Data regulation – China

13 February 2024

DS Asia Newsletter

Data protection and privacy frameworks are increasingly being developed globally. This is particularly the case in Asia: in the past two years, several key jurisdictions, including China, India, Indonesia and Vietnam, have either introduced their first-ever comprehensive data protection laws or are updating and reforming their existing privacy laws. These regulations are strongly influenced by, or borrow concepts from, the EU General Data Protection Regulation (“GDPR”) and set a high standard of compliance for organisations processing personal data.

Below is a snapshot of the national approaches to privacy in China, India, Indonesia, Singapore and Vietnam, prepared by our Asia data privacy task force.

Our Asia data privacy task force. At DS Avocats, we have developed strong expertise in data protection issues in Asia, enabling us to assist our clients in the development of their operations while taking into account their data compliance obligations. Our knowledge of the GDPR also allows us to bridge the needs of European-based headquarters and their local subsidiaries in China, India, Indonesia, Singapore and Vietnam.

  1. Brief Introduction to Personal Data Protection in China

The Personal Information Protection Law (“PIPL”) of the People’s Republic of China (“PRC”), which came into effect on 1 November 2021, is known as the “Chinese GDPR” due to its similarities with the EU General Data Protection Regulation (“GDPR”).

Foreign invested enterprises (“FIEs”) familiar with the European approach to data protection have some advantages in implementing the “Chinese GDPR”, as some of the best practices established under the GDPR hold significant value as a model. However, influenced by the GDPR as the PIPL may be, one cannot simply rely on knowledge of the GDPR when approaching the PIPL; the distinctive features of data controllers/processors in China must also be taken into account.

Although the PIPL follows a framework similar to that of the GDPR, it is gradually showing more of its own unique features through its supporting regulations, implementing rules, national standards and the compliance practices recommended by the competent authorities. Before the PIPL came into effect, provisions related to data protection were scattered across different laws and regulations, including but not limited to the PRC Civil Code, the Criminal Law, the Cybersecurity Law, the Law on the Protection of Minors and the E-commerce Law.

For certain strategic industries, industry-specific regulations, standards and guidelines that may impose further obligations concerning data security and related matters should not be overlooked. In addition to meeting the duties for processing data set out in the PIPL and the PRC Data Security Law, controllers/processors may also face tougher cybersecurity demands and extra data processing requirements. Data controllers and processors must therefore tailor their data compliance projects to their compliance targets and organisational characteristics.

Data controllers/processors should also not ignore the importance of cybersecurity laws in China, especially the PRC Cybersecurity Law, which is closely intertwined with the PIPL. Indeed, some cybersecurity law infringement cases relate to violations of personal data protection, as personal data compliance is expected to be built upon cybersecurity compliance. Data compliance cannot be complete or effective without cybersecurity compliance.

Considering the evolving legal landscape in China, it is advisable for data controllers and processors to take a comprehensive approach in creating and implementing compliance projects. Additionally, it is critical to keep up with legal updates and adjust plans accordingly. In particular, FIEs should balance the compliance requirements imposed by their parent companies in other countries with the compliance targets established for their subsidiaries/FIEs in China.

  2. Latest Updates on Data Protection in China

Following the implementation of the PIPL, various national standards, regulations and guides have been gradually released or updated. These legal instruments provide specific instructions on key aspects of data protection, including consent management, cross-border data transfer (“CBDT”), facial recognition and personal data audits. Below is a brief introduction to the main legal instruments related to these topics.

  2.1 Consent Management

Obtaining consent is one of the legal bases under the PIPL for processing personal data. For certain significant personal data processing activities, obtaining separate consent from the individuals concerned is also necessary. Chinese laws and regulations do not explicitly explain how to collect and maintain such consent, but a recommended national standard sets out the general principles regarding consent.

The Information Security Technology—Implementation Guidelines for Notices and Consent in Personal Information Processing (Reference No. GB/T 42574-2023) deals with:

  • Information of data subjects (form and content of notice);
  • Requirements to obtain consent (including separate consent) and exemptions;
  • Refusals and withdrawal of consent; and,
  • Preservation of consent as evidence.

  2.2 CBDT

The Chinese CBDT regime is primarily based on, and further detailed by, two regulations, the first specifying the scenarios and requirements in which security assessments apply and the second those in which Chinese Standard Contracts apply, as CBDT compliance tools:

The former covers CBDT of data in general as well as personal data, whereas the latter only covers CBDT of personal data. The former appears to have more stringent requirements than the latter, which in practice puts data exporters in a challenging situation. A recently issued draft regulation, the Draft Provisions on Regulating and Facilitating Cross-border Data Flow (“DPRF CBDT”), released on 28 September 2023, provides exemptions from the two aforementioned regulations which, if passed, will facilitate CBDT and, notably, reduce the compliance burden for data exporters.

However, it is important to note that these possible exemptions do not cover all compliance obligations on personal data protection. The DPRF CBDT only pertains to CBDT compliance, which comes at a later stage of an all-encompassing personal data compliance program. There is much work to be done before a CBDT compliance tool can be implemented, including data mapping and corrective measures to ensure the lawful processing of personal data, particularly with regard to the principles of data minimisation and necessity, which should be diligently observed.

Data controllers have another CBDT compliance tool at their disposal, the Personal Information Protection Certification. Due to its complexity and cost, this option is currently not widely adopted by data controllers.

  2.3 Facial Recognition

Facial information obtained through facial recognition is classified as biometric data and therefore as sensitive personal data under Chinese data protection laws, so those in charge of its processing must comply with more rigorous requirements. Before the PIPL, a judicial interpretation, the Provisions of the Supreme People’s Court on Several Issues concerning the Application of Law in the Trial of Civil Cases involving the Processing of Personal Information Using Facial Recognition Technology, released on 1 August 2021, provided examples of common civil disputes relating to facial recognition together with the criteria courts will use to resolve them.

A draft regulation on facial recognition, the Provisions on Security Management of the Application of Face Recognition Technology (for Trial Implementation), was released in August 2023 for public review. The draft regulates the application of facial recognition and sets out the key responsibilities of data controllers. In particular, it provides that facial recognition used in public places, and the processing of facial data of 10k or more data subjects, should be filed with the local competent authority. Beyond the basic data compliance obligations, facial recognition service providers targeting the public face stricter requirements under the Multi-Level Protection Scheme (“MLPS”) of the PRC Cybersecurity Law.

  2.4 Personal Data Audit

The PIPL mandates that all data controllers conduct a personal data audit, either voluntarily or upon order of competent authorities. However, it does not specify the audit procedures, frequency or routines. In August 2023, a draft regulation, the Administrative Measures for Personal Information Protection Compliance Auditing, was published for public comment and provides guidance on personal data audits.

Conducting a personal data protection audit is an essential task for data controllers in the initial stages of a personal data compliance project. This will enable data controllers to assess any shortcomings in meeting compliance requirements. It is advisable to use this draft as a reference and commence the audit promptly, as achieving personal data compliance can be a lengthy process.

If they possess adequate resources, data controllers can conduct personal data audits themselves. This should occur at least once every two years, or once per year if personal data of over 1 million data subjects is processed.

Data breaches or other data incidents may also trigger an audit, in which case a qualified audit service provider registered with the competent authorities should be engaged. Data controllers should implement corrective measures based on the findings of the first audit report. A second audit will be conducted to determine whether the situation has been improved, and whether the compliance target has been reached. The final report will be submitted to the competent authority.

The draft regulation also outlines the essential elements that require auditing and the obligations of audit service providers, and stipulates the penalties for non-compliance.

Summary of the PIPL (aspects of the Personal Information Protection Law (“PIPL”))

Effective date: November 1st, 2021.

Definition of personal data/personal information (“PI”): Personal information refers to any kind of information related to an identified or identifiable natural person as electronically or otherwise recorded, excluding information that has been anonymized (Article 4, PIPL). Personal information is information recorded electronically or in other ways that can be used, by itself or in combination with other information, to identify a natural person, including the name, date of birth, identification number, biometric information, residential address, telephone number, email address, health information, whereabouts and the like of the person (Article 1034, PRC Civil Code).

Minors’ personal data/personal information: Any personal information of minors under 14 years old is considered sensitive personal information. Processing personal information of minors should also comply with other applicable laws and regulations, including but not limited to the Law of the People’s Republic of China on the Protection of Minors, the Regulations on the Protection of Minors Online and the Provisions on the Protection of Minors at School.

Parties involved in data processing:
  • Data Processor: term used in the PIPL to designate the data controller (hereinafter referred to as “data controller”/“controller”);
  • Entrusted Processor: term used in the PIPL to designate the data processor (hereinafter referred to as “data processor”/“processor”).

Scope:
  • Territorial principle: the PIPL applies to data processing activities occurring in China.
  • Targeting principle: the PIPL applies to data processing activities occurring outside China but targeting natural persons in China:
    1. for the provision of products and/or services; or
    2. for analyzing their behavior.

General principles of processing:
  1. Lawfulness, legitimacy, necessity and good faith;
  2. Legitimate purpose;
  3. Data minimization;
  4. Openness and transparency;
  5. Accuracy and completeness;
  6. Security.

Legal basis for processing: The PIPL requires controllers to meet at least one of the following conditions for PI processing:
  1. Informed consent;
  2. Contract and labor management;
  3. Legal obligation;
  4. Emergency (public health/vital interest of individuals);
  5. News reporting; or
  6. Public interest purposes;
  7. PI disclosed to the public; and
  8. Other legal bases specified by other laws and regulations.
  The PIPL specifies that processing PI legally disclosed to the public does not require the consent of the data subject; however, the data subject has the right to refuse such processing, in which case the processing should be stopped.

Rights of data subjects:
  1. Right to information;
  2. Right to access;
  3. Right to rectification;
  4. Right to erasure/to be forgotten;
  5. Right to restriction of processing;
  6. Right to data portability;
  7. Right to object;
  8. Right not to be subject to automated decision-making;
  9. Right to make copies (associated with the right to access);
  10. Right to decide on the processing activities (associated with the right to restriction and the right to deny).

Protection measures: The PIPL requires controllers to keep a registry of important data processing activities (the scenarios listed under the impact assessment below). Most of the mandatory obligations for the protection of personal data and data subjects are undertaken and led by controllers, who should take appropriate technical and organizational measures to ensure the lawful processing of personal data. Processors are responsible for securing data, processing data as agreed in contractual arrangements and assisting controllers.

Impact assessment: A Personal Information Protection Impact Assessment (“PIPIA”) is required in the following scenarios:
  1. Cross-border transfer;
  2. Processing sensitive personal information;
  3. Processing personal information for decision-making;
  4. Providing personal information to third parties;
  5. Publicizing personal information;
  6. Any other scenario where data subjects’ rights and interests will be greatly impacted.
  PIPIA reports shall be kept for at least 3 years. The assessment methods are provided in the relevant Chinese national standards. In addition, a PIPIA report for a cross-border transfer shall follow an official template and be submitted to the competent authority for record-filing.

CBDT: Informing data subjects, obtaining separate consent where applicable and choosing one of the following tools to legitimize the transfer:
  1. Security Assessment organized by the competent authority (in some scenarios this is mandatory, not optional, for data exporters);
  2. Personal Information Protection Certification issued by licensed service providers;
  3. Standard Contract concluded between the data exporter and the data importer.

Breach notification: Report data breaches to the competent authority/authorities within 24 hours/immediately.
  Per a draft regulation released on December 8, 2023, the Administrative Measures for the Reporting of Cybersecurity Incidents, any serious cyber incident should be reported within 1 hour to the competent authority, with key details reported within 24 hours; the cyber incident disposal report should also be submitted within 5 working days after the incident is resolved.

Remedies: Data subjects may take legal action against the infringing party, and qualified organizations may also bring civil actions in the public interest.
Details of Administrative Penalties for Violation of the PIPL

Minor violations:
  • Order of rectification;
  • Warning;
  • Confiscation of illegal gains (if any);
  • (for software applications) order of suspension or termination of the service.

Where the violator refuses to rectify the illegal activities, besides the above:
  • Pecuniary fine (below RMB 1 million) on the violator;
  • Pecuniary fine (RMB 10k to RMB 100k) on the person directly in charge at the violator.

Severe violations:
  • Order of rectification by the competent authority at provincial level;
  • Confiscation of illegal gains (if any);
  • Pecuniary fine of up to RMB 50 million or 5% of the previous year’s turnover;
  • Suspension or termination of business, and cancellation of the relevant approvals or business license;
  • Pecuniary fine of RMB 100k to RMB 1 million on the person directly in charge; and
  • Such person directly in charge at the violator can be banned for a certain period of time from serving as director, supervisor, senior officer or PI protection officer of a relevant enterprise.