Key regulatory changes in China's new legislation on personal information protection
The new law is in essence an omnibus rulebook for those who process[1] the personal information of individuals located in China, regardless of whether those processors of personal information[2] are in China themselves or are outside of China. There are general rules for personal information processors (Chapter 2, part 1), as well as special rules for government organs (Chapter 2, part 3). There are also special rules for those that process sensitive personal information (Chapter 2, part 2). The new law also outlines the unified rules applicable to the provision of personal information across borders (Chapter 3). It articulates rights for individuals in connection with the activities of those who process personal information (Chapter 4) and spells out certain obligations for those who process personal information (Chapter 5). The law identifies the departments that are responsible for carrying out the protection of personal information (Chapter 6). Legal liability for violation of the law is set out in Chapter 7.
The term “personal information” is defined quite broadly in the law, leading the reader to consider other already existing laws and regulations in this area – “All kinds of information recorded electronically or through other methods related to identified or identifiable natural persons, not including information after being made anonymous (Article 4(1)).” A photograph of a person along with that person’s name would seem to be enough to qualify as personal information if it contains sufficient details for identifying the natural person. Or a name together with an email address might also seem to be enough, but a name alone would likely not be enough unless it was unique. Put another way, “personal information” looks to be any combination of information that allows someone to identify one person from another person. If this is the correct interpretation, multiple headaches are coming for those that hold or use the information of individuals in China.
Footnotes
1. Under the PIPL, the processing of personal information includes the collection, storage, use, processing, transmission, provision, disclosure and deletion of personal information.
2. Please note that the definition of the personal information processor under the PIPL is similar to that of the data controller under the GDPR.
Key regulatory changes in China's new legislation on personal information protection Sept 21