3 November 2021
With the advancement of globalization and digitization, cross-border collection of personal information is increasingly frequent. To fully protect the rights and interests of individuals in the country and curb digital giants’ abusive collection of personal information, China’s 13th National People’s Congress Standing Committee passed at its 30th meeting the Personal Information Protection Law (“PIPL”), which goes into effect on November 1, 2021. The PIPL extends the scope of the law to include foreign activities conducted by foreign entities, requiring “foreign information-processors”, who provide goods or services to natural persons within China or analyze or assess the behavior of natural persons within China, to follow the rules under the PIPL. In the era of the advanced Internet, all foreign businesses with close economic and trade relations with the mainland and its people are highly likely to fall within the scope of the PIPL. As such, it is recommended that relevant foreign businesses check as soon as possible whether they are subject to the PIPL so as to take corresponding measures. The following is a summary of the potential effects on foreign information-processors after the law goes into effect:
1. Foreign Information-Processors’ Scope and Definition
(1) Regulations
Article 3, Paragraph 2 of the PIPL stipulates that foreign processing of personal information[2] of natural persons within the territory of the People’s Republic of China is within its scope if any of the following applies: (i) the information processing is aimed to provide goods or services to natural persons within China; (ii) the information processing involves analyzing or evaluating the behaviors of natural persons in China; and (iii) any other circumstances as stipulated by the law and administrative regulations (hereinafter referred to as “Foreign Information-Processors”). According to the “Explanation Regarding People’s Republic of China’s PIPL (Draft)”[3] issued by the Deputy Director of the Legislative Affairs Committee of the Standing Committee of the National People’s Congress at the 22nd Meeting of the Standing Committee of the 13th National People’s Congress on October 13, 2020, by using other countries’ practices as references, this article aims to endow the PIPL with the necessary extraterritorial applicability to fully protect the rights and interests of individuals in the country.
(2) What constitutes “information processing aimed to provide goods or services to natural persons within China” or “analyzing or evaluating the behaviors of natural persons in China”?
Although the PIPL states that Foreign Information-Processors (including those who directly process information for the provision of goods or services, and those who indirectly conduct behavioral analysis and assessment) are within the confines of its regulations, as of the writing of this article, no notices or opinions have been issued by the relevant competent authority to clarify the scope of Article 3, Paragraph 2. Therefore, the specific criteria for determining what constitutes “information processing aimed to provide goods or services to natural persons within China” or “analyzing or evaluating the behaviors of natural persons in China” are still unclear.
In light of the fact that Article 3 of the EU’s General Data Protection Regulation (“GDPR”)[4] was used as a reference for Article 3, Paragraph 2 of the PIPL, the “Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)” issued by the EU (hereinafter referred to as “EU Guide”)[5] should be of considerable reference value for the PIPL’s future enforcement and definitions regarding Foreign Information-Processors.
According to the EU Guide, whether a foreign information-processor is processing data “aimed to provide goods or services to natural persons within the EU (regardless of their nationality or place of residence)” or to “monitor the behaviors of natural persons within the EU” shall be determined on a case-by-case basis and by taking into consideration the following factors:
Determining Factors for what constitutes “data processing aimed to provide goods or services to natural persons within the EU” |
Determining Factors for what constitutes “activities monitoring the behaviors of natural persons within the EU” |
|
|
(3) Summary
Given the lack of more detailed guidance from the regulatory agency regarding the scope of Article 3, Paragraph 2 of the PIPL, we recommend using the factors in the aforementioned EU Guide as references for determining whether an activity is within the confines of the PIPL until further detailed regulations are issued, and watching for any future legislative developments from the regulatory agency so that adjustments can be made at any time.
2. Obligations and Responsibilities of Foreign Information-Processors
(1) General Obligations and Responsibilities of Information-Processors
Article 51 of the PIPL stipulates that information processors shall take into account the purpose and methods of processing personal information, the type of personal information to be processed and its impact on the rights of the information subject, and potential safety risks when taking the following measures to ensure that the information processing is in line with the law and administrative regulations and to prevent unauthorized access, tampering, loss, or leakage of personal information: (1) establish an internal management system and operating procedures; (2) implement classified management of personal information; (3) adopt proportionate security technology measures such as encryption and de-identification; (4) reasonably determine the operating privileges for personal information, and regularly conduct safety education and training for employees; (5) formulate and organize the implementation of emergency plans for personal information security incidents; and (6) other measures as stipulated by the law and administrative regulations.
For other laws and regulations to be followed by personal information processors, please refer to the article: “Feature Articles on China’s Personal Information Protection Law (1) – Personal Information Protection Law Summary (Mainland China)”.
(2) Foreign Information-Processors’ Special Obligations
Pursuant to Article 53 of the PIPL, Foreign Information-Processors shall also establish a special institution or designate a representative responsible for matters related to personal information protection and report such institution’s or representative’s name and contact information to the department responsible for personal information protection. According to EU practice, the main obligation of such a designated representative is to preserve the relevant records of information processing and cooperate with the domestic supervisory authority responsible for information protection.
The PIPL has no qualification requirements for the above-mentioned special institution or representative, nor does it stipulate the legal responsibilities that Foreign Information-Processors shall bear if they do not establish such institution or representative. Thus, how the requirements under this regulation may be met in practice will be clear only after the issuance of more detailed rules.
(3) Legal Responsibilities of Foreign Information-Processors Violating the PIPL
Those who violate the provisions of the PIPL, including Foreign Information-Processors, may be subject to the liabilities stated under Articles 66 to 71 of the PIPL, which include, but are not limited to:
- Having the illegal acts recorded in the credit files and made public;
- Being ordered to suspend or terminate the provision of services for applications that illegally process personal information;
- Being ordered to rectify the violation and having illegal gains confiscated; those that fail to rectify shall be fined less than RMB 1 million; those directly responsible and liable shall be fined at least RMB 10,000 and up to RMB 100,000. In addition, those in severe violation may be fined less than RMB 50 million or less than 5% of the previous year’s turnover, their related business operations may be suspended or paused for rectification, and appropriate authorities may revoke their relevant business permits or licenses; and
- Where the personal information processing infringes individuals’ information rights and interests and causes damages, being liable for the damages and other tort liabilities.
Further, the directly responsible person in charge and other directly responsible personnel are to be fined at least RMB 100,000 and up to RMB 1 million, and may be prohibited from serving as related businesses’ directors, supervisors, senior managers, or person in charge of personal information protection for a period of time.
With the increased fines and liabilities for violating the PIPL, Foreign Information-Processors should continue to monitor legal developments for additional guidance on the PIPL’s compliance requirements and heighten their compliance oversight in handling personal information to limit their potential exposure under the PIPL.
For further information, please contact:
Teresa Huang, Partner, Lee Tsai & Partners
lawtec@leetsai.com