The Washington Post recently reported that Didi Global, a ride-hailing company which also operates in Australia, was fined RMB 8.026 billion (around US$1.2 billion, or AU$1.7 billion) for unlawfully processing 64.7 billion pieces of personal information, including excessively collecting 107 million pieces of passenger facial recognition information. Two executives of Didi Global were also fined personally.
The People’s Republic of China’s Personal Information Protection Law (PIP Law) came into force on 1 November 2021. It is China’s first comprehensive statute dedicated to the protection of personal information.
Like the European Union’s General Data Protection Regulation (GDPR), the PIP Law has extraterritorial application that may capture foreign entities which conduct business in China or deal with individuals in China, regardless of whether those entities have a physical presence in China. The PIP Law is therefore particularly relevant to multinational corporations.
How might the PIP Law affect Australian businesses?
The scope of the PIP Law mirrors that of the GDPR in some aspects. Article 3 of the PIP Law states that the law applies to personal information handling (or in some translations, processing) activities within the People’s Republic of China and personal information handling activities outside the territory of China that involve:
- the provision of goods or services to residents in China;
- the analysis or evaluation of the behaviour of residents in China; or
- any other purpose as prescribed by law or regulations.
‘Personal information handling’ refers to the collection, retention, use, processing, transmission, provision, disclosure, and erasure etc. of personal information. ‘Personal information’ means all kinds of information, recorded electronically or in other forms, that relates to identified or identifiable natural persons, but excludes anonymised information.
Article 73 of the PIP Law broadly defines ‘personal information handler’ as any organisation or individual that independently determines the purposes and means of handling personal information. Despite the name, this role corresponds to the ‘controller’ under the GDPR rather than the ‘processor’; a party that handles personal information on a handler’s behalf is an ‘entrusted party’ under the PIP Law.
Personal information handlers outside of China that are captured by the application of the PIP Law are required to establish or designate a representative in China who will be responsible for the protection of personal information pursuant to Article 53.
Key features of the PIP Law
The PIP Law sets up a framework for:
- the handling of personal information and sensitive information (Chapter II);
- cross-border transfer of personal information (Chapter III);
- individuals’ rights in respect of personal information handling activities (Chapter IV); and
- personal information handlers and their obligations (Chapter V).
Among other things, Chapter II requires personal information handlers to process personal information only on one of the legal bases listed in Article 13, principally the individual’s consent (or the consent of a parent or guardian if the individual is under 14) or, for example, where the processing is necessary to perform a contract with the individual. Article 19 limits retention to the shortest period necessary for the purpose of processing. Article 55 also requires a personal information protection impact assessment to be undertaken before processing sensitive personal information.
Chapter III establishes a regime for cross-border transfer of personal information out of the People’s Republic of China. A personal information protection impact assessment must be undertaken prior to the transfer, and the individuals to whom the personal information relates must give separate consent to it. In addition, Article 38 requires the personal information handler to satisfy one of the following conditions:
- where the personal information handler is a critical information infrastructure operator or meets the prescribed volume thresholds (under the Measures for Security Assessment of Outbound Data Transfers, handling personal information of more than one million individuals, or having transferred overseas personal information of 100,000 individuals or sensitive personal information of 10,000 individuals since 1 January of the previous year), the data must be stored in China and any transfer that is genuinely necessary must pass a security assessment by the Cyberspace Administration of China. The Measures came into effect on 1 September 2022, with pre-existing cross-border transfer activities given a grace period until 1 March 2023;
- enter into a contract with the overseas recipient adopting the standard contract terms formulated by the Cyberspace Administration of China;
- obtain personal information protection certification from a professional institution in accordance with the rules of the Cyberspace Administration of China (the Specification for Certification of Cross-Border Personal Information Transfer sets out the requirements for this certification); or
- satisfy other conditions as prescribed by law or regulations.
Serious breaches of the PIP Law attract fines of up to RMB 50 million (around AU$10 million) or 5% of the previous year’s annual turnover. Businesses that have a presence in China may also have their business suspended or their permit or licence revoked, and the individuals directly responsible may be fined personally and barred from holding senior positions. In some instances, contravention of the PIP Law may also carry criminal responsibility.
What this means
The broad scope and application of the PIP Law mean that businesses should conduct an internal assessment to determine whether they could be captured by it. Entities that conduct business with China or with individuals in China should review their data residency arrangements and privacy practices to ensure compliance with the PIP Law. In particular, businesses should not assume that pre-existing contracts are sufficient to support the processing or cross-border transfer of personal information of individuals in China.
If you have any queries or concerns regarding the potential impact of the PIP Law on your business, please contact a member of our IP, Technology & Media team for advice and assistance.
This article was written by Luke Dale, Partner and Paul Sigar, Solicitor.
Additional disclaimer: the official text of the legislation is only available in Chinese, and English translations may not always accurately capture the original meaning of the law.