In a bid to further strengthen the current protection regime for China’s fast-growing digital economy, China has passed the Personal Information Protection Law (PIPL), which lays out for the first time a comprehensive set of rules for data collection and is to take effect on 1st November 2021. Its Data Security Law, enacted on 10th June 2021, entered into effect on 1st September 2021 and regulates data processing activities associated with personal and non-personal data.
Data Security Law
The Data Security Law regulates data processing activities, ensures data security, and protects the legitimate rights and interests of individuals and organisations, among other things.
The Data Security Law applies to data processing activities and safety supervision within the territory of the People’s Republic of China. Anyone who conducts data processing activities outside the People’s Republic of China that harm the national security, public interests, or the legitimate rights and interests of citizens or organizations of the People’s Republic of China shall be investigated for legal responsibility in accordance with the law.
Personal Information Protection Law
The Personal Information Protection Law is China’s first comprehensive data protection law, and it is modeled, in part, on other jurisdictions’ data protection regimes, including the EU General Data Protection Regulation (“GDPR”). The law states that handling of personal information must have a clear and reasonable purpose and shall be limited to the “minimum scope necessary to achieve the goals of handling” data. Handling of personal information must follow the principles of lawfulness, fairness, necessity, and good faith, and personal information shall not be processed through misleading, fraudulent, coercive or other such methods.
According to the PIPL, the legal bases for processing personal data are as follows:
- Personal consent has been obtained;
- It is necessary for the conclusion and performance of a contract to which the individual is a party, or necessary for implementing human resource management in accordance with the labour rules and regulations established in accordance with the law and the collective contract signed in accordance with the law;
- It is necessary to perform statutory duties or statutory obligations;
- It is necessary to respond to public health emergencies or to protect the life, health, and property safety of natural persons in an emergency;
- Carrying out news reports, public opinion supervision, and other acts for the public interest, and handling personal information within a reasonable range;
- Processing personal information disclosed by individuals or other legally disclosed personal information within a reasonable scope in accordance with the provisions of the law;
- Other circumstances stipulated by laws and administrative regulations.
China is building data privacy and security frameworks to better ensure the secure storage of user data. It is expected that these laws will have a profound effect upon business operations in China regarding data management, security, and privacy concerns, just as the European Union’s General Data Protection Regulation (GDPR) has in the rest of the world.