China's Personal Information Protection Law set to come into force

China’s Personal Information Protection Law (PIPL) - which will form a major part of the legal framework governing data protection, cyber security, and data security in China - is set to come into force on November 1st, 2020.

The new law regulates the processing of personal information of individuals within China. It also covers the processing of personal information conducted outside China, if the purpose of this processing is  (i) to provide products or services to individuals in China, (ii) to “analyze” or “assess” the behavior of individuals in China, or (iii) for other purposes to be specified by laws and regulations. Similar to the requirement to appoint an “EU representative” for offshore controllers under GDPR, the PIPL also requires that a “dedicated office” or “designated representative” within China is appointed by offshore entities.

Under GDPR, a company can collect data if it considers that it has a “legitimate interest” to do so, even if the data subject does not give consent. This basis for processing does not exist in the PIPL. As outlined here, under Article 13 of PIPL data controllers can only process personal information if:

1. The data subject has provided their consent;
2. The processing is necessary: (a) for the conclusion or performance of a contract to which the data subject is a party; or (b) to conduct human resources management in accordance with labour rules and regulations established by the employer in accordance with the laws or collective contracts signed under law;
3. The processing is necessary for the fulfilment of duties or obligations imposed under laws or regulations;
4. There is a need to respond to public health emergencies or to protect an individual's life, health or property in an emergency situation;
5. The personal information is being processed for the purposes of conducting news reporting, supervising public opinion or other such activities that are in the public interest and the processing is within a reasonable scope;
6. The personal information is already publicly available (either disclosed by the data subject or has otherwise legally disclosed), and the processing is within a reasonable scope and in compliance with the PIPL; or
7. The processing is permitted pursuant to other laws and regulations.

Consent must be informed, freely given, demonstrated by a clear act of the individual and can be withdrawn later on. However there is separate consent required in a number of other instances, for example if the processing entity intends to publicly disclose personal information, transfer personal information overseas or process personal information (medical details, financial accounts, religious beliefs, etc).

Individuals have a number of rights regarding their own personal information, including the right to request processors explain processing rules as well as to correct and delete their personal information.

You can read some useful pieces on the new law here, here, here and here.