On August 20, 2021, China released the “Personal Information Protection Law”, which will become effective from Nov 1, 2021. In recent years, personal information protection legislation has been widely deployed worldwide, and it is reported that more than 120 countries have passed legislation to protect personal privacy. Among them, you may have heard of the EU’s General Data Protection Regulation (GDPR), the U.S.’s California Privacy Act (CPRA) and California Consumer Privacy Act (CCPA), China’s Network Security Law, and the law just released by the Chinese government mentioned above.

Organizations ranging from internet-based public service platforms and logistics service providers down to a single factory or even a trading company may all fall under the supervision of one or more privacy-related laws or regulations.

Important Contents

According to China’s “Personal Information Protection Law”, personal information is any information related to identified or identifiable natural persons, recorded electronically or by other means, excluding anonymized information. The processing of personal information includes, but is not limited to, the collection, storage, use, processing, transmission, provision, disclosure and deletion of personal information.

Taking the EU GDPR framework into account, China’s “Personal Information Protection Law” provides a localized approach to personal privacy protection, built on the important principles of internationally prevailing regulations. As with GDPR, the scope of application of the “Personal Information Protection Law” is not limited to activities within Mainland China.

The Chinese law has requirements similar to GDPR in the following respects: the definition of personal information, scope of application, the principle of minimal impact from processing methods, the principle of minimum scope of collection, the principle of shortest storage period, processing of sensitive information, handling of the personal information of minors, anonymization, processing of de-identified information, the obligation to provide security protection, the right to know, the right to object, the right to modify and delete, privacy impact assessment, data protection officer (DPO) appointment, control of contracted processing, notification of data leakage, and restrictions on automated decision-making and on face recognition, etc.

The Chinese law may have higher requirements than GDPR in the following respects: the legal basis for personal information processing, consent rules, protection of the personal information of the deceased, data localization requirements, additional obligations for large-scale personal information processors, cross-border data transfer security assessment, cross-border evidence retrieval, and administrative supervision.

China’s “Personal Information Protection Law” sets out four conditions under which personal information can be provided overseas from the perspective of network security and data sovereignty, as well as data localization requirements under certain circumstances.

Important obligations for personal information processors include: security controls, contracted processing controls, notification of data security incidents, privacy protection impact assessment, appointment of data protection officers, etc.

Relevant government departments will promote the construction of a social service system for personal information protection, and support relevant agencies to carry out personal information protection evaluation and certification services.

Legal Liabilities

The liabilities for violations of personal information protection law cover civil, administrative and criminal areas, and are quite stringent, supported with a multi-authority enforcement mechanism.

In terms of administrative penalties, an offending organization may be subject to suspension or termination of services, or a fine of up to RMB 50 million or 5% of the previous year’s turnover. In addition, the directly responsible persons or supervising persons may be subject to an industry-access prohibition, a fine of up to RMB 1 million, or even criminal liability.

Challenges

This new law in China will have a long-lasting impact on many kinds of organizations. It is challenging for many organizations to make and keep their operations compliant with these personal information-related laws and regulations. In practice, some large international companies have already been fined heavily by regulatory agencies such as those in the EU. To address and reduce these risks and challenges in a systematic way, some organizations have adopted, or are considering adopting, the international standard ISO 27701:2019 to establish a privacy information management system and obtain certification.

DQS Service

DQS provides ISO 27001:2013 Information Security Management System (ISMS) and ISO 27701:2019 Privacy Information Management System (PIMS) audit and certification services, with accreditation recognized by the International Accreditation Forum (IAF).

Furthermore, DQS Academy provides related training courses, including Lead Auditor, Internal Auditor, Data Protection Officer and Cloud Security Manager, etc.

Note:

This article is for reference only for an organization planning a management system and does not constitute legal advice. Before any decision or action associated with a law or regulation, you should consult your lawyer.

On 20 August 2021, Mainland China promulgated the “Personal Information Protection Law”, which will formally take effect on 1 November 2021. In recent years, personal information protection legislation has spread widely around the world; it is reported that more than 120 countries have already enacted legislation to protect personal privacy. Among the more influential are the EU’s General Data Protection Regulation (GDPR), the U.S.’s California Privacy Rights Act (CPRA) and California Consumer Privacy Act (CCPA), China’s Network Security Law, and the newly released “Personal Information Protection Law”. Organizations ranging from internet public service platforms and logistics service providers down to a single factory or even a trading company may all fall within the regulatory scope of one or more privacy-related laws and regulations.

Important Contents

According to China’s “Personal Information Protection Law”, personal information is any information, recorded electronically or by other means, that relates to an identified or identifiable natural person, excluding information that has been anonymized. The processing of personal information includes the collection, storage, use, processing, transmission, provision, disclosure and deletion of personal information, among other activities.

China’s “Personal Information Protection Law” draws on the framework of the EU GDPR and, building on the important principles of internationally prevailing regulations, proposes a localized approach to personal privacy protection. As with the principles of GDPR, the scope of application of the “Personal Information Protection Law” is not limited to activities within Mainland China.

In addition, the law is fairly similar to GDPR in the following respects: the definition of personal information, the parties subject to regulation, the principle of minimal impact from processing methods, the principle of minimum scope of collection, the principle of shortest storage period, processing of sensitive information, processing of the personal information of minors, anonymization, processing of de-identified information, the obligation to ensure security, the right to know, the right to object, the right to modify and delete, privacy impact assessment, the responsible person (DPO) system, control of entrusted processing, notification of data leakage, and restrictions on automated decision-making and face recognition, etc.

With regard to the legal basis for personal information processing, consent rules, protection of the personal information of the deceased, data localization requirements, additional obligations for processors of large volumes of personal information, security assessment of outbound data transfers, cross-border evidence retrieval and administrative supervision, China’s “Personal Information Protection Law” appears to impose higher requirements than GDPR.

Proceeding from network security and data sovereignty, China’s “Personal Information Protection Law” sets out four conditions under which personal information may be provided outside the country, as well as data localization requirements under specific circumstances.

Important obligations of personal information processors include: adopting security safeguards, controlling entrusted processing, notifying data security incidents, conducting privacy protection impact assessments, appointing a data protection officer, etc.

Relevant government departments will promote the development of a socialized service system for personal information protection and support relevant institutions in providing personal information protection assessment and certification services.

Legal Liabilities

Under this law, liability for violations of personal information protection covers the civil, administrative and criminal areas, is very stringent, and is enforced through a multi-department enforcement mechanism. In terms of administrative penalties, an offending entity may be subject to suspension or termination of services, or a fine of up to RMB 50 million or 5% of the previous year’s turnover; in addition, the directly responsible persons or supervisors may be subject to a market-entry prohibition, a fine of up to RMB 1 million, or criminal prosecution.

Challenges

This law has a far-reaching impact on the operations of many kinds of organizations. Ensuring over the long term that operations fully comply with these personal information-related regulations poses a considerable challenge to organizations. In practice, a number of large international companies have already been fined heavily by regulators such as those in the EU. To systematically address and reduce the risks and challenges arising from compliance with the various personal information-related regulations, some organizations have already established, or are considering establishing, a privacy information management system based on the international standard ISO 27701:2019 and obtaining certification.

DQS Services

DQS provides ISO 27001:2013 Information Security Management System and ISO 27701:2019 Privacy Information Management System audit and certification, with accreditation recognized by member bodies of the International Accreditation Forum (IAF).
DQS Academy provides related training courses such as Lead Auditor, Internal Auditor, Data Protection Officer and Cloud Security Manager.

Note:

This article is intended only as a reference for organizations planning a management system and is not intended as legal advice. Before making any decision or taking any action based on the relevant laws and regulations, you should first seek the advice of a lawyer.