China has passed a new law on personal data protection which will take effect on 1 November.
The Personal Information Protection Law (PIPL) lays out for the first time a comprehensive set of rules on data collection, processing and protection.
Under the law, personal information refers to all kinds of information relating to an identified or identifiable person, recorded electronically or by other means, excluding information that has been anonymised.
The law says that handling of personal information must have a clear and reasonable purpose and should be limited to the "minimum scope necessary to achieve the goals of handling" data.
The consent of the individual should be obtained again if there is a change in the purpose of processing personal information, the manner of processing and the type of personal information to be processed.
Where personal information is processed based on the individual's consent, the individual has the right to withdraw their consent. Personal information should be kept for the minimum period of time necessary to achieve the purpose of processing.
The processor of personal information may only process sensitive personal information if there is a specific purpose and sufficient necessity, and strict protection measures are taken. Individual consent should be obtained for the processing of sensitive personal information.
Sensitive personal information includes information on biometrics, religious beliefs, specific identities, medical and health care, financial accounts, whereabouts, and personal information of minors under the age of 14.
Under the law, when pushing information and commercial marketing to individuals via automated decision-making, personal information processors should at the same time provide options that do not target personal characteristics, or offer options to refuse.
The law also requires suspension or termination of services for applications that illegally process personal data.
The second draft of the PIPL was released publicly in April and the first draft was released in October 2020.
Leo Xin of Pinsent Masons, the law firm behind Out-Law, said: “The Personal Information Protection Law (PIPL) is a milestone in China’s data protection legal landscape. For multinationals, special attention shall be given to the rules on transfer of data out of China under Chapter 3 of the PIPL.”
“However, there are still certain areas which remain unclear and require detailed implementation rules, such as how the security assessment should be handled, what the model clauses for data transfer formulated by the China Cyberspace Administration look like, what approval procedure shall be gone through in case there is a request for personal information by overseas judicial organs or law enforcement agencies,” he said.
“It is advisable for multinationals to start to evaluate the potential impact of the new law on their IT infrastructure as well as data processing activities as early as possible,” Leo said.