Background:
On 20 August 2021, the Personal Information Protection Law of the People's Republic of China (hereinafter as the “PIPL”) was adopted at the 30th session of the Standing Committee of the 13th National People's Congress, effective as of 1 November 2021. The PIPL is the fundamental law in personal information (“PI”) protection sphere and together with the Cybersecurity law (hereinafter as the “CSL”) and the Data Security Law (hereinafter as the “DSL”), it outlines the data regulatory framework in China. The PIPL embraces the new era of PI protection as well as corporate compliance and may materially change product design and compliance setting practices. In this article, we will analyze the key contents of the PIPL and provide you with a practical compliance guideline for a better grasp of the implication of the law on your businesses.
1. Basic concepts of the PIPL
1.1. Applicable scope
The PIPL applies to any handling of PI which is carried out within the territory of the People's Republic of China.[1] That is to say, any organization or individual conducting PI handling activities within the territory of China is subject to the PIPL. This law also possesses extra-territorial effect. Art.3 para.2 specifies that any handling of PI of individuals residing in China which is carried out outside the territory of China is subject to the law where any of the following circumstances exists, i.e., where the handling activities are related to the offering of goods or services to natural persons residing in China, where the handling activities are related to the analyzing and assessing of behaviors of natural persons residing in China, or as otherwise provided by law and administrative regulations. For instance, overseas online shopping websites with setting option of Chinese language, Chinese currency, direct shipping services or even local marketing promotions engagement may be deemed as meeting the criteria of Art.3 para2 and therefore subject to the PIPL.
For organizations or individuals subject to the PIPL due to Art.3 para 2, the law also requires the establishment of specific agency or delegated representative (equivalent to the Representatives under Art.27 of the GDPR) within China to fulfil related PI protection obligations and the contact detail of such specific agency or delegated representative shall be filed to relevant authorities for records.[2]
1.2. Legal accordance
The very first article of the PIPL states that the law is enacted in accordance with the Constitution to protect PI rights and interests, regulate activities of PI handling and promote reasonable use of PI, which duly reflects that China respects and protects human rights and the dignity of citizens from any violations. The freedom and confidentiality of communications of citizens are protected by law.
1.3. Key definitions
The PIPL makes definitions of key concepts relating to PI handling.
Personal information refers to any kind of information related to an identified or identifiable natural person as electronically or otherwise recorded, excluding information that has been anonymized.[3]
Handling of personal information includes the collection, storage, use, processing, transmission, provision, disclosure, and deletion of PI.[4]
PI handler under the PIPL refers to any organization or individual that independently determines the purpose and method of handling in their activities of processing of personal information which is substantially equivalent to the concept of controller under the GDPR.[5]
It is worth noticing that the PIPL newly proposes the notion of “small-scale PI handler”, we understand that the CAC together with relevant authorities will issue specific PI protection rules with respect to such handlers in the near future.[6] Though the definition of small-scale PI handler would require further clarification.
2. Seven principles relating to the handling of PI
The principles relating to the handling of PI shall be implemented throughout the full lifecycle of PI handling activities and are greatly related to the PI protection obligations as well as internal PI compliance management of PI handlers. In this section we will elaborate each of the principles especially with regard to compliance practices and law enforcement focuses.

Chart 1. Principles PIPL v. GDPR
Lawfulness, legitimacy, necessity and good faith. Art.5 specifies that PI shall be handled in accordance with the principle of lawfulness, legitimacy, necessity and good faith, and not in any manner that is misleading, fraudulent or coercive. It is worth noticing that the PIPL set necessity as an equivalence of lawfulness, legitimacy and good faith, demonstrating that necessity has become the focus of PI protection administration. Combining with the recently released Rules on the Scope of Necessary Personal Information for Common Types of Mobile Internet Applications by the Cyberspace Administration of China (“CAC”) as well as the principle of purpose limitation and data minimisation below, companies shall ensure that the PI handling is directly related to the purposes thereof and the PI collection frequency and amount shall be limited to the minimum scope necessary for achieving the purpose.
Purpose limitation and data minimisation. Art.6 stipulates that PI handling shall be conducted for explicit and reasonable purposes, the handling shall be directly relevant to the purpose thereof. Though the determination of “directly related” will need further clarification.[8]In addition, PI collected shall be limited to what is necessary in relation to the purposes to which they are processed.
Transparency. Art.7 and Art.17 (information to be provided) lays down the transparency fundamentals under the PIPL. Such requirements are generally performed through the making of privacy policy by companies. Art. 17 stresses that information relating to PI handling shall be provided prior to the handling activities in a complete manner, which indicates that companies should avoid using wording of “etc.” or “such as” in their privacy policy and relevant documents. In terms of the content, company shall include all items required under the Art. 17 in its privacy policy and the PIPL puts additional disclosure requirements for specific scenarios such as PI transmission under merger, acquisition, dissolution and etc.,[9]sharing of PI,[10]handling of sensitive PI[11]and PI cross-border transfer.[12]In terms of modality, such privacy policy shall be delivered to each individuals prior to the handling activities in a notable manner, e.g., at account registration page via tick box or pop-up window. Besides, privacy policy shall be easily accessible, e.g., to be placed at website homepage, App user setting section and etc.
PI quality. The quality of PI shall be ensured to avoid any negative impact on personal rights and interests due to any inaccuracy or incompleteness of the PI handled.
Accountability and data security. Art.9 is the underlying cornerstone of Chapter V “PI handler obligations”, especially regarding the development of internal data security management system and operating procedures, access control, compliance awareness training etc. at both technical and organizational[13], as well as the designation of PI protection officer.[14]
3. Legal bases for PI handling
The PIPL provides seven legal bases for PI handling as listed in the chart below and breaks through the situation set by the CSL where consent was the only legal basis recognized.[15]The PIPL, as opposed to the GDPR, innovatively proposed the legal bases of “necessary for the performance of human resource management under labor rules or collective labor contract made in accordance with the laws” and “utilization of public PI (self-disclosed PI and PI otherwise disclosed legitimately) within reasonable scope”.

Chart 2. Legal bases PIPL v. GDPR
3.1. Conditions for valid consent
The PIPL specifies that valid consent shall be fully informed, freely given, specific and easy to withdraw.[16] “Tying” the provision of a contract or a service to a request for consent to process PI that are not necessary for the performance of that contract or service is not allowed.[17] Where PI handling activities are conducted on the basis of consent, PI subjects have the right to withdraw their consent and PI handlers shall provide convenient channel for such withdrawal. Validity of any PI handling activity conducted based on consent prior to such withdrawal would not be affected.[18] Companies shall establish internal standard for valid consent obtainment and review, provide effective method for withdrawal of consent. Though the PIPL, as opposed to the GDPR, does not require yet that withdrawal shall be as easy as the granting of consent, good industrial practice such as providing direct withdrawal option at App account setting page and etc. is highly suggested.
3.2. Separate consent
The PIPL sets separate consent requirement for various scenarios such as sharing of PI, handling of sensitive PI and PI cross-border transfer. Though what truly constitutes separate consent under the PIPL will require further specification, we understand that PI handler shall at least ensure that PI subjects are allowed to give consent for such handling activities respectively, rather than having to consent to a bundle of handling purposes. The separate consent requirement will have great impact on PI handlers especially with respect to the legality of handling activities concerned as well as product compliance settings. We recommended that companies sort out the scenarios of its services that require separate consent in advance and pay close attention to the latest good industrial practices.
4. Specific scenarios relating to PI handling
Sharing of PI. Article 20 and 21 specifies requirements with respect to joint handling and entrusted handling under the PIPL which resembles those of the GDPR. Joint handlers shall determine respective compliance responsibilities through arrangement and shall bear joint liabilities for damages caused by infringing upon personal information rights and interests. Entrusted parties (substantially equivalent to Processor under the GDPR) shall conduct data handing as instructed and shall also fulfill PI security and assistance obligations as required by the law.[19]
Automated decision making. Article 24 of the PIPL, echoing the social concerns, specifies that where PI handlers make use of PI to make automatic decision, it shall ensure the transparency and fairness of such decision and shall not impose unreasonable discriminatory treatment on individuals in respect of transaction price and other transaction conditions. Convenient exit option or non-targeted option shall be provided to users when conducting promotional marketing or message push via automated decision making. Individuals have the right to require PI handlers to make explanation and reject the decision solely made through automatic decision-making.
Handling of sensitive PI. Sensitive PI as defined in Art 28 refers to personal information that is likely to cause detriment to dignity of natural persons or damage to one’s personal or property safety once leaked or illegally used. The PIPL specifically includes PI of minors under the age of 14 as sensitive PI, PI handlers shall obtain parental consent and set specific PI handling rules.[20]In addition, handling of sensitive PI shall meet specific transparency requirement regarding necessity of the handling concerned as well as the impact of such handling on one’s personal rights and interests, obtain separate consent and conduct PI protection impact assessment. In practice, we recommend companies based on PI classification take more stringent measures concerning sensitive PI protection, develop minor mode with respect to its products and services and incorporate verifiable parental consent setting for example via email and publicize children privacy statement respectively.
In addition, the PIPL also sets specific rules with regard to PI handling at public places necessary for maintaining public security and handling of public PI, which further indicates that the PIPL responding to social development continuously improve its administration of PI handling activities.[21]
5. Cross-border transfer of PI
The cross-border transfer of PI has always been the compliance focus. The PIPL considering China’s national conditions proposes a set of comprehensive PI cross-border transfer paths. It is worth noticing that the PIPL stresses that PI handlers shall ensure that any PI cross-border transfer will not compromise the PI protection level prescribed by this law, which puts out substantial compliance requirements on PI handlers.[22]

Picture 1. PI cross-border transfer mechanism
5.1. General requirements
Companies involved in cross-border transfer of PI shall take necessary measures to ensure that PI handling activities by the overseas recipients meet the standards for PI protection as prescribed by this law. In practice, such substantial requirement can be fulfilled through contractual arrangements, regular review and audits and technical monitoring. In addition, PI handlers shall meet the transparency requirement and provide adequate information with respect such cross-border transfer activities (e.g., name of the overseas recipient, contact information, purpose and method of handling, type of PI and etc. as required in Art.39 of the PIPL) and conduct PI protection impact assessment (equivalent to DPIA under the GDPR) prior to the conduct of any PI cross-border transfer activities.
As regard the obtainment of separate consent, one interpretation is that separate consent is only required where such handling is conducted on the basis of consent, as Art.13 para.2 specifies that where other legal bases suffice, consent is not required. Another interpretation is that separate consent herein prevails other legal bases. Further clarification may need to be provided.
In addition to the general requirements above, companies shall also pay attention to industrial specific regulations, for instance that newly released Several Provisions on Automotive Data Security Management (for Trial Implementation) stipulates that PI of more than 100,000 PI subjects belongs to Important Data and is subject to localization requirements.
5.2. Localization of storage
The PIPL Article 40 specifies that Critical Information Infrastructure Operators (“CIIOs”) and data handlers reaching the threshold of the amount of PI under processing prescribed by the State Cyberspace Administrative Departments shall store the PI generated and collected in China within the territory of China and shall pass the security assessment by the State Cyberspace Administrative Departments when such PI is truly necessary to be transferred outside the territory of China. That is to say, companies, especially MNCs with global system, can no longer transfer the regulated data subject to localization requirements to its servers overseas directly. The needs to set up local IT infrastructure and data center are getting unavoidable. In addition, remote access by parent company to data center of its subsidiaries located within the territory of China would also fall into the regulatory scope of cross-border transfer.
In term of the determination of Critical Information Infrastructure (“CII”), the newly released Security Protection Regulations for Critical Information Infrastructure (hereinafter as the “Regulations”) would shed some light with CII definition.[23]In accordance with the Regulations, relevant authorities in light of the actual conditions of respective industries and fields shall develop specific rules for the identification of CII and file with the public security departments under the State Council for records.[24]Further specification regarding the security assessment, for instance whether such assessment should be conducted on annual basis or in accordance with related PI handling purposes, will need to be clarified. We recommend companies keep a close eye on any legislative developments.
5.3. Chinese SCCs and certification
The PIPL Article 38 states that besides as provided in Article 40, data handlers shall either enter into contracts with the overseas recipients in accordance with the Standard Contracts to be formulated by the State Cyberspace Administration Departments (substantially equivalent to SCCs under the GDPR) or conduct personal information protection certification by designated institutions unless otherwise prescribed by laws, administrative regulations or by the State Cyberspace Administrative Departments. The Chinese Standard Contracts was not yet released, we understand that, with reference to EU SCCs and ASEAN MCCs, at least the nature and scope of handlings, method and frequency of handlings as well as respective rights and obligations of parties involved shall be specified.
6. China’s blocking provision and others
The PIPL imposes control on request of data by foreign judicial or law enforcement agencies. The PIPL Article 41 stipulates that no organization or individual within the territory of China can provide foreign judicial or law enforcement authorities with data stored within the territory of China without the approval of competent authorities. The PIPL sets substantial liabilities for violating this provision, competent authorities may order for rectification, suspension or termination of violating App or services, confiscate illegal gains, revoke related business licenses and permits, make fines for 50 million yuan or 5% of its turnover of the previous year at most at company level and 1 million yuan at most for directly responsible person in charge.[25]When confronting unreasonable request by foreign judicial or law enforcement agencies, companies can resort to this provision as legal basis, therefore the approval mechanism under Article 41 is taken as important system to protect data sovereignty and the legitimate rights and interests of companies and individuals. Yet it is worth noticing that such provision may affect domestic companies or MNCs involving in evidence disclosure and information gathering requests for foreign criminal proceedings, civil proceedings, and administrative investigations. The specific approval procedures are left to be further specified.
The PIPL Article 43 echoing the current international situations states that China may adopt equivalent countermeasures against any prohibitive or restrictive measures imposed by any country or region in terms of data related investment or trade. Where any overseas organization or individual engages in the PI processing activities infringing upon the PI rights and interests of citizens of China or endangering the national security and public interests of China, the CAC may include such organization or individual in the restrictive or prohibitive lists of subjects and take corresponding measures.[26]
7. Rights of PI subject
The PIPL in its Chapter IV comprehensively prescribes the ten rights by PI subject as shown in the chart below. The PIPL incorporates the right to data portability which states that where PI subjects request to transfer his/her personal information to another designated PI handler, such request shall be fulfilled by PI handlers when conditions stipulated by the CAC are met.[27]Such provision may help improve the current data monopoly or “data island” situation. Article 50 of the PIPL requires that PI handlers shall establish convenient response mechanism for request of PI subjects to exercise their rights. Where PI handlers refuse such request, PI subjects may file a lawsuit with the People's Court in accordance with the law.

Chart 3. Right by PI subjects PIPL v. GDPR v. CCPA
Article 49 of the PIPL specifies that where a natural person dies, his/her close relatives may, for the purpose of their own lawful and legitimate interests, exercise such rights as accessing, copying, rectifying and deleting the relevant PI of the deceased as prescribed herein, unless otherwise arranged by the deceased prior to his/her death. Companies responding to such request can require the close relatives of the deceased to specify their purposes and at the same time review whether the deceased has made other arrangements.
8. Obligations of PI handlers
Article 51 to 57 describes the basic obligations of PI handlers, which specifies that companies shall set up internal PI protection scheme with the guarantee of organizational structuring and policy making on the basis of PI security. Obligations of PI handlers are categorized as shown in the picture below.

Picture 2. Basic obligations of PI handlers
Article 58 of the PIPL innovatively proposes obligations on PI handlers providing important Internet platform services with a large number of users and complicated business types. Such larger internet platform services provider shall for example establish independent supervisory body mainly composed of external members to supervise its PI protection work, formulate platform rules specifying the standards for PI handling by products or operators within the platform and corresponding obligations, monitor related conducts of on-platform operators and regularly release social responsibility reports on PI protection for social supervision.
[Note]
[1]Personal Information Protection Law of the People's Republic of China, Art.3 para1.
[2]Personal Information Protection Law of the People's Republic of China, Art.53.
[3]Personal Information Protection Law of the People's Republic of China, Art.4.
[4]Ibid.
[5] Personal Information Protection Law of the People's Republic of China, Art.73.
[6]Personal Information Protection Law of the People's Republic of China, Art.62.
[7]Though the PIPL, as opposed to the GDPR, does not include storage limitation in the principles relating to PI handling, it specifies in its Art.19 that PI shall be the minimum period necessary for achieving the purpose of handling, unless any law or administrative regulations stipulate otherwise.
[8]The GB/T 35273—2020 PI Specification defines “directly connected” as the function of the product or service cannot be realized without the PI collect.
[9]Personal Information Protection Law of the People's Republic of China, Art.22.
[10]Personal Information Protection Law of the People's Republic of China, Art.23.
[11]Personal Information Protection Law of the People's Republic of China, Art.30.
[12]Personal Information Protection Law of the People's Republic of China, Art.39.
[13]Personal Information Protection Law of the People's Republic of China, Art.51.
[14]Personal Information Protection Law of the People's Republic of China, Art.52.
[15]Personal Information Protection Law of the People's Republic of China, Art.13.
[16]Personal Information Protection Law of the People's Republic of China, Art.14, Art.15.
[17]Personal Information Protection Law of the People's Republic of China, Art.16.
[18]Personal Information Protection Law of the People's Republic of China, Art.15.
[19]Personal Information Protection Law of the People's Republic of China, Art.59.
[20]Personal Information Protection Law of the People's Republic of China, Art.31.
[21]Personal Information Protection Law of the People's Republic of China, Art.26, Art.28.
[22]Personal Information Protection Law of the People's Republic of China, Art.38.
[23]Security Protection Regulations for Critical Information Infrastructure, Article 2.
[24]Security Protection Regulations for Critical Information Infrastructure, Article 9.
[25]Personal Information Protection Law of the People's Republic of China, Art.66.
[26]Personal Information Protection Law of the People's Republic of China, Art.42.
[27]Personal Information Protection Law of the People's Republic of China, Art.45, para.2.
On 20 August 2021, the Personal Information Protection Law of the People's Republic of China (hereinafter as the “PIPL”) was adopted at the 30th session of the Standing Committee of the 13th National People's Congress, effective as of 1 November 2021. The PIPL is the fundamental law in personal information (“PI”) protection sphere and together with the Cybersecurity law (hereinafter as the “CSL”) and the Data Security Law (hereinafter as the “DSL”), it outlines the data regulatory framework in China. The PIPL embraces the new era of PI protection as well as corporate compliance and may materially change product design and compliance setting practices. In this article, we will analyze the key contents of the PIPL and provide you with a practical compliance guideline for a better grasp of the implication of the law on your businesses.
1. Basic concepts of the PIPL
1.1. Applicable scope
The PIPL applies to any handling of PI which is carried out within the territory of the People's Republic of China.[1] That is to say, any organization or individual conducting PI handling activities within the territory of China is subject to the PIPL. This law also possesses extra-territorial effect. Art.3 para.2 specifies that any handling of PI of individuals residing in China which is carried out outside the territory of China is subject to the law where any of the following circumstances exists, i.e., where the handling activities are related to the offering of goods or services to natural persons residing in China, where the handling activities are related to the analyzing and assessing of behaviors of natural persons residing in China, or as otherwise provided by law and administrative regulations. For instance, overseas online shopping websites with setting option of Chinese language, Chinese currency, direct shipping services or even local marketing promotions engagement may be deemed as meeting the criteria of Art.3 para2 and therefore subject to the PIPL.
For organizations or individuals subject to the PIPL due to Art.3 para 2, the law also requires the establishment of specific agency or delegated representative (equivalent to the Representatives under Art.27 of the GDPR) within China to fulfil related PI protection obligations and the contact detail of such specific agency or delegated representative shall be filed to relevant authorities for records.[2]
1.2. Legal accordance
The very first article of the PIPL states that the law is enacted in accordance with the Constitution to protect PI rights and interests, regulate activities of PI handling and promote reasonable use of PI, which duly reflects that China respects and protects human rights and the dignity of citizens from any violations. The freedom and confidentiality of communications of citizens are protected by law.
1.3. Key definitions
The PIPL makes definitions of key concepts relating to PI handling.
Personal information refers to any kind of information related to an identified or identifiable natural person as electronically or otherwise recorded, excluding information that has been anonymized.[3]
Handling of personal information includes the collection, storage, use, processing, transmission, provision, disclosure, and deletion of PI.[4]
PI handler under the PIPL refers to any organization or individual that independently determines the purpose and method of handling in their activities of processing of personal information which is substantially equivalent to the concept of controller under the GDPR.[5]
It is worth noticing that the PIPL newly proposes the notion of “small-scale PI handler”, we understand that the CAC together with relevant authorities will issue specific PI protection rules with respect to such handlers in the near future.[6] Though the definition of small-scale PI handler would require further clarification.
2. Seven principles relating to the handling of PI
The principles relating to the handling of PI shall be implemented throughout the full lifecycle of PI handling activities and are greatly related to the PI protection obligations as well as internal PI compliance management of PI handlers. In this section we will elaborate each of the principles especially with regard to compliance practices and law enforcement focuses.

Chart 1. Principles PIPL v. GDPR
Lawfulness, legitimacy, necessity and good faith. Art.5 specifies that PI shall be handled in accordance with the principle of lawfulness, legitimacy, necessity and good faith, and not in any manner that is misleading, fraudulent or coercive. It is worth noticing that the PIPL set necessity as an equivalence of lawfulness, legitimacy and good faith, demonstrating that necessity has become the focus of PI protection administration. Combining with the recently released Rules on the Scope of Necessary Personal Information for Common Types of Mobile Internet Applications by the Cyberspace Administration of China (“CAC”) as well as the principle of purpose limitation and data minimisation below, companies shall ensure that the PI handling is directly related to the purposes thereof and the PI collection frequency and amount shall be limited to the minimum scope necessary for achieving the purpose.
Purpose limitation and data minimisation. Art.6 stipulates that PI handling shall be conducted for explicit and reasonable purposes, the handling shall be directly relevant to the purpose thereof. Though the determination of “directly related” will need further clarification.[8]In addition, PI collected shall be limited to what is necessary in relation to the purposes to which they are processed.
Transparency. Art.7 and Art.17 (information to be provided) lays down the transparency fundamentals under the PIPL. Such requirements are generally performed through the making of privacy policy by companies. Art. 17 stresses that information relating to PI handling shall be provided prior to the handling activities in a complete manner, which indicates that companies should avoid using wording of “etc.” or “such as” in their privacy policy and relevant documents. In terms of the content, company shall include all items required under the Art. 17 in its privacy policy and the PIPL puts additional disclosure requirements for specific scenarios such as PI transmission under merger, acquisition, dissolution and etc.,[9]sharing of PI,[10]handling of sensitive PI[11]and PI cross-border transfer.[12]In terms of modality, such privacy policy shall be delivered to each individuals prior to the handling activities in a notable manner, e.g., at account registration page via tick box or pop-up window. Besides, privacy policy shall be easily accessible, e.g., to be placed at website homepage, App user setting section and etc.
PI quality. The quality of PI shall be ensured to avoid any negative impact on personal rights and interests due to any inaccuracy or incompleteness of the PI handled.
Accountability and data security. Art.9 is the underlying cornerstone of Chapter V “PI handler obligations”, especially regarding the development of internal data security management system and operating procedures, access control, compliance awareness training etc. at both technical and organizational[13], as well as the designation of PI protection officer.[14]
3. Legal bases for PI handling
The PIPL provides seven legal bases for PI handling as listed in the chart below and breaks through the situation set by the CSL where consent was the only legal basis recognized.[15]The PIPL, as opposed to the GDPR, innovatively proposed the legal bases of “necessary for the performance of human resource management under labor rules or collective labor contract made in accordance with the laws” and “utilization of public PI (self-disclosed PI and PI otherwise disclosed legitimately) within reasonable scope”.

Chart 2. Legal bases PIPL v. GDPR
3.1. Conditions for valid consent
The PIPL specifies that valid consent shall be fully informed, freely given, specific and easy to withdraw.[16] “Tying” the provision of a contract or a service to a request for consent to process PI that are not necessary for the performance of that contract or service is not allowed.[17] Where PI handling activities are conducted on the basis of consent, PI subjects have the right to withdraw their consent and PI handlers shall provide convenient channel for such withdrawal. Validity of any PI handling activity conducted based on consent prior to such withdrawal would not be affected.[18] Companies shall establish internal standard for valid consent obtainment and review, provide effective method for withdrawal of consent. Though the PIPL, as opposed to the GDPR, does not require yet that withdrawal shall be as easy as the granting of consent, good industrial practice such as providing direct withdrawal option at App account setting page and etc. is highly suggested.
3.2. Separate consent
The PIPL sets separate consent requirement for various scenarios such as sharing of PI, handling of sensitive PI and PI cross-border transfer. Though what truly constitutes separate consent under the PIPL will require further specification, we understand that PI handler shall at least ensure that PI subjects are allowed to give consent for such handling activities respectively, rather than having to consent to a bundle of handling purposes. The separate consent requirement will have great impact on PI handlers especially with respect to the legality of handling activities concerned as well as product compliance settings. We recommended that companies sort out the scenarios of its services that require separate consent in advance and pay close attention to the latest good industrial practices.
4. Specific scenarios relating to PI handling
Sharing of PI. Article 20 and 21 specifies requirements with respect to joint handling and entrusted handling under the PIPL which resembles those of the GDPR. Joint handlers shall determine respective compliance responsibilities through arrangement and shall bear joint liabilities for damages caused by infringing upon personal information rights and interests. Entrusted parties (substantially equivalent to Processor under the GDPR) shall conduct data handing as instructed and shall also fulfill PI security and assistance obligations as required by the law.[19]
Automated decision making. Article 24 of the PIPL, echoing the social concerns, specifies that where PI handlers make use of PI to make automatic decision, it shall ensure the transparency and fairness of such decision and shall not impose unreasonable discriminatory treatment on individuals in respect of transaction price and other transaction conditions. Convenient exit option or non-targeted option shall be provided to users when conducting promotional marketing or message push via automated decision making. Individuals have the right to require PI handlers to make explanation and reject the decision solely made through automatic decision-making.
Handling of sensitive PI. Sensitive PI as defined in Art 28 refers to personal information that is likely to cause detriment to dignity of natural persons or damage to one’s personal or property safety once leaked or illegally used. The PIPL specifically includes PI of minors under the age of 14 as sensitive PI, PI handlers shall obtain parental consent and set specific PI handling rules.[20]In addition, handling of sensitive PI shall meet specific transparency requirement regarding necessity of the handling concerned as well as the impact of such handling on one’s personal rights and interests, obtain separate consent and conduct PI protection impact assessment. In practice, we recommend companies based on PI classification take more stringent measures concerning sensitive PI protection, develop minor mode with respect to its products and services and incorporate verifiable parental consent setting for example via email and publicize children privacy statement respectively.
In addition, the PIPL also sets specific rules with regard to PI handling at public places necessary for maintaining public security and handling of public PI, which further indicates that the PIPL responding to social development continuously improve its administration of PI handling activities.[21]
5. Cross-border transfer of PI
The cross-border transfer of PI has always been the compliance focus. The PIPL considering China’s national conditions proposes a set of comprehensive PI cross-border transfer paths. It is worth noticing that the PIPL stresses that PI handlers shall ensure that any PI cross-border transfer will not compromise the PI protection level prescribed by this law, which puts out substantial compliance requirements on PI handlers.[22]

Picture 1. PI cross-border transfer mechanism
5.1. General requirements
Companies involved in cross-border transfer of PI shall take necessary measures to ensure that PI handling activities by the overseas recipients meet the standards for PI protection as prescribed by this law. In practice, such substantial requirement can be fulfilled through contractual arrangements, regular review and audits and technical monitoring. In addition, PI handlers shall meet the transparency requirement and provide adequate information with respect such cross-border transfer activities (e.g., name of the overseas recipient, contact information, purpose and method of handling, type of PI and etc. as required in Art.39 of the PIPL) and conduct PI protection impact assessment (equivalent to DPIA under the GDPR) prior to the conduct of any PI cross-border transfer activities.
As regard the obtainment of separate consent, one interpretation is that separate consent is only required where such handling is conducted on the basis of consent, as Art.13 para.2 specifies that where other legal bases suffice, consent is not required. Another interpretation is that separate consent herein prevails other legal bases. Further clarification may need to be provided.
In addition to the general requirements above, companies shall also pay attention to industrial specific regulations, for instance that newly released Several Provisions on Automotive Data Security Management (for Trial Implementation) stipulates that PI of more than 100,000 PI subjects belongs to Important Data and is subject to localization requirements.
5.2. Localization of storage
The PIPL Article 40 specifies that Critical Information Infrastructure Operators (“CIIOs”) and data handlers reaching the threshold of the amount of PI under processing prescribed by the State Cyberspace Administrative Departments shall store the PI generated and collected in China within the territory of China and shall pass the security assessment by the State Cyberspace Administrative Departments when such PI is truly necessary to be transferred outside the territory of China. That is to say, companies, especially MNCs with global system, can no longer transfer the regulated data subject to localization requirements to its servers overseas directly. The needs to set up local IT infrastructure and data center are getting unavoidable. In addition, remote access by parent company to data center of its subsidiaries located within the territory of China would also fall into the regulatory scope of cross-border transfer.
In term of the determination of Critical Information Infrastructure (“CII”), the newly released Security Protection Regulations for Critical Information Infrastructure (hereinafter as the “Regulations”) would shed some light with CII definition.[23]In accordance with the Regulations, relevant authorities in light of the actual conditions of respective industries and fields shall develop specific rules for the identification of CII and file with the public security departments under the State Council for records.[24]Further specification regarding the security assessment, for instance whether such assessment should be conducted on annual basis or in accordance with related PI handling purposes, will need to be clarified. We recommend companies keep a close eye on any legislative developments.
5.3. Chinese SCCs and certification
The PIPL Article 38 states that besides as provided in Article 40, data handlers shall either enter into contracts with the overseas recipients in accordance with the Standard Contracts to be formulated by the State Cyberspace Administration Departments (substantially equivalent to SCCs under the GDPR) or conduct personal information protection certification by designated institutions unless otherwise prescribed by laws, administrative regulations or by the State Cyberspace Administrative Departments. The Chinese Standard Contracts was not yet released, we understand that, with reference to EU SCCs and ASEAN MCCs, at least the nature and scope of handlings, method and frequency of handlings as well as respective rights and obligations of parties involved shall be specified.
6. China’s blocking provision and others
The PIPL imposes control on request of data by foreign judicial or law enforcement agencies. The PIPL Article 41 stipulates that no organization or individual within the territory of China can provide foreign judicial or law enforcement authorities with data stored within the territory of China without the approval of competent authorities. The PIPL sets substantial liabilities for violating this provision, competent authorities may order for rectification, suspension or termination of violating App or services, confiscate illegal gains, revoke related business licenses and permits, make fines for 50 million yuan or 5% of its turnover of the previous year at most at company level and 1 million yuan at most for directly responsible person in charge.[25]When confronting unreasonable request by foreign judicial or law enforcement agencies, companies can resort to this provision as legal basis, therefore the approval mechanism under Article 41 is taken as important system to protect data sovereignty and the legitimate rights and interests of companies and individuals. Yet it is worth noticing that such provision may affect domestic companies or MNCs involving in evidence disclosure and information gathering requests for foreign criminal proceedings, civil proceedings, and administrative investigations. The specific approval procedures are left to be further specified.
The PIPL Article 43 echoing the current international situations states that China may adopt equivalent countermeasures against any prohibitive or restrictive measures imposed by any country or region in terms of data related investment or trade. Where any overseas organization or individual engages in the PI processing activities infringing upon the PI rights and interests of citizens of China or endangering the national security and public interests of China, the CAC may include such organization or individual in the restrictive or prohibitive lists of subjects and take corresponding measures.[26]
7. Rights of PI subject
The PIPL in its Chapter IV comprehensively prescribes the ten rights by PI subject as shown in the chart below. The PIPL incorporates the right to data portability which states that where PI subjects request to transfer his/her personal information to another designated PI handler, such request shall be fulfilled by PI handlers when conditions stipulated by the CAC are met.[27]Such provision may help improve the current data monopoly or “data island” situation. Article 50 of the PIPL requires that PI handlers shall establish convenient response mechanism for request of PI subjects to exercise their rights. Where PI handlers refuse such request, PI subjects may file a lawsuit with the People's Court in accordance with the law.

Chart 3. Right by PI subjects PIPL v. GDPR v. CCPA
Article 49 of the PIPL specifies that where a natural person dies, his/her close relatives may, for the purpose of their own lawful and legitimate interests, exercise such rights as accessing, copying, rectifying and deleting the relevant PI of the deceased as prescribed herein, unless otherwise arranged by the deceased prior to his/her death. Companies responding to such request can require the close relatives of the deceased to specify their purposes and at the same time review whether the deceased has made other arrangements.
8. Obligations of PI handlers
Article 51 to 57 describes the basic obligations of PI handlers, which specifies that companies shall set up internal PI protection scheme with the guarantee of organizational structuring and policy making on the basis of PI security. Obligations of PI handlers are categorized as shown in the picture below.

Picture 2. Basic obligations of PI handlers
Article 58 of the PIPL innovatively proposes obligations on PI handlers providing important Internet platform services with a large number of users and complicated business types. Such larger internet platform services provider shall for example establish independent supervisory body mainly composed of external members to supervise its PI protection work, formulate platform rules specifying the standards for PI handling by products or operators within the platform and corresponding obligations, monitor related conducts of on-platform operators and regularly release social responsibility reports on PI protection for social supervision.
[Note]
[1]Personal Information Protection Law of the People's Republic of China, Art.3 para1.
[2]Personal Information Protection Law of the People's Republic of China, Art.53.
[3]Personal Information Protection Law of the People's Republic of China, Art.4.
[4]Ibid.
[5] Personal Information Protection Law of the People's Republic of China, Art.73.
[6]Personal Information Protection Law of the People's Republic of China, Art.62.
[7]Though the PIPL, as opposed to the GDPR, does not include storage limitation in the principles relating to PI handling, it specifies in its Art.19 that PI shall be the minimum period necessary for achieving the purpose of handling, unless any law or administrative regulations stipulate otherwise.
[8]The GB/T 35273—2020 PI Specification defines “directly connected” as the function of the product or service cannot be realized without the PI collect.
[9]Personal Information Protection Law of the People's Republic of China, Art.22.
[10]Personal Information Protection Law of the People's Republic of China, Art.23.
[11]Personal Information Protection Law of the People's Republic of China, Art.30.
[12]Personal Information Protection Law of the People's Republic of China, Art.39.
[13]Personal Information Protection Law of the People's Republic of China, Art.51.
[14]Personal Information Protection Law of the People's Republic of China, Art.52.
[15]Personal Information Protection Law of the People's Republic of China, Art.13.
[16]Personal Information Protection Law of the People's Republic of China, Art.14, Art.15.
[17]Personal Information Protection Law of the People's Republic of China, Art.16.
[18]Personal Information Protection Law of the People's Republic of China, Art.15.
[19]Personal Information Protection Law of the People's Republic of China, Art.59.
[20]Personal Information Protection Law of the People's Republic of China, Art.31.
[21]Personal Information Protection Law of the People's Republic of China, Art.26, Art.28.
[22]Personal Information Protection Law of the People's Republic of China, Art.38.
[23]Security Protection Regulations for Critical Information Infrastructure, Article 2.
[24]Security Protection Regulations for Critical Information Infrastructure, Article 9.
[25]Personal Information Protection Law of the People's Republic of China, Art.66.
[26]Personal Information Protection Law of the People's Republic of China, Art.42.
[27]Personal Information Protection Law of the People's Republic of China, Art.45, para.2.
