Personal Information Protection Law
On November 1, 2021, China’s Personal Information Protection Law (“PIPL”) came into effect following its promulgation on August 20.
Under the PIPL, personal information such as age, address, and phone number, and sensitive personal data including biometric identification, religious beliefs, medical information and financial accounts, are considered sensitive information. Employers must obtain their employees’ explicit written consent to the collection of such data and must also clearly notify employees about the purposes of the data collection, how the data will be processed, and how long it will be retained.
In terms of transferring information outside China, companies collecting personal information to that prescribed by the authorities are required to conduct a cross-border transfer review of it before they can export it out of China. Without the approval of the competent authority, companies in China are forbidden from providing personal information stored within China to any foreign judicial or law enforcement authorities.
Notably, the PIPL significantly raises penalties for infringements. In severe cases, a violating organization may be fined up to RMB 50 million or 5% of its revenue of the preceding fiscal year. Individuals responsible are subject to a fine of up to RMB 1 million, as well as being prohibited from serving as directors, supervisors, senior managers and personal information protection officers. If any illegal processing of personal information constitutes a criminal offence, administrative regulators will hand over the case to public security organs.
In order to protect individuals’ personal information, the PIPL introduces a public interest litigation mechanism. For violations of the rights of a large number of people, procuratorates, consumer rights organizations, and other competent organizations may bring a class action against the entity on behalf of the victims. It is worth noting that in addition to civil damages, liability can trigger administrative and criminal penalties.
Companies in China are now working to assess their compliance with the new provisions. The law is expected to bring about significant changes to internal management organization and rules, contracts, marketing materials, websites and the transfer of information outside of China. In view of the impact of the PIPL, companies are advised to carry out the relevant verifications and modifications. It is also important to improve the process of collecting personal information of app users and employees.