Preface
On November 1st 2021, the Personal Information Protection Law (“PIPL”) took effect. PIPL is a major piece of legislation that aims at protecting personal information in China, it establishes a framework for handling personal information in one of the largest markets in the world together with Cyber Security Laws (CSL) and Data Security Laws (DSL).
PIPL, in some ways, is similar to the European GDPR, a law that is by now familiar to most online entrepreneurs. However, there are some important differences between the two laws.
In this article we and TMO group, will share some specific points in PIPL that we think would have the biggest impact on eCommerce enterprises, together with our suggestions of how to handle those.
Background of PIPL
Chinese IT giants swiftly catching up with their western counterparts: in 2020 Chinese flagman Tencent overtook Facebook by its market capitalization. The digital economy accounts for nearly 40 percent of China's GDP, second largest GDP in the world.
In the past, the policies that regulated this immense segment of the Chinese economy were rather lax. As digital technologies develop, the risk of security breaches and data leaks gets higher too. It is impossible to ignore the impact of such incidents on society or on individuals.
Therefore, the Chinese government enacted the“Cybersecurity Law” (CSL), that dealt with internet infrastructure, internet service providers, and national cyber security. Next was the Data Security Law(DSL) and PIPl. These three laws will form a comprehensive legal framework for China to manage data processing and network security issues.
Basic terms
Let's look at some key terms that are used throughout the PIPL.
Personal information
Here’s the definition from article 4 of PIPL.
“Personal information is all kinds of information, recorded by electronic or other means,related to identified or identifiable natural persons, not including information after anonymization handling.”
That is things like email, telephone, creditcard number or address everything that is routinely used in eCommerce — are all personal information. And technically, PIPL is not limiting personal information to any particular format. If you collect images, sounds, or videos with people on them — you are handling personal information too. It isn’t limited to electronic form either: the law applies to any hard copies that contain personal information as well.
It is worth noting that Personal Information under PIPL has the same concept with “Personal Data” under GDPR; however, it does not mean the same with “Data” under DSL. Data under DSL means “any recording of information by electronic or other means” (article 3 under DSL) and is the expression form of personal information.
Anonymization and tokenization
Tokenization (de-identification) refers to aprocess, where all personal information is replaced with randomly generated strings (tokens). Such tokenized information in itself cannot be used toidentify individuals, but it still can be easily “deciphered” by someone who has a token-information key.
Anonymization, on the other hand, is the process of altering the personal information in a way that it is impossible to identify individuals in it, and also cannot be restored.
Sensitive personal information
PIPL also defines “Sensitive personal information” in the article 28:
Sensitive personal information means personal information that, once leaked or illegally used, may easily cause harm to the dignity of natural persons grave harm to personal orproperty security, including information on biometric characteristics,religious beliefs, specially-designated status, medical health, financial accounts, individual location tracking, etc., as well as the personal information of minors under the age of 14.
The law has extra requriements if your enterprise deals with medical information or information of underaged persons; or if youuse and store any location-tracking based information: for tracking foot traffic to your brick-and-mortar store, to display the nearest shop on the website, or something along these lines. You would need to obtain extra consent to handle such information and implement stricter protection measures to safeguard it.
Personal information processing handler
Under article 73, the term “Personal information processing handler” means
Organizations and individuals that, in personal information handling activities, autonomously decide handling purposes and handling methods.
This is same as the term "datacontroller" in GDPR, which means an organization or a person who decides to collect and process personal information, sets the rules and defines procedures.
Similarly, what GDPR calls a “data processor”,in PIPL is referred to as an “entrusted party”.
However, when GDPR talking a lot about the different functions and responsibilities of “processor” and “controller”, PIPL is much more straight forward. It just says that the “entrusted party” should handle everything according to the agreement with the “data handler”, and the “entrustedparty” should review the agreement to check whether it is in compliance with PIPL on the basic requirements for information processor.
Where and to whom does PIPL apply?
As stated in article 3, PIPL applies to any activity of collecting and processing personal information within Chinese borders.
The law does not stop there, though: it also applies to any company or an individual outside of China that collects personal information, in two cases:
- The information is used to provide services to a “natural person” in China
- The information is used to analyze and evaluate behaviour of “natural persons” in China
These conditions seem to exclude such cases as personal use, or where the use of personal information is incidental, for example stock photos with Chinese people on them, but any business-related use of personal information is clearly a concern of PIPL.
Extra territorial approach is an importants imilarity between GDPR and PIPL. GDPR also applies to non-EU data operators when EU citizen’s data is handled.
Key concepts of PIPL
Basis for processing personal information
Whenever a company starts to collect and handlean individual's personal information, it should acquire a consent first(article 13). The below is a list of exceptions:
- You already have a legal contract with this individual and handling their personal information is a part of fulfilling the contract
- This is a public health/safety emergency
- The individual has already disclosed this information
- New reporting / public opinion polling
- Fulfilling statutory duties /obligations
Consent
“Inform-consent” isa key concept in PIPL. Article 14 of PIPL states:
Where personal information is handled based on individual consent, said consent shall be given by individuals under the precondition of full knowledge, and in a voluntary and explicit statement.
To express their consent, individuals should proactively make an oral, paper-based or electronic statement perform an “affirmative action”that explicitly authorizes the specific processing of his personal information.
Although currently there is no regulation that requires specific practical form of the “inform-consent”, the released draft of the"Guidelines for Information Security Technology Personal Information Notification Consent" can provide some explanation. After it takes effectit will serve as a legal basis for "inform-consent".
In addition, a company should provide an individual with the following information before it start processing personal information:
1. The name or personal name and contact method of the personal information handler;
2. The purpose of personal information handling and the handlingmethods, the categories of handled personal information, and the retention period;
3. Methods and procedures for individuals to exercise the rights provided in this Law;
Practicly, a company need to provide all these points next to its leadform, or (if it is a lot of text) to have a link to a page with all this information.
Also, individuals shall be notified where a change occurs in the matters provided in above, and the notification should bemade public and convenient to read and store.
Separate consents
There are five situations list in PIPL where a separate consent is needed, on top of the basic consent to process personal information:
- Processing sensitive personal information(article 29)
- Personal information is passed to another personal information handler (article 23)
- Personal information being disclosed (article 25)
- Processing personal images and distinguishing identity characteristic, except when it is done for the publicsecurity (article 26)
- Sending personal information outside of China (article 39).
At the moment there are no agreed standards onhow to do that, but there are similar administrative regulations we can referto. For example, in the "Measures for the Supervision and Administration of Online Transactions" implemented on May 1, 2021. Article 13 of thisregulation states: in case of collection and use of sensitive information such as personal biometrics, medical health, financial accounts, personal where abouts,etc., consumer consent shall be obtained item by item.
Speaking of the practical side, to follow PIPL requirements, separate consents should be explicit (clearly stated), itemized(each consent should be a separate item), not bundles (an action required foreach one, it can't be “wholesale”), and not generalized (describe the detailsof particular case).
Retention period
Note another thing PIPL introduces in the previous section: retention period. While the law does not define any hardlimits on the length of the retention period, in article 19 it states:
Personal information retention periods shall be the shortest period necessary to realizethe purpose of the personal information handling.
There is no hard limit on retention period inthe PIPL, but there are specific requiremetns in certain industries. For example, the Chinese Labor Contract Law has a “shortest period” standard which requires companies to keep the employment contract of the departing employee for at least 2 years. Therefore, it is recommended that personal information bestored in accordance with the “shortest time” standard under the precondition that it is not in violation of Chinese mandatory laws.
Personal Information protection principles
A company need to comply with few principles under PIPL when processing personal information. These are similar to principles listed in GDPR.
Below are the principles:
● Principles of “‘legality” and“sincerity” should be observed when handling personal information. Handling itin a “misleading” way is prohibited (article 5).
● Handling of personal information should be “clear and reasonable”, and limited to the smallest scope, required for the purpose (article 6).
● The next principle is “openness and transparency”. Purpose, scope and rules of handling personal information should be disclosed (article 7).
● Handling of personal information should ensure quality of the information. Individuals should not suffer adverse consequences from inaccurate or incomplete information (article8).
● Handlers should adapt proper security measures to safeguard personal information they have collected(article 9).
● Finally, any illegal collection, handling, selling, buying, disclosing of personal information is prohibited (article 10).
Legal right of Information subjects
PIPL establishes basic rights of information subjects (people, whose information is being collected), which similar to GDPR.
The article 50 of PIPL requires a company to setup a way for individuals to exercise the rights to get access to the information collected about them, delete or amend some or all of it, and/or withdraw the consent of handling personal information completely. However, there is not specific requirements of how to do it. Neither it sets anyspecific time limit on processing such applications, only mentioning it should happen “in a timely manner”.
Cross border transfer of personal information
In the case a company outside of Chinese bordersis planning to handle personal information of people in China, PIPL has a number of additional provisions in articles 38-43. Here are the things you need to have on top of regular requirements:
- Additional consent forcross-border transfer of personal information.
- Additional notifications, disclosing information of the foreign recipient of personal information: name of the receiving party, methods they will be using, ways to exercise individual’s information rights (review, amend, delete their personal information) with this foreign handler.
Additionally, for “Critical Information Infrastructure operators” (this signifies companies in communication, energy,finance, transport, water supply and other industries, that can potentially affect national security) and in cases where information transfer volume exceeds certain limits (at the moment it is not clear what those limits are), companies will have to undergo a government security assessment before they canstart transferring any information.
In other cases (for non-critical, under-limit information transfers) companies should either:
- Undergo a “personal information protection certification” with a special Government agency
- Make sure the contract with the foreign company, that handles the information, is “in accordance with astandard contract formulated by the State cyberspace and informatization department”.
The details of such certification or standard contract are not available at the moment, relevant provisions under GDPR may bereferred to.
Finally, if a personal information handler happens to be located outside of China, it must establish a “dedicated office”or appoint a “designated representative” within the borders of the People’sRepublic of China. Information about this office or representative should be filedwith government authorities.
Alternative solutions to cross-border personal information transfers
Provisions related to cross-border transfer of personal information can be one of the more difficult to follow correctly. When most ofthe solutions used today were developed, there were virtually no legal requirements concerning “personal information residency”. As a result, there is a chance you do transfer the personal information abroad, without even realizing it — for instance, if your cloud CRM solution is hosted outside of China.
There are solutions being developed to addressthis new “personal performation residency” concern on a technological level. SalesForce, for example, introduced Hyper Force — a solution that can bedelivered from major public clouds.
There are companies, offering Residency-as-a-service solutions, copying or limiting sensitive information tonationally-located servers.
Automated decision-making
As machine learning and artificial intelligence technologies become moreand more common in the field of e-commerce, their most common practical implementations are artificial intelligence-driven "recommended products" and "dynamic pricing" functions (a way to dynamically adjust prices to maximize profits based on certain behavioral characteristics of customers and other information).
Article 73 of PIPL defines it as:
Activity of using computer programs to automatically analyze or assess personal behaviors, habits, interests, or hobbies, or financial, health, credit, or other status, and make decisions.
The law allows using automated decision makingfor “reasonable” differential treatment that guarantees fairness and justice. “Unfair” and“unreasonable” treatment is not allowed.
Additionally, whenever the use of automated decision-making produces decisions with a major influence on the rights and interests of the individual, companies are required to have an explanation how the decision process works and provide an option for individuals to opt out ofthe machine-only process.
Other Information handlers’ duties
Let’s go through some additional duties that PIPL assigns to personal information handlers.
A company that handles personal information, should formulate correspondent internal structure, set up necessary rules andprotocols, and conduct employee training on this subject. It has to adopt appropriate technical security measures, have security incident plans in place etc.
If the amount of information reaches certain limits, determined by the authorities, a company should appoint a personal information protection officer, who would supervise all personal information related activities.
In case a company handles sensitive personal information, or if the personal information is transferred abroad, personal information handlers are required to conduct a personal information protection impact assessment. Such assessment should be conducted in advance and the records should be preserved.
Penalties in PIPL
The penalty for non-compliance with PIPL dependson the severity of the violation.
In case of a minor violation, as a first step,the government authority will issue a warning and a correction order. If youhave gained any unlawful income, connected to the violation, it will be confiscated.
If a company refuses to correct the problem,more serious consequences will ensue. Companies can be fined up to 1 millionRMB (150k USD); responsible individuals — up to 100.000 RMB (15k USD), plus avery China-specific penalty: a record in the social credit system.
In case of “serious violations” the size of thefine can go as high as 50 million RMB (7.5M USD), or 5% of the company'srevenue. Interestingly, the law does not specify, if it is the revenue generated in China, or the global one, that would be the basis for the fine calculation.
Final note on the non-compliance. According tothe law, violation does not necessarily mean you have unlawfully processed or handled personal information. Failing to take necessary steps to protect the personalinformation, implement proper security practices, also may be considered aviolation.
PIPL compliance checklist

Conclusion
There are undeniable good reasons to have a law like PIPL in place. It provides protection from abuse and mishandling of personal information. Information theft and illegal information trading would flourish in such a rich eco system if there were no regulations to stop them.
At the same time, it is difficult not to notice an eerie coincidence that two prominent internet companies, Yahoo and Linked Indecided to leave China exactly around the time the law was to be enacted.
One thing that is certainly refreshing about PIPL is its high-level approach, and, as a result — relatively small size: translated version is only about 5000 words long. Compare that to “mammoth”GDPR, almost 10 times the size, 50.000 words.
Conciseness, however, comes with a price of quite a few points still being left unclear. In upcoming months we can expectmore details providing explanations on how the law should be implemented.
Meanwhile, if you are collecting and processing personal information of natural persons in China, we highly recommend you implement steps outlined in this article. Feel free to contact HanSheng Law Offices todiscuss how we can help you build or enhance your eCommerce business, compliantto the new Chinese PIPL regulation.
Links
PIPL’s text (in Chinese):
http://www.npc.gov.cn/npc/c30834/202108/a8c4e3672c74491a80b53a172bb753fe.shtml
English Translation by The DigiChina Project at Stanford University
https://digichina.stanford.edu/work/translation-personal-information-protection-law-of-the-peoples-republic-of-china-effective-nov-1-2021/
Disclaimer: This article is not legal advice. To ensure your business and website is PIPL compliant we recommend you speak with a qualified legal professional.
On November 1st 2021, the Personal Information Protection Law (“PIPL”) took effect. PIPL is a major piece of legislation that aims at protecting personal information in China, it establishes a framework for handling personal information in one of the largest markets in the world together with Cyber Security Laws (CSL) and Data Security Laws (DSL).
PIPL, in some ways, is similar to the European GDPR, a law that is by now familiar to most online entrepreneurs. However, there are some important differences between the two laws.
In this article we and TMO group, will share some specific points in PIPL that we think would have the biggest impact on eCommerce enterprises, together with our suggestions of how to handle those.
Background of PIPL
Chinese IT giants swiftly catching up with their western counterparts: in 2020 Chinese flagman Tencent overtook Facebook by its market capitalization. The digital economy accounts for nearly 40 percent of China's GDP, second largest GDP in the world.
In the past, the policies that regulated this immense segment of the Chinese economy were rather lax. As digital technologies develop, the risk of security breaches and data leaks gets higher too. It is impossible to ignore the impact of such incidents on society or on individuals.
Therefore, the Chinese government enacted the“Cybersecurity Law” (CSL), that dealt with internet infrastructure, internet service providers, and national cyber security. Next was the Data Security Law(DSL) and PIPl. These three laws will form a comprehensive legal framework for China to manage data processing and network security issues.
Basic terms
Let's look at some key terms that are used throughout the PIPL.
Personal information
Here’s the definition from article 4 of PIPL.
“Personal information is all kinds of information, recorded by electronic or other means,related to identified or identifiable natural persons, not including information after anonymization handling.”
That is things like email, telephone, creditcard number or address everything that is routinely used in eCommerce — are all personal information. And technically, PIPL is not limiting personal information to any particular format. If you collect images, sounds, or videos with people on them — you are handling personal information too. It isn’t limited to electronic form either: the law applies to any hard copies that contain personal information as well.
It is worth noting that Personal Information under PIPL has the same concept with “Personal Data” under GDPR; however, it does not mean the same with “Data” under DSL. Data under DSL means “any recording of information by electronic or other means” (article 3 under DSL) and is the expression form of personal information.
Anonymization and tokenization
Tokenization (de-identification) refers to aprocess, where all personal information is replaced with randomly generated strings (tokens). Such tokenized information in itself cannot be used toidentify individuals, but it still can be easily “deciphered” by someone who has a token-information key.
Anonymization, on the other hand, is the process of altering the personal information in a way that it is impossible to identify individuals in it, and also cannot be restored.
Sensitive personal information
PIPL also defines “Sensitive personal information” in the article 28:
Sensitive personal information means personal information that, once leaked or illegally used, may easily cause harm to the dignity of natural persons grave harm to personal orproperty security, including information on biometric characteristics,religious beliefs, specially-designated status, medical health, financial accounts, individual location tracking, etc., as well as the personal information of minors under the age of 14.
The law has extra requriements if your enterprise deals with medical information or information of underaged persons; or if youuse and store any location-tracking based information: for tracking foot traffic to your brick-and-mortar store, to display the nearest shop on the website, or something along these lines. You would need to obtain extra consent to handle such information and implement stricter protection measures to safeguard it.
Personal information processing handler
Under article 73, the term “Personal information processing handler” means
Organizations and individuals that, in personal information handling activities, autonomously decide handling purposes and handling methods.
This is same as the term "datacontroller" in GDPR, which means an organization or a person who decides to collect and process personal information, sets the rules and defines procedures.
Similarly, what GDPR calls a “data processor”,in PIPL is referred to as an “entrusted party”.
However, when GDPR talking a lot about the different functions and responsibilities of “processor” and “controller”, PIPL is much more straight forward. It just says that the “entrusted party” should handle everything according to the agreement with the “data handler”, and the “entrustedparty” should review the agreement to check whether it is in compliance with PIPL on the basic requirements for information processor.
Where and to whom does PIPL apply?
As stated in article 3, PIPL applies to any activity of collecting and processing personal information within Chinese borders.
The law does not stop there, though: it also applies to any company or an individual outside of China that collects personal information, in two cases:
- The information is used to provide services to a “natural person” in China
- The information is used to analyze and evaluate behaviour of “natural persons” in China
These conditions seem to exclude such cases as personal use, or where the use of personal information is incidental, for example stock photos with Chinese people on them, but any business-related use of personal information is clearly a concern of PIPL.
Extra territorial approach is an importants imilarity between GDPR and PIPL. GDPR also applies to non-EU data operators when EU citizen’s data is handled.
Key concepts of PIPL
Basis for processing personal information
Whenever a company starts to collect and handlean individual's personal information, it should acquire a consent first(article 13). The below is a list of exceptions:
- You already have a legal contract with this individual and handling their personal information is a part of fulfilling the contract
- This is a public health/safety emergency
- The individual has already disclosed this information
- New reporting / public opinion polling
- Fulfilling statutory duties /obligations
Consent
“Inform-consent” isa key concept in PIPL. Article 14 of PIPL states:
Where personal information is handled based on individual consent, said consent shall be given by individuals under the precondition of full knowledge, and in a voluntary and explicit statement.
To express their consent, individuals should proactively make an oral, paper-based or electronic statement perform an “affirmative action”that explicitly authorizes the specific processing of his personal information.
Although currently there is no regulation that requires specific practical form of the “inform-consent”, the released draft of the"Guidelines for Information Security Technology Personal Information Notification Consent" can provide some explanation. After it takes effectit will serve as a legal basis for "inform-consent".
In addition, a company should provide an individual with the following information before it start processing personal information:
1. The name or personal name and contact method of the personal information handler;
2. The purpose of personal information handling and the handlingmethods, the categories of handled personal information, and the retention period;
3. Methods and procedures for individuals to exercise the rights provided in this Law;
Practicly, a company need to provide all these points next to its leadform, or (if it is a lot of text) to have a link to a page with all this information.
Also, individuals shall be notified where a change occurs in the matters provided in above, and the notification should bemade public and convenient to read and store.
Separate consents
There are five situations list in PIPL where a separate consent is needed, on top of the basic consent to process personal information:
- Processing sensitive personal information(article 29)
- Personal information is passed to another personal information handler (article 23)
- Personal information being disclosed (article 25)
- Processing personal images and distinguishing identity characteristic, except when it is done for the publicsecurity (article 26)
- Sending personal information outside of China (article 39).
At the moment there are no agreed standards onhow to do that, but there are similar administrative regulations we can referto. For example, in the "Measures for the Supervision and Administration of Online Transactions" implemented on May 1, 2021. Article 13 of thisregulation states: in case of collection and use of sensitive information such as personal biometrics, medical health, financial accounts, personal where abouts,etc., consumer consent shall be obtained item by item.
Speaking of the practical side, to follow PIPL requirements, separate consents should be explicit (clearly stated), itemized(each consent should be a separate item), not bundles (an action required foreach one, it can't be “wholesale”), and not generalized (describe the detailsof particular case).
Retention period
Note another thing PIPL introduces in the previous section: retention period. While the law does not define any hardlimits on the length of the retention period, in article 19 it states:
Personal information retention periods shall be the shortest period necessary to realizethe purpose of the personal information handling.
There is no hard limit on retention period inthe PIPL, but there are specific requiremetns in certain industries. For example, the Chinese Labor Contract Law has a “shortest period” standard which requires companies to keep the employment contract of the departing employee for at least 2 years. Therefore, it is recommended that personal information bestored in accordance with the “shortest time” standard under the precondition that it is not in violation of Chinese mandatory laws.
Personal Information protection principles
A company need to comply with few principles under PIPL when processing personal information. These are similar to principles listed in GDPR.
Below are the principles:
● Principles of “‘legality” and“sincerity” should be observed when handling personal information. Handling itin a “misleading” way is prohibited (article 5).
● Handling of personal information should be “clear and reasonable”, and limited to the smallest scope, required for the purpose (article 6).
● The next principle is “openness and transparency”. Purpose, scope and rules of handling personal information should be disclosed (article 7).
● Handling of personal information should ensure quality of the information. Individuals should not suffer adverse consequences from inaccurate or incomplete information (article8).
● Handlers should adapt proper security measures to safeguard personal information they have collected(article 9).
● Finally, any illegal collection, handling, selling, buying, disclosing of personal information is prohibited (article 10).
Legal right of Information subjects
PIPL establishes basic rights of information subjects (people, whose information is being collected), which similar to GDPR.
The article 50 of PIPL requires a company to setup a way for individuals to exercise the rights to get access to the information collected about them, delete or amend some or all of it, and/or withdraw the consent of handling personal information completely. However, there is not specific requirements of how to do it. Neither it sets anyspecific time limit on processing such applications, only mentioning it should happen “in a timely manner”.
Cross border transfer of personal information
In the case a company outside of Chinese bordersis planning to handle personal information of people in China, PIPL has a number of additional provisions in articles 38-43. Here are the things you need to have on top of regular requirements:
- Additional consent forcross-border transfer of personal information.
- Additional notifications, disclosing information of the foreign recipient of personal information: name of the receiving party, methods they will be using, ways to exercise individual’s information rights (review, amend, delete their personal information) with this foreign handler.
Additionally, for “Critical Information Infrastructure operators” (this signifies companies in communication, energy,finance, transport, water supply and other industries, that can potentially affect national security) and in cases where information transfer volume exceeds certain limits (at the moment it is not clear what those limits are), companies will have to undergo a government security assessment before they canstart transferring any information.
In other cases (for non-critical, under-limit information transfers) companies should either:
- Undergo a “personal information protection certification” with a special Government agency
- Make sure the contract with the foreign company, that handles the information, is “in accordance with astandard contract formulated by the State cyberspace and informatization department”.
The details of such certification or standard contract are not available at the moment, relevant provisions under GDPR may bereferred to.
Finally, if a personal information handler happens to be located outside of China, it must establish a “dedicated office”or appoint a “designated representative” within the borders of the People’sRepublic of China. Information about this office or representative should be filedwith government authorities.
Alternative solutions to cross-border personal information transfers
Provisions related to cross-border transfer of personal information can be one of the more difficult to follow correctly. When most ofthe solutions used today were developed, there were virtually no legal requirements concerning “personal information residency”. As a result, there is a chance you do transfer the personal information abroad, without even realizing it — for instance, if your cloud CRM solution is hosted outside of China.
There are solutions being developed to addressthis new “personal performation residency” concern on a technological level. SalesForce, for example, introduced Hyper Force — a solution that can bedelivered from major public clouds.
There are companies, offering Residency-as-a-service solutions, copying or limiting sensitive information tonationally-located servers.
Automated decision-making
As machine learning and artificial intelligence technologies become moreand more common in the field of e-commerce, their most common practical implementations are artificial intelligence-driven "recommended products" and "dynamic pricing" functions (a way to dynamically adjust prices to maximize profits based on certain behavioral characteristics of customers and other information).
Article 73 of PIPL defines it as:
Activity of using computer programs to automatically analyze or assess personal behaviors, habits, interests, or hobbies, or financial, health, credit, or other status, and make decisions.
The law allows using automated decision makingfor “reasonable” differential treatment that guarantees fairness and justice. “Unfair” and“unreasonable” treatment is not allowed.
Additionally, whenever the use of automated decision-making produces decisions with a major influence on the rights and interests of the individual, companies are required to have an explanation how the decision process works and provide an option for individuals to opt out ofthe machine-only process.
Other Information handlers’ duties
Let’s go through some additional duties that PIPL assigns to personal information handlers.
A company that handles personal information, should formulate correspondent internal structure, set up necessary rules andprotocols, and conduct employee training on this subject. It has to adopt appropriate technical security measures, have security incident plans in place etc.
If the amount of information reaches certain limits, determined by the authorities, a company should appoint a personal information protection officer, who would supervise all personal information related activities.
In case a company handles sensitive personal information, or if the personal information is transferred abroad, personal information handlers are required to conduct a personal information protection impact assessment. Such assessment should be conducted in advance and the records should be preserved.
Penalties in PIPL
The penalty for non-compliance with PIPL dependson the severity of the violation.
In case of a minor violation, as a first step,the government authority will issue a warning and a correction order. If youhave gained any unlawful income, connected to the violation, it will be confiscated.
If a company refuses to correct the problem,more serious consequences will ensue. Companies can be fined up to 1 millionRMB (150k USD); responsible individuals — up to 100.000 RMB (15k USD), plus avery China-specific penalty: a record in the social credit system.
In case of “serious violations” the size of thefine can go as high as 50 million RMB (7.5M USD), or 5% of the company'srevenue. Interestingly, the law does not specify, if it is the revenue generated in China, or the global one, that would be the basis for the fine calculation.
Final note on the non-compliance. According tothe law, violation does not necessarily mean you have unlawfully processed or handled personal information. Failing to take necessary steps to protect the personalinformation, implement proper security practices, also may be considered aviolation.
PIPL compliance checklist

Conclusion
There are undeniable good reasons to have a law like PIPL in place. It provides protection from abuse and mishandling of personal information. Information theft and illegal information trading would flourish in such a rich eco system if there were no regulations to stop them.
At the same time, it is difficult not to notice an eerie coincidence that two prominent internet companies, Yahoo and Linked Indecided to leave China exactly around the time the law was to be enacted.
One thing that is certainly refreshing about PIPL is its high-level approach, and, as a result — relatively small size: translated version is only about 5000 words long. Compare that to “mammoth”GDPR, almost 10 times the size, 50.000 words.
Conciseness, however, comes with a price of quite a few points still being left unclear. In upcoming months we can expectmore details providing explanations on how the law should be implemented.
Meanwhile, if you are collecting and processing personal information of natural persons in China, we highly recommend you implement steps outlined in this article. Feel free to contact HanSheng Law Offices todiscuss how we can help you build or enhance your eCommerce business, compliantto the new Chinese PIPL regulation.
Links
PIPL’s text (in Chinese):
http://www.npc.gov.cn/npc/c30834/202108/a8c4e3672c74491a80b53a172bb753fe.shtml
English Translation by The DigiChina Project at Stanford University
https://digichina.stanford.edu/work/translation-personal-information-protection-law-of-the-peoples-republic-of-china-effective-nov-1-2021/
Disclaimer: This article is not legal advice. To ensure your business and website is PIPL compliant we recommend you speak with a qualified legal professional.
