On August 20, 2021, China released the “Personal Information Protection Law”, which will become effective from Nov 1, 2021. In recent years, personal information protection legislation has been widely deployed worldwide, and it is reported that more than 120 countries have passed legislation to protect personal privacy. Among them, you may have heard about the EU’s General Data Protection Regulation (GDPR), the U.S.’s California Privacy Act (CPRA), the California Consumer Privacy Act (CCPA), China’s Network Security Law, and the above law just released by the Chinese government.
Organizations ranging from internet-based public service platforms and logistics service providers down to a single factory or even a trading company may all fall under the supervision of one or more privacy-related laws or regulations.
According to China’s “Personal Information Protection Law”, personal information is any kind of information related to identified or identifiable natural persons, recorded electronically or by other means, excluding anonymized information. The processing of personal information includes, but is not limited to, the collection, storage, use, processing, transmission, provision, disclosure and deletion of personal information.
Taking into account the EU GDPR framework, China’s “Personal Information Protection Law” provides a localized approach for personal privacy protection, on the basis of the important principles of the internationally prevailing regulations. Similar to the principles of GDPR, the “Personal Information Protection Law” is not limited to activities within Mainland China in terms of its scope of application.
This law in China has similar requirements to GDPR in the following perspectives: the definition of personal information, application scope, principle of minimal impact from processing approaches, principle of minimum scope of collection, principle of shortest storage period, processing of sensitive information, handling of personal information of minors, anonymization, processing of de-identified information, obligation for security protection, right to know, right to object, right to modify and delete, privacy impact assessment, data protection officer (DPO) appointment, control of contracted processing, notification of data leakage, restrictions on automated decision-making and on face recognition, etc.
This law in China may have higher requirements than GDPR in the following perspectives: the legal basis of personal information processing, consent rules, personal information protection of the deceased, data localization requirements, additional obligations for large-scale personal information processors, cross-border data transfer security assessment, cross-border evidence retrieval, and administrative supervision.
China’s “Personal Information Protection Law” sets out four conditions under which personal information can be provided overseas from the perspective of network security and data sovereignty, as well as data localization requirements under certain circumstances.
Important obligations for personal information processors include: security controls, contracted processing controls, notification of data security incidents, privacy protection impact assessment, appointment of data protection officers, etc.
Relevant government departments will promote the construction of a social service system for personal information protection, and support relevant agencies to carry out personal information protection evaluation and certification services.
The liabilities for violations of personal information protection law cover civil, administrative and criminal areas, and are quite stringent, supported with a multi-authority enforcement mechanism.
In terms of administrative penalties, an offending organization may be subject to suspension or termination of services, or a fine of up to RMB 50 million or 5% of the previous year’s turnover. In addition, the directly responsible persons or supervising persons may be subject to industry-access prohibition, a fine of up to RMB 1 million, or even criminal responsibility.
This new law in China will have a long-lasting impact on many kinds of organizations. It is challenging for many organizations to make and keep their operations risk-free in terms of compliance with these personal information-related laws and regulations. In practice, some large international companies have been fined heavily by regulatory agencies such as those in the EU. To address and reduce the risks and challenges in a systematic way, some organizations have adopted, or are considering adopting, the international standard ISO 27701:2019 to establish a privacy information management system and obtain certification.
DQS provides ISO 27001:2013 Information Security Management System (ISMS) and ISO 27701:2019 Privacy Information Management System (PIMS) audit and certification services, with accreditation recognized by the International Accreditation Forum (IAF).
This article is for reference only, intended for an organization planning a management system, and does not constitute legal advice. For a decision or action associated with the law or regulation, you should consult your lawyer in advance.
On August 20, 2021, Mainland China promulgated the “Personal Information Protection Law”, which will formally take effect from November 1, 2021. In recent years, personal information protection legislation has been widely enacted around the world; it is reported that more than 120 countries have already passed legislation to protect personal privacy. Among the more influential ones are the EU’s General Data Protection Regulation (GDPR), the U.S. California Privacy Rights Act (CPRA) and California Consumer Privacy Act (CCPA), and China’s Network Security Law and the newly released Personal Information Protection Law. From large internet public service platforms and logistics service providers down to a single factory or even a trading company, all may fall within the regulatory scope of one or more privacy-related laws.
This law will have a far-reaching impact on the operation of many kinds of organizations. Ensuring over the long term that operations fully comply with these personal information-related regulations poses a considerable challenge to organizations. In practice, some large international companies have already been fined heavily by regulators such as those in the EU. To systematically address and reduce the compliance risks and challenges arising from the various personal information-related regulations, some organizations have established, or are considering establishing, a privacy information management system based on the international standard ISO 27701:2019 and obtaining certification.