in the Mainland[7].
The state cyberspace authorities shall be responsible for coordinating the protection of personal information and the relevant regulation work. Ministries of the State Council shall be responsible for the protection of personal information and regulation work within their purview[8].
A processor of personal information which contravenes the requirements under the Personal Information Protection Law is liable to a maximum fine of RMB 50,000,000 or 5% of its annual turnover of the preceding year. Other penalties may include suspension of operation for rectification, cancellation of business permits or licenses, etc[9].
The full text of the Personal Information Protection Law (in Chinese only) is available on the website of the National People’s Congress: http://www.npc.gov.cn/npc/c30834/202108/a8c4e3672c74491a80b53a172bb753fe.shtml
Watch out for other updates on the Personal Information Protection Law on our website.