
The China Personal Information Protection Law Was Officially Promulgated: Comments and Analysis of the Key Provisions and Compliance Highlights

2021.08.25 DONG, Xiao (Marissa); Chao GUO; Jinghe GUO

I. Legislative Evolution and Significance


The Personal Information Protection Law of the People's Republic of China (“PIPL”) was adopted and issued on August 20, 2021 after a review by the 30th Session of the Standing Committee of the 13th National People’s Congress, and will come into effect on November 1, 2021.


The PIPL is the first law in China to specifically regulate the protection of personal information. It will have an immediate and profound impact on the protection of Chinese citizens’ rights and interests in their personal information by various entities and organizations. Meanwhile, the PIPL, in conjunction with the Cybersecurity Law and the Data Security Law, will build a more complete, comprehensive and systematic legal protection system and form the standard data and digital policy in the field of information protection and cybersecurity in China.


As the Data Security Law will come into effect on September 1 this year and the PIPL on November 1, all enterprises will need to fully research, analyze and evaluate how these basic laws and related regulations will apply to their operations. They will also need to design and build their compliance systems as soon as possible so as to ensure compliance with the requirements of the PIPL.


II. Overview of the Highlights


The PIPL consists of 74 articles in eight chapters. It comprehensively and systematically integrates the requirements of personal information protection previously scattered in the Civil Code, the Cybersecurity Law, the Information Security Technology - Personal Information Security Specification and other laws, regulations and standards. It further emphasizes the obligations and responsibilities for personal information protection, adds specific provisions to address hot issues in society, and increases the penalties for violations, based on the current critical issues in the field of personal information protection as well as the practical experience in data protection administration in China. We summarize the highlights of the PIPL below.


1.  Scope of Application


In addition to the provision that “this Law shall apply to the processing of personal information of individuals within the territory of the People’s Republic of China”, the PIPL also provides for certain extraterritorial applications. It is stipulated in Paragraph 2 of Article 3 that the PIPL shall also apply to the activities of processing the personal information of natural persons inside China which are carried out outside China “for the purpose of providing products or services to natural persons inside China” or constitute “analyzing or evaluating the behaviors of natural persons inside China”.  For personal information processors outside China, Article 53 of the PIPL further requires that a special agency or a representative shall be established or designated in China to handle matters related to personal information protection, and that the information of such an agency or representative shall be reported to the personal information protection authorities.


2. Important Definitions


Article 4 of the PIPL stipulates that “personal information” means “any kind of information related to an identified or identifiable individual as electronically or otherwise recorded, excluding information that has been anonymized.” The “processing of personal information” includes “the collection, storage, use, processing, transmission, provision, disclosure and deletion of personal information”.


Most statutory obligations under the PIPL are directed at personal information processors. According to Article 73 of the PIPL, a “personal information processor” refers to any organization or individual that independently determines the purpose and method of processing in their activities of processing personal information.


Article 62 of the PIPL provides that the national cyberspace authority shall organize and coordinate the relevant authorities to develop special rules and standards for personal information protection to govern “small-scale personal information processors”. The definition and scope of a “small-scale personal information processor” is not defined in the PIPL, which is therefore still subject to interpretation by the regulators.


3. Principles for Personal Information Processing


Articles 5 to 9 of the PIPL specify the basic principles for the processing of personal information. These principles will serve as general guidelines throughout personal information processing activities, including:


a)  Lawfulness, Justification, Necessity and Good Faith. Personal information shall be processed in accordance with the principles of lawfulness, justification, necessity and good faith, and not in any manner that is misleading, fraudulent or coercive. This principle, as the primary principle stipulated by the PIPL, is a prerequisite for the implementation of the processing activities by personal information processors.


b)  Specification and Relevancy. Personal information shall be processed for a specified and reasonable purpose and shall be directly relevant to the purpose of processing. This principle sets forth the criteria to evaluate the purpose of processing to control the processing activities to the extent that they are “directly relevant to the purpose of processing” based on Article 5.


c)  Minimum Extent. Article 6 of the PIPL limits the extent of personal information processing on two levels by requiring that, firstly, processing activities shall have the least impact on the rights and interests of individuals and, secondly, the personal information collection shall not be excessive and shall be limited to the minimum extent necessary to satisfy the purpose of processing (Article 6).


d) Openness and Transparency. Personal information shall be processed in accordance with the principles of openness and transparency. This article requires the personal information processors to disclose their rules of processing to the public and expressly indicate the purpose, method and scope of processing to the individual concerned (Article 7). The principle of openness and transparency protects the right of personal information subjects to be informed and to give consent, and is a prerequisite for personal information processors to fulfill the obligation of informed consent.


e) Completeness and Accuracy. Article 8 of the PIPL sets forth the criteria to evaluate the quality of personal information specifically in terms of two aspects including the completeness and accuracy of personal information. Personal information processors shall avoid damaging the rights and interests of individuals due to the inaccuracy and incompleteness of personal information.


f)  Security Protection. Article 9 of the PIPL specifies that personal information processors shall be directly responsible for their personal information processing activities, and all the legal obligations and responsibilities for their personal information processing activities shall be borne by the personal information processors. The personal information processors shall take necessary measures to protect the security of the personal information processed.


4. Basic Rules for Personal Information Processing


Chapter II of the PIPL sets out the rules for processing personal information, the key requirements and a brief analysis of which are set forth below:


a)  Legal Basis for Personal Information Processing. A personal information processor may process the personal information of an individual only under the following circumstances: (1) where consent is obtained from the individual; (2) where it is necessary for the conclusion or performance of a contract to which the individual is a party, or where it is necessary for carrying out human resource management under an employment policy legally established or a collective contract legally concluded; (3) where it is necessary for performing a statutory responsibility or statutory obligation; (4) where it is necessary in response to a public health emergency, or for protecting the life, health or property safety of a natural person in the case of an emergency; (5) where the personal information is processed within a reasonable scope to carry out any news reporting, supervision by public opinions or any other activity for public interest purposes; (6) where the personal information, which has already been disclosed by an individual or otherwise legally disclosed, is processed within a reasonable scope; or (7) any other circumstance as provided by law or administrative regulations (Article 13).


b)  Informed Consent Requirement on Personal Information Processing. In principle, the consent of an individual shall be obtained for the processing of their personal information, but where any of the preceding Paragraphs 2 to 7 in Article 13 is applicable, an individual’s consent is not required. Where personal information is to be processed based on the consent of an individual, such consent shall be a voluntary and explicit indication of intent given by such an individual on a fully informed basis. Where separate consent or written consent shall be obtained from individuals for the processing of their personal information as provided for by any law or administrative regulation, such provision shall prevail (Article 14). Prior to the processing of the personal information of an individual, a personal information processor shall inform the individual of the specified matters in a conspicuous way and in clear and easy-to-understand language, except when such matters shall be kept confidential or are not required to be disclosed according to law or administrative regulations (Articles 17 and 18).


c)  Retention Period of Personal Information. The retention period of personal information shall be the minimum period necessary for achieving the purpose of processing, unless any law or administrative regulation stipulates otherwise (Article 19).


d)  Joint Processing. Two or more personal information processors who jointly decide on the purpose and method of the processing of personal information shall agree on their respective rights and obligations in the joint processing. Personal information processors who jointly process personal information shall be liable jointly and severally under the law for any damages caused due to an infringement of personal rights and interests in their joint processing of personal information (Article 20). This is the first time that a law has clearly stipulated the situation of “joint processors of personal information” and their joint and several liability for infringement upon personal information in accordance with the law.


e)  Entrusted Processing of Personal Information. Where a personal information processor entrusts the processing of personal information, it shall conclude an agreement with the entrusted party on the purpose, period, and method of the entrusted processing, the type of personal information to be processed, any protection measures to be taken, and the rights and obligations of both parties, etc., and shall supervise the personal information processing activities carried out by the entrusted party. The entrusted party shall process the personal information as agreed and shall not subcontract the entrusted processing of personal information to any other person without the consent of the personal information processor (Article 21).


f)  Transfer of Personal Information Due to Merger or Division. A personal information processor who needs to transfer personal information of any individual due to a merger, division, dissolution, declared bankruptcy or any other reason shall inform the individual of the organizational or personal name and the contact information of the recipient. The recipient shall continue to perform obligations as a personal information processor. Any change to the original purpose or method of processing by the recipient shall otherwise require the consent of the individual in accordance with the PIPL (Article 22).


g)  Sharing of Personal Information. A personal information processor who is to provide any personal information of an individual to any other personal information processor shall inform the individual of the organizational or personal name and the contact information of the recipient, the purpose and method of the processing, and the type of personal information involved, and shall obtain a separate consent from the individual. The recipient shall process the personal information so received within the scope of the said informed details (Article 23).


h)  Disclosure of Personal Information. Personal information processors shall not disclose any personal information of an individual processed by them, except with the separate consent obtained from the individual (Article 25). Personal information processors may process the personal information of an individual already disclosed by the individual to a reasonable extent without the consent of such an individual, unless such processing is expressly refused by the individual; provided that any such processing that may have a material impact on the rights or interests of the individual shall require consent from the individual (Article 27). 


5. Automated Decision-Making


a)  Big data-enabled Price Discrimination. Where personal information is used by personal information processors in automated decision-making, transparency of the decision-making and fairness and impartiality of the results shall be ensured, and no unreasonable differential treatment of individuals in terms of transaction prices or other transaction terms may be implemented (Paragraph 1 of Article 24).


b)  Provision of Other Options or Ways to Refuse. If business marketing or push-based information delivery is conducted towards an individual by means of automated decision-making, an option to not target the personal characteristics of the individual and a clearly understood way to refuse to receive shall be provided to the individual (Paragraph 2 of Article 24).


c)  Rights of the Individual. If a decision made by a personal information processor through automated decision-making has a material impact on an individual's rights and interests, the individual shall have the right to demand that the personal information processor provide an explanation, as well as the right to refuse the making of decisions by the personal information processor solely by means of automated decision-making (Paragraph 3 of Article 24).


6. Special Rules for Processing Sensitive Personal Information


The PIPL specifically provides rules for processing sensitive personal information. Sensitive personal information refers to personal information that, once leaked or illegally used, could easily lead to the infringement of human dignity or harm to the personal or property safety of an individual, including biometric recognition, religious belief, specific identity, medical and health, financial account, personal whereabouts and other information of an individual, as well as any personal information of a minor under the age of 14 (Article 28).


The main rules required to be complied with in processing sensitive personal information include:


a)  Only where there is a specific purpose and sufficient necessity, and under circumstances where strict protection measures are taken, may personal information processors process sensitive personal information (Article 28).


b)  In the case of any processing of the sensitive personal information of any individual, separate consent shall be obtained from such an individual; where written consent shall be obtained for the processing of sensitive personal information as provided by law or administrative regulations, such provision shall prevail (Article 29 and Article 32).


c)  In terms of notification content, a personal information processor shall inform the individual of the necessity of processing such sensitive personal information and the impact thereof on the individual's rights and interests (Article 30).


7. Rules for Cross-Border Transfer of Personal Information


The PIPL specifically provides the rules for the cross-border transfer of personal information, mainly including:


a)  Statutory Conditions. As provided for in the PIPL, any cross-border transfer of personal information shall be subject to the condition that “where it is necessary for personal information to be provided by a personal information processor to a recipient outside the territory of China due to any business need or any other need”, as well as the satisfaction of at least one of the following conditions: (1) where a security assessment organized by the national cyberspace authority has been passed; (2) where a certification of personal information protection has been given by a professional institution; (3) where a contract has been concluded with the overseas recipient in accordance with a standard contract formulated by the national cyberspace authority; or (4) any other condition prescribed by law, administrative regulations or the national cyberspace authority (Paragraph 1 of Article 38). In addition, where any condition or other stipulation on the provision of personal information to a recipient outside the territory of China is contained in any international treaty or agreement concluded or acceded to by China, such stipulation may apply (Paragraph 2 of Article 38).


b)  Special Roles’ Obligation of Data Localization and Security Assessment. It is required by the PIPL that critical information infrastructure operators, and personal information processors who have processed personal information in an amount reaching a threshold prescribed by the national cyberspace authority, shall store the personal information collected or generated by them within the territory of China. Where it is necessary to provide such information to an overseas recipient, a security assessment organized by the national cyberspace authority shall be passed (Article 40).


c)  Informed Consent Requirements. The PIPL imposes clear, specific and stricter requirements on the cross-border transfer of personal information in terms of informed consent and separate consent from a legal perspective for the first time specifically as follows: a personal information processor who is to provide the personal information of any individual to a recipient outside the territory of China shall inform the individual of the organizational or personal name and contact information of the overseas recipient, the purpose and method of the processing, and the type of personal information involved, as well as the way the individual may exercise their rights provided for by this law against the overseas recipient, and shall obtain separate consent from the individual for such a transfer (Article 39).


d)  Standards of Protection. Personal information processors shall take any necessary measures to ensure that the overseas recipients process the personal information provided by them in compliance with the standards of personal information protection stipulated in the PIPL (Paragraph 3 of Article 38).


e)  Other Specific Scenarios for Cross-Border Data Transfer. It is stipulated by the PIPL that any transfer of any personal information stored within the territory of China by a personal information processor to a foreign judicial or law enforcement body shall require approval by the competent authorities, and any organization or individual outside China engaged in any personal information processing activity that infringes upon the rights and interests of any citizen of the PRC in their personal information will be included on a list of restricted or prohibited recipients. The PIPL also requires an equivalent measure be taken against any country or region that takes any unreasonable discriminatory measure against China in respect to personal information protection depending on the specific situation (Articles 41, 42 and 43).


8. Rights of Personal Information Subjects


The PIPL fully provides for the rights of individuals in the personal information processing activities which are one of the core elements of the legal system for personal information protection, including the right to be informed, the right to make decisions, the right to inquire, the right to copy, the right to portability, the right to request the personal information processor to correct, supplement or delete the personal information, and the right to request an explanation. In addition, the PIPL also emphasizes among others the rights of individuals to withdraw their consent to the processing of their personal information, the right to restrict or refuse the processing of their personal information, and the right to refuse automated decision-making. The PIPL also explicitly requires personal information processors to establish mechanisms for receiving and responding to requests from individuals for exercising their rights.


Article 49 of the PIPL specifies the requirements for the protection of a deceased individual’s personal information as follows: In the event of the death of an individual, a close relative of such an individual may exercise among others the right to access, make copies of, or have corrected or deleted, the relevant personal information of such an individual.


9. Strengthening the Personal Information Processors’ Obligations of Compliance Control


The PIPL specifies the obligations of personal information processors in terms of compliance control and personal information security protection, including: personal information processors shall take necessary measures to ensure the compliance of and security in their personal information processing activities in accordance with the laws and regulations; any personal information processor who has processed personal information in an amount reaching a threshold prescribed by the national cyberspace authority shall appoint a person in charge of personal information protection to supervise its personal information processing activities; personal information processors shall regularly audit the compliance of their personal information processing activities with the laws and regulations; any personal information processors who process sensitive personal information or use personal information in automated decision-making or transfer personal information to an overseas recipient or carry out other risky processing activities shall perform risk assessments before acting and keep a record of such processing activities; and upon the occurrence of any leakage of personal information or other security incidents, personal information processors shall perform notification obligations and take remedial measures.


10. Personal Information Protection Authorities and Their Duties


Chapter VI of the PIPL specifies the competent authorities performing personal information protection duties and builds a regulatory structure to govern personal information protection as follows: the national cyberspace authority coordinates and arranges the personal information protection; the competent authorities under the State Council govern, supervise and administer the personal information protection within the scope of their duties respectively; and the competent authorities under the local people’s government at the level above county level shall perform the duties to govern, supervise and administer the personal information protection as determined in accordance with the applicable laws and regulations. The foregoing authorities are collectively referred to as “personal information protection authorities”. In addition, the PIPL specifies the scope of duties of, and the relevant administrative measures that can be taken by, the personal information protection authorities.


11. Legal Liabilities


The PIPL increases penalties for violations and imposes strict legal liabilities. For example, if anyone processes personal information in violation of the PIPL or fails to perform any obligation of personal information protection as specified in the PIPL in processing personal information to the extent that such offence is of a grave nature, the personal information protection authorities at or above provincial level will order it to make corrections, confiscate its illegal gains, and impose a fine of up to RMB 50 million or 5% of its annual revenue in the previous year, and may also order it to suspend any related business or shut down for rectification, and/or revoke any related business permit or its business license (Article 66). In addition, the PIPL adds a new penalty mechanism under which any illegal activity specified in it shall be entered into credit files (Article 67). Therefore, the PIPL increases the penalties for violations related to personal information, as compared with the Cybersecurity Law, the Civil Code and other applicable laws and regulations.


The PIPL also specifies provisions on civil damages, criminal liability and public interest litigation for infringement upon the rights and interests in personal information. Specifically, where any damages are caused due to an infringement upon personal information rights or interests in the processing of personal information, the infringing personal information processor if unable to prove no fault on their part shall bear tort liability, such as the liability for damages (Article 69). Any violation of the PIPL that constitutes a criminal offense shall be subject to criminal liability (Article 71). A people’s procuratorate, a consumer organization as specified by law, or an organization as determined by the national cyberspace authority, may legally bring a lawsuit before a people’s court against a personal information processor who infringes the rights and interests of a large number of individuals in violation of the PIPL (Article 70).


12. Other Requirements in Response to Heated Social Topics


The PIPL also includes the following new requirements and special provisions:


a)  Special requirements on capturing images or identification information in public places. The PIPL regulates the application of face recognition technology in public places, requiring that the installation of any image capturing or personal identification equipment in a public place shall be necessary for maintaining public security and be accompanied by a prominent sign indicating the equipment. Any personal image or personal identification information of an individual collected can only be used for the purpose of maintaining public security, and shall not be used for any other purpose, except with separate consent obtained from the individual (Article 26).


b)  Protection of minors’ information. As provided in the PIPL, the processing of the personal information of a minor under the age of 14 shall be subject to consent by a parent or a guardian of the minor, and special rules of processing of personal information shall be established (Article 31). Responding to calls for the strengthening of the protection of personal information of minors, the PIPL provides stringent protection of the personal information of minors under the age of 14 as sensitive personal information, and on this basis sets forth special requirements such as being subject to a guardian’s consent and special rules for the processing of the personal information of such minors.


c)  Obligations for important internet platforms to protect personal information. Article 58 of the PIPL provides for the obligations of “personal information processors who provide important internet platform services, have a large user base or operate a complex type of business” to protect personal information, which include: (1) establishing an independent body that is mainly composed of external members to supervise the protection of personal information; (2) developing platform rules, specifying the standards for the processing of personal information and the obligations of personal information protection to be met by product or service providers operating on their platform; (3) ceasing the provision of any service to any product or service provider operating on their platform who commits a serious violation of any law in the processing of personal information; and (4) publishing social responsibility reports on personal information protection on a regular basis.


d)  Processing personal information by state authorities expressly brought under the regulation. The PIPL expressly covers the activities of processing personal information by state authorities for the first time and provides for the basic rules of processing of personal information by a state authority for the purpose of performing its statutory duties, including: such processing shall not exceed the scope or limit necessary for the performance of its statutory duties; the state authority shall perform the obligation of disclosure; and personal information processed by the state authority shall generally be stored within the territory of the People’s Republic of China, and where it is necessary to provide such information to an overseas recipient, a security assessment shall be conducted (Articles 33 to 36).


III. Key Changes in the PIPL vs. Second Review Draft


The PIPL and its Draft for Second Review (“Second Review Draft”) are almost identical in terms of framework and style and have the same chapter and section headings. However, from a substance perspective, the PIPL not only amends and improves the wording of several provisions of the Second Review Draft, but also contains substantive amendments and changes to rules in the following nine aspects:


1Specifies the obligations, regulatory measures and responsibilities for personal information protection that are applicable to apps, including: (a) the collection of personal information shall not be excessive; (b) the personal information protection authorities shall organize the testing and evaluation of apps for personal information protection, and publish the results; and (c) any app that illegally processes personal information will be ordered to suspend or terminate its services.


2Prohibits “big data-enabled price discrimination” through automated decision-making.


3Incorporates “personal information of minors under the age of 14” into sensitive personal information, and requires personal information processors to establish special rules for the processing of personal information of minors under the age of 14.


4Includes the circumstance of carrying out human resources management into the legal basis for processing personal information, and exempts personal information processors from obtaining the consent of data subjects under such circumstance.


5Improves the rules of the cross-border transfer of personal information, which requires that the activities of processing personal information carried out by overseas recipients must meet the standards of personal information protection provided in the PIPL.


6Specifies the obligations of the entrusted party in the case of entrusting the processing of personal information, which include taking any necessary measure to protect the security of the personal information processed and assisting the entrusting party to comply with the PIPL.


7Further perfects the rights of personal information subjects, including:


7.1 Adds provisions on the right to personal information portability.

7.2 Improves the requirements on the exercise of relevant rights to the personal information of the deceased.

7.3 Adds provisions that individuals may bring a lawsuit against a personal information processor for the latter’s denial of their request to exercise their rights.


8Perfects the obligations of personal information protection by important internet platforms, especially including the obligation on developing platform rules to specify the standards for the processing of personal information and the obligations of personal information protection to be met by product or service providers operating on their platform.


9. Revises specific requirements on the processing of disclosed personal information, in harmony with the Civil Code.

IV. Our Observations and Suggestions


As the first law specifically developed for personal information protection in China, the PIPL becomes an important legal foundation for the establishment of the legal system for personal information protection in the country.


The Cybersecurity Law, the Data Security Law, the Law on Protection of Consumers’ Rights and Interests, the Civil Code and other laws as well as the regulatory documents issued by the CAC, the MIIT and the MPS provide a general legal basis for compliance with laws and regulations by enterprises and law enforcement by public authorities. Particularly, telecommunication and internet enterprises and internet products such as apps have become a key focus of law enforcement and regulation in recent years. With the promulgation of the PIPL, we believe that law enforcement standards will become stricter and more in-depth and will extend to cover all industries. The PIPL sets out many common requirements for enterprises in different industries and sectors, including establishing a compliance system, and identifying data processing and collection requirements. Meanwhile, such enterprises may be exposed to different risks and compliance challenges. Enterprises need to establish strategies and systems for compliance with the laws and regulations in accordance with the new requirements of the PIPL. Certain key requirements and compliance steps that need to be taken into consideration by all enterprises include:


1. Identifying personal information collection and usage scenarios. Enterprises should understand the circumstances and scenarios in which they collect, store, process, transfer and share information, and have an all-round and in-depth understanding of the compliance status under each circumstance.


2. Amending relevant personal information collection consent forms and privacy policies. Enterprises should inform personal information subjects of the details of information collection and other statutory matters in a truthful, accurate and complete manner, and improve and update the relevant legal documents according to adjustments to their collection and processing practices.


3. Improving the process for obtaining consent for information collection and adding a mechanism for obtaining separate consent. Enterprises should evaluate the various scenarios, both online (e.g. websites, apps and mini programs) and offline, in which they collect information, and consider whether the relevant processes and the mechanisms for obtaining consent to information collection need to be modified.


4. Establishing a special mechanism for the protection of sensitive information and special information collection circumstances. The collection, use and storage of sensitive personal information, of information obtained through face recognition or identification equipment, and of children’s personal information should be specifically evaluated and recorded and should meet the conditions required by law.


5. Preventing the multiple legal risks that may arise in connection with the transmission and sharing of information. This issue should be a key focus and preventative measures should be taken. Where personal information is transferred or obtained, the relevant reviews should focus on compliance with laws and regulations, and rights and obligations should be clearly defined.


6. Designing an appropriate mechanism to ensure that personal information subjects can exercise their rights. Enterprises should ensure that personal information subjects can exercise their rights easily, for example by providing relatives of a deceased natural person with a means and channel for exercising their rights to the personal information of that person.


7. A personal information protection impact evaluation should become an important factor in enterprises’ decision-making. It is suggested that such an evaluation be incorporated into the product and service design stage. Prior to any information collection, the necessity of collecting the relevant information, the impact on personal rights and interests, the security risks, and the legitimacy and validity of the security protection measures should be evaluated.


8. Automated decision-making tools should be used with care in credit evaluation, business marketing and other activities. A security impact evaluation should be made before applying an automated decision-making approach to evaluate an individual’s financial or credit status, and upon request by the individual, an explanation of such an application and alternative solutions should be provided. If business marketing or push-based information delivery is directed at an individual by means of automated decision-making, the individual shall be provided with an option that is not targeted at his or her personal characteristics, or with an easy way to refuse to receive the information.


9. Strengthening the internal control management of personal information protection. The stored personal information and relevant internal systems should be sorted out, and technical and managerial information protection measures should be strengthened. Personal information should be managed based on its classification; appropriate technical security measures such as encryption and de-identification should be taken; the operating permissions for processing personal information should be reasonably determined, and security education and training for employees should be conducted on a regular basis; and a person in charge of personal information protection should be appointed.


10. Amending the provisions on the circumstances where employee information can be collected. Under the PIPL, an individual’s consent is not required when collecting personal information if such collection is necessary for carrying out human resources management under an employment policy legally established or a collective contract legally concluded. However, the enterprise should consider the necessity and lawfulness of collecting employees’ personal information and inform the employees of the collection and use of their personal information.


For enterprises in the medical and pharmaceutical, finance, telecommunications, automobile, smart manufacturing, Internet of Things and other industries and sectors, the characteristics of the relevant industry and its special regulatory requirements (e.g. the Several Provisions on the Management of Automobile Data Security applicable to the automobile industry, which were recently promulgated and will come into effect soon) should also be considered in compliance-related work.


We will continue to keep an eye on the further requirements and measures for the implementation of the PIPL.


1. The PRC or China.

