An Anatomy Of The New Personal Information Protection Law – Data Protection




On August 20, 2021, China’s legislature, the Standing
Committee of the National People’s Congress, finally passed the
Personal Information Protection Law (the “PIPL”) after
three rounds of review. Effective on November 1, 2021, the PIPL,
together with the Cybersecurity Law (the “CSL”, effective
on June 1, 2017) and the Data Security Law (the “DSL”,
effective on September 1, 2021), further completes China’s
legal infrastructure in the field of cyber security.

Here we take a fresh look at the PIPL’s rationale and key rules,
and then offer some preliminary thoughts and suggestions for
compliance.

RATIONALE OF THE PIPL

1. Multi-layer Approach to Personal Information Protection

The PIPL adopts a differentiated protection approach based on
the types of personal information and processing activities. For
general personal information and routine processing activities, the
PIPL requires adequate notification and explicit consent, or
another lawful basis. For sensitive personal information and
high-risk processing of data, processors are required to meet
special requirements in addition to the general obligations. For
instance, processing of sensitive personal information must be
based on specific purposes with sufficient necessity, and such
necessity and the impact on personal rights and interests should be
notified to the individuals concerned. In cases where consent is the
basis for legitimacy, such consent should take the form of
separate consent or written consent, and an assessment of the impact
on personal information protection should be conducted prior to
processing. Personal information of minors under the age of 14 should
be uniformly regarded as sensitive personal information, and any
processing of such information should be based on consent from the
minors’ guardians. Stricter compliance requirements apply to
certain activities, including automated decision-making
based on personal information and the installation of image
collection or personal identification equipment.

2. Uniform Application to Online and Offline Activities

Unlike the personal information protection rules under the CSL,
which only apply to cyberspace, the PIPL does not close the door on
the protection of non-digital personal information, nor does it
distinguish between online and offline personal information
processing activities. In short, the PIPL provides a unified
protection mechanism for the various forms of online and offline
personal information. Processing of personal information
by traditional means (such as on paper or manually) and by means
combining online and offline (e.g. O2O) are both subject to the
PIPL.

3. Shift towards Diversified Lawful Bases

Both the Decision on Strengthening Protection of Network
Information promulgated by the Standing Committee of the National
People’s Congress and the CSL provide that individual consent
is the only lawful basis for processing personal information.
However, it is neither necessary nor practical to rely solely on
individual consent as the lawful basis for processing personal
information, and doing so is also inconsistent with relevant
international practice. In order to ease the rigidity of the relevant
provisions under the CSL, Articles 5.6 and 9.5 of the Information
Security Technology-Personal Information Security Specification (the
“Personal Information Security Specification”) set up
exemption rules in terms of individual consent. Although the
Personal Information Security Specification meets practical needs
to some extent, as a recommended national standard at a
low level it is not able to provide a solid legal basis for lawful
processing of personal information. This is particularly the case in
lawsuits, where the Personal Information Security Specification
cannot be used as an effective defense.

Against this background, Article 13 of the PIPL, by reference to
international legislation, expands the lawful bases for processing
personal information to include:

  1. where consent is obtained from the individual;

  2. where it is necessary for entering into or performing a
    contract to which an individual is a party, or for implementing
    human resources management pursuant to employment policies legally
    established and collective contracts legally concluded;

  3. where it is necessary for fulfilling statutory duties or
    obligations;

  4. where it is necessary for responding to public health
    emergencies or protecting life, health and property safety of a
    natural person in case of emergency;

  5. where the personal information has been made public either by
    the individual or by other lawful means and the processing of such
    information is limited to a reasonable scope in accordance with
    this Law; and

  6. other circumstances stipulated by laws and administrative
    regulations.

Under the EU’s General Data Protection Regulation (the
“GDPR”), the most flexible lawful basis is that
processing is necessary for the purposes of the legitimate
interests pursued by the controller or by a third party, except
where such legitimate interests are overridden by the interests or
fundamental rights and freedoms of the data subject. The PIPL has not
explicitly introduced such a mechanism, but the term “where it is
necessary for implementing human resources management pursuant to
employment policies legally established and collective contracts
legally concluded” is added to the lawful basis of
“necessary for entering into or performing a contract”
under item b, which can be considered an introduction of the
“legitimate interests” clause in the field of labor and
human resources. In addition, the catch-all provision of
“other circumstances stipulated by laws and administrative
regulations” under Item (f) also leaves room for further
expanding the lawful bases based on future practice.

The diversification of lawful bases is one of the major changes
brought about by the PIPL. It gives enterprises more flexibility in
collecting, using and sharing data, and is expected
to have a positive impact on related industries. However, it also
raises new issues, namely how to accurately define, properly
choose and reasonably construct lawful bases in practice, and how
to avoid the lawful bases being held invalid.

4. Coverage of the public sector

On the basis of stipulating the rules for processing personal
information that all types of processors must generally abide by,
the PIPL also sets forth special provisions for the processing of
personal information by state organs. While satisfying the needs of
state organs to perform their duties, their processing of personal
information is appropriately restricted, so that state organs may
not excessively use technical means and state machinery to
interfere with private lives.

Article 37 of the PIPL stipulates that the provisions of this
Law regarding the processing of personal information by state
organs shall apply to the processing of personal information by any
organization with a public affairs management function authorized by
law or regulations.

5. Comprehensive internal and external protection

As the global scramble for data sovereignty heats up, the
PIPL, building on the DSL, also pays attention to strengthening
cross-border data supervision by setting forth a special chapter on
the cross-border provision of personal information.

Article 36 of the PIPL requires that domestic processors take
necessary measures to ensure that the processing of personal
information by overseas recipients meets the PRC’s personal
information protection standards. This requirement is basically
in line with the GDPR’s principles and objectives for
cross-border supervision of personal data. However, unlike the
GDPR, the PIPL, based on the actual conditions of the PRC, does not
introduce the European Union’s “whitelist” system.

On the basis of Articles 25 and 26 of the DSL, Articles 42 and
43 of the PIPL further stipulate the control system for exporting
personal information and the extraterritorial reciprocal protection
mechanism, clarifying that China’s National Cyberspace
Administration may put overseas entities that endanger national
security, social public interests and personal information rights
on the list of entities to which provision of personal information is
restricted or prohibited, and may take countermeasures in response
to countries that adopt discriminatory prohibitions, restrictions or
other similar measures against the PRC in respect of personal
information protection.

KEY RULES OF THE PIPL

1. Rules on Notification and Consent

The PIPL reconstructs the notification and consent rules to a
large extent, with nearly one third of the entire text, which is also
one of the major changes brought about by the PIPL.

Article 18 clarifies the basic content and effective form of
notification, and Article 14 clarifies the basic meaning of
legitimate and valid consent. These two provisions basically follow
the practical rules established by the Personal Information
Security Specification. On this basis, Article 18 adds an exemption
from notification, namely, it is allowed not to inform the
individual if laws and administrative regulations provide that the
information shall be kept confidential or that it is not necessary
to notify the relevant individuals; however, where this is for the
protection of life, health or property safety of a natural person in
the event of an emergency, the individual shall be
informed in a timely manner after the emergency is cleared. We
believe that notification and consent are the two obligations of
processors corresponding to the individuals’ rights to know and to
make decisions respectively. The relationship between the two is
that notification is a prerequisite for consent, the right to know
is prior to the right to make decisions, and in the absence of
notification there can be no consent, but not vice versa. As a
consequence, the circumstances under which notification is exempted
are fewer than those where consent is not required (i.e. by
application of other lawful bases). If notification is exempted, the
individual’s consent is naturally not required; however, if
consent is not required, the right to be informed will not
actually be released unless it falls under the particular
circumstance under which notification is exempted.

Article 14 of the PIPL stipulates that the forms of consent
include voluntary and explicit consent, separate consent and written
consent. Voluntary and explicit consent is a general requirement for
consent, while separate consent and written consent are special
requirements. The applicable circumstances are as follows:

[Image not reproduced: 1191660a.jpg]

The PIPL does not specify what “separate consent”
means. In literal terms, separate consent should be distinguished
from package consent that bundles multiple business functions or
types of information, and the explicit standard shall be met.

Nor does the PIPL specify what “written consent” means.
In accordance with Article 469 of the Civil Code, in addition to
the forms in which the content carried can be represented in a
tangible manner, such as a written contract, letter, telegram or
telex, etc., “written form” also includes data messages
that can tangibly represent the contents contained by way of
electronic data interchange, e-mail, etc., and can be accessed for
reference at any time. According to this definition, when a user
clicks and checks the “Agree” box on a website or
APP page, such network operation records will be stored on
the server in the form of data and can be accessed for reference at
any time thereafter. This seems to meet the requirement of written
form. However, it is then no different from consent in general form.
The significance of emphasizing written consent in the PIPL
warrants further discussion. In addition, it needs to be further
clarified whether written consent also includes consent given by an
individual in telephone recordings or videos.

Under the PIPL, the rules of notification and consent under
special circumstances are as follows:

[Image not reproduced: 1191660b.jpg]

2. Rules on Installation of Image Collection and Personal
Identification Equipment in Public Places

Article 26 of the PIPL provides that the installation of image
collection equipment and personal identification equipment in
public places shall satisfy all of the following requirements:

  1. Restriction on purpose: necessary for maintaining public
    security;

  2. Additional requirement on notification: prominent signs shall
    be set up;

  3. Restriction on using personal information for other purposes:
    shall obtain individuals’ separate consent.

Image collection equipment and personal identification equipment
as provided herein are not limited to facial recognition equipment,
because image collection equipment and personal identification
equipment do not necessarily use facial recognition technology. For
example, security surveillance video can collect personal images
without using facial recognition technology for analysis,
verification and identification; and personal identification
equipment may use facial recognition, gait
recognition or voice recognition technology. Therefore, the scope
of application of Article 26 is apparently broader than that of the
Provisions of the Supreme People’s Court on Several Issues concerning
the Application of Law in Hearing Civil Cases with Respect to Using
Facial Recognition Technology to Process Personal Information (the
“Judicial Interpretation on Facial Recognition”).

Article 26 is applicable only in public places. As to what
“public places” means, the PIPL does not provide a clear
interpretation. With reference to Article 2 of the Regulations on
Sanitation Management of Public Places and general rules of thumb,
places that are accessible to unspecified individuals, including
hotels, restaurants, barbershops, beauty salons, cinemas, theaters,
parks, shopping malls, bookstores, waiting rooms in hospitals,
waiting rooms for bus stations (airports and piers), and public
transportation vehicles, should all be regarded as public places.
Item 1 of Article 2 of the Judicial Interpretation on Facial
Recognition and Appendix D of the Guidelines on Notification and
Consent for Personal Information (Draft for Comments) provide
similar definitions of public places. However, both the terms
“business premises” and “public places” are
used in the Judicial Interpretation on Facial Recognition. It
remains to be seen whether there is any difference between the
two.

With regard to the restriction on purpose, there are three
possibilities: there is no purpose of maintaining public security;
the purpose is only to maintain public security; and the purpose is
both to maintain public security and to serve other purposes. In the
first scenario, the purpose restriction is not satisfied even if
individuals’ consent is obtained; whereas in the latter two
scenarios, the purpose restriction is satisfied.

As to the meaning of “public security”,
with reference to the elements of the crimes of endangering public
security, public security refers to the life and health of an
unspecified majority of people, the safety of major public and
private property and the safety of public production and living,
the core of which lies in the non-specificity of the protected
object.

As for setting up prominent reminder signs, the standard is to
ensure that individuals have a “general threat perception” of the
information collected by the devices. That is, the area covered by
the device can be known by the public, and such a device cannot be
installed in a secret place unknown to the public. The emphasis is
that ordinary reasonable people can perceive the threat of invasion
of privacy and will not have any reasonable expectation of privacy.
In addition, setting up prominent reminder signs is only an
additional notification requirement, which cannot replace
notification and obtaining of consent by the processors, who still
need to abide by the general rules of notification and consent.1

Under the multi-layer restrictions set by Article 26, the use of
facial recognition technology for precision marketing and other
purposes in smart retail scenarios will face severe compliance
challenges.

3. Rules for Using Personal Information in Automated
Decision-Making

Drawing on the GDPR and domestic practice, Article 24
of the PIPL puts forward the basic regulatory requirements for
automated decision-making and personalized display, which
preliminarily responds to the social concern about “big data
killing”. It is a limited exploration of algorithm
supervision. However, algorithm supervision is a systematic and
cutting-edge issue. The current laws only sporadically touch on
this field, and it needs more research, exploration and overall
design.

Article 24 provides for both automated decision-making and
personalized display. The two are related, but are two different
types of activities.

According to Article 73, automated decision-making refers to the
activity of automatically analyzing or assessing the behavior and
habits, interests and hobbies, financial, health
or credit status or other information of an individual, and making
decisions through a computer program. Further referring to Article
22 of the GDPR and the Guidelines on Automated individual
decision-making and Profiling for the purposes of Regulation
2016/679 published by the WP29 Working Group, automated
decision-making may rely either on user profiling data or on
other data. No matter what kind of data the automated
decision-making is based on, the bottom line is that it relies
on technology to help personal information processors make
decisions, and such decisions may have a significant impact on the
rights and interests of the personal information
subject, especially a negative impact; for example, the decision made
through automated decision-making is to refuse to grant a loan to a
borrower. Therefore, the processor should ensure the transparency
of its decision-making and the fairness and impartiality of its
results, and should not apply unreasonably differentiated treatment
to individuals with respect to transaction conditions such as
price. When the processor makes decisions that have a significant
impact on individuals’ rights and interests, the individuals
have the right to request explanations from the processor, and also
the right to reject decisions made by the processor solely through
automated decision-making.

With regard to personalized display, by reference to Article
3.16 of the Personal Information Security Specification,
“personalized display” means the activity of displaying
information or providing search results for products or services to
personal information subjects based on their personal information,
including their web browsing history, interests, consumption
records and habits. The purpose of personalized display is to
influence the choice and decision of the individual, not the
decision of the processor itself. For this reason, Article 24 (2) of
the PIPL requires that individuals be given autonomous control,
that is, processors should provide options not tailored to
personal characteristics or provide individuals with a convenient
means of rejection.

4. Rules for Cross-border Transfer of Personal Information

Article 38 of the PIPL expands the scope of entities subject to
the rules regulating cross-border transfer of personal information
from critical information infrastructure operators
(“CIIO”) as stipulated by the CSL to all
personal information processors.

According to Article 39, cross-border provision of personal
information must satisfy the following preconditions:

  1. Personal information subjects shall be informed of the
    circumstances of the cross-border provision of personal
    information, such as the recipient of personal information, the
    type of recipient of personal information, the types of personal
    information provided, etc. However, if it is within the scope of
    exemption from notification, the party is not required to fulfill
    its obligation of notification;

  2. If consent is used as the lawful basis for processing personal
    information, separate consent of the individual is required. If
    another lawful basis is relied on, no consent is required;

  3. The overseas recipient is not included by the national
    cyberspace administration authority in the list of entities to
    which provision of personal information is restricted or
    prohibited.

Subject to the satisfaction of the preconditions, cross-border
provision of personal information must also follow the
appropriate legal path in accordance with Article 38:

  1. For CIIO and personal information processors whose processing
    of personal information reaches the threshold amount prescribed by
    the national cyberspace administration authority: on the basis of
    local storage, if it is indeed necessary to provide personal
    information to overseas recipients, a security assessment organized
    by the cyberspace administration authority shall be conducted,
    unless otherwise prescribed;

  2. Other personal information processors: they may choose one of
    the following three ways: pass the personal information protection
    certification process of professional institutions, enter
    into the standard contract formulated by the cyberspace
    administration with the overseas recipient, or follow other
    statutory paths.

5. Rights of personal information subjects

According to Articles 44 to 47 of the PIPL, personal information
subjects enjoy many rights, which can be roughly divided into the
following two parts:

  1. Basic rights: the rights to be informed, to make decisions, and
    to restrict and refuse personal information processing activities.
    The right to be informed is the premise and basis for the right to
    make decisions and other rights; the right to restrict and reject
    processing is the extension of the decision-making right.

  2. Specific rights: right of access, right to obtain copies, right
    of rectification, right of deletion and right of portability of
    personal information.

Compared with existing rules, the PIPL adds the portability
right and arrangements for the relatives of the deceased to
exercise the personal information rights of the deceased.

Whether to introduce the portability right was controversial
during the legislative process of the PIPL. Article 45 stipulates
that if an individual requests to transfer his personal information
to a personal information processor designated by him, which meets
the conditions prescribed by the national cyberspace administration
authority, the processor requested shall provide a channel for
transfer. While introducing the portability right, it adds the
restriction of “meet[ing] the conditions prescribed by the
national cyberspace administration authority”, which provides
flexibility. If there are difficulties in technical implementation and
cost tolerance at present, the cyberspace administration authority
may limit the scope of application and impose additional conditions,
which may be gradually relaxed in the future.

As for the personal information of the deceased, Article 49
stipulates that, upon the death of a natural person, his/her close
relatives may, for their own legitimate and rightful interests,
exercise the rights to access, obtain copies of, rectify and
delete the relevant personal information of the deceased, unless
otherwise arranged by the deceased during his/her lifetime.
Compared with the Draft of the PIPL, this arrangement better
balances the interests of the deceased and his/her close relatives.
However, Article 994 of the Civil Code stipulates that the
personality rights and interests of the deceased, such as privacy,
are still protected by law. If the close relatives of the deceased
exercise the rights to the personal information of the deceased for
their own interests, they may conflict with the personality
interests of the deceased, or with the interests or will of other
close relatives. How to coordinate the conflicts among the three
remains to be tested in judicial practice.

6. Special Obligations of the “Gatekeeper”

Article 58 of the PIPL adds “gatekeepers’
obligations” for large internet platforms to protect personal
information, requiring personal information processors that are
providers of important internet platform services, have a large
user base and operate a complex business type to fulfill the
following obligations:

  1. Establish a sound personal information protection compliance
    system in accordance with state regulations, and set up an
    independent body mainly composed of external members to supervise
    personal information protection;

  2. Follow the principles of openness, fairness and impartiality,
    formulate platform rules and clarify the obligations of product or
    service providers within the platform to regulate the processing of
    personal information and to protect personal information;

  3. Cease to provide services for product or service providers on
    the platform which process personal information in serious
    violation of laws and administrative regulations;

  4. Release reports on social responsibility for personal
    information protection on a regular basis, and accept public
    supervision.

These “gatekeepers” are key to personal information
processing in the internet ecosystem. They provide the providers of
products or services on their platforms (such as Apps, mini programs,
public accounts and SDKs, hereinafter referred to as the
“service providers within the platforms”) with access
services (including distribution, downloading, updates, etc.),
operations, technical resources and information collection
channels, as well as market and user access channels. Large
internet platforms can be the first line of defense to manage and
control the personal information compliance of the service providers
within the platforms, based on the technology and operating
environment restrictions they impose on the service providers within
the platforms.2

However, the PIPL does not clearly define the standards for
determining “important internet platforms”, “have a
large user base” and “operate a complex business
type”. With reference to the Interim Provisions on the
Administration of Personal Information Protection of Mobile
Internet Applications (Draft for Consultation), the Daodou v. Baizan
and WeChat Case and Professor Zhang Xinbao’s opinion, the
following types of internet platforms may be identified as
“gatekeepers”:

  1. Mobile application distribution platforms;

  2. Intelligent terminal operating system service providers;
    and

  3. Internet platforms that provide basic network services, such as
    platform-based APPs providing automatic network access or automatic
    transmission services, such as WeChat with mini
    programs.3

7. Penalties and Remedies for Violations

Chapter 7 of the PIPL properly links up with civil law,
administrative law and criminal law, and clarifies the legal
liabilities for violation of personal information protection
obligations. The highlights include:

  1. The administrative penalty stipulated by Article 66 of the PIPL
    has a considerable deterrent effect. According to this Article,
    a violator that illegally processes personal
    information or fails to fulfill the obligation of protecting
    personal information may be fined up to 50 million yuan
    or up to 5% of last year’s annual revenue. Those subject
    to such penalties include both the processors and the agents
    entrusted to process personal information.

  2. Article 69 of the PIPL establishes the rule of constructive
    fault, that is, if the processor cannot prove that it is not at
    fault when it infringes personal information rights and interests,
    it should bear tort liability such as paying damages. This Article
    also clarifies the compensation criteria for infringement of
    personal information rights and interests. If personal
    information rights and interests are infringed as a result of the
    processing of personal information, the liability for damages
    borne by the processor shall be determined based on the loss
    incurred by the infringed individual, or the gains derived from the
    infringement by the processor. If the loss or gains are
    difficult to ascertain, the People’s Court may determine
    the amount of compensation according to the actual situation.

  3. Article 70 of the PIPL also provides for public interest
    litigation. A people’s procuratorate, a consumer organization
    as specified by law, or an organization as determined by the
    national cyberspace authority may file a lawsuit with a
    people’s court in accordance with law against a personal
    information processor whose processing of personal information
    violates this Law and infringes the rights and interests of a large
    number of individuals. Before the promulgation of the PIPL, Article
    55 of the Civil Procedure Law and Articles 1 and 2 of the
    Interpretation of the Supreme People’s Court on Several Issues
    concerning the Application of Law in the Trial of Civil Public
    Interest Litigation regarding Consumer Rights and Interests had
    provided legal support for public interest litigation against
    infringement of personal information. It is publicly reported that
    prosecutors in 14 provinces and municipalities, including
    Guangdong, Jiangsu, Zhejiang and Shanghai, have successively
    explored the possibility of including personal information
    protection in the scope of public interest litigation. Some
    prosecutors in Shenzhen, Fujian and Sichuan have filed public
    interest litigation collateral to criminal proceedings.

The above provisions of the PIPL will reverse the situation of
weak protection of personal information caused by the high cost of
rights protection, the difficulty of proving causation, and the low
amount of damages.

TIPS FOR COMPLIANCE FOR BUSINESS ENTITIES

The PIPL provides diversified legal bases for processing
personal information and thus gives enterprises more
flexibility to lawfully process personal information. Where it is
impossible or difficult to obtain individuals’ consent at present,
enterprises may switch to another lawful basis, according to the
actual situation and upon comprehensive legal reasoning.
Businesses may even construct a lawful basis within the scope of the
law based on the characteristics of the business.

The PIPL reconstructs the rules of notification and consent to a
large extent, especially for sensitive personal information and
high-risk processing activities, and puts forward the requirement
of separate consent. How to understand “separate
consent”, how to harmonize “separate consent” for
special types of data or special processing activities with the
existing practice of notification and consent based on business
functions, how to achieve “separate consent” through
product design, and whether it will be recognized by competent
authorities and judicial authorities are major challenges faced by
many enterprises, which need to make adjustments after comprehensive
consideration of product features.

The PIPL does not introduce the rule that “sharing of
de-identified information does not require individuals’
consent”, which challenges the legality of data circulation
businesses that previously relied on this rule. In this regard,
enterprises can choose other lawful bases, or add user consent, or
adjust the business model according to the actual situation of the
business.

The PIPL establishes a comprehensive mechanism for managing
cross-border transfer of personal information, and the previously
pending management system on the cross-border transfer of personal
information for non-CIIO enterprises becomes a legal requirement.
Businesses shall sort out the matters relating to the cross-border
transfer of data, inform individuals of the information to be
transmitted abroad by amending privacy notices or by other means,
and obtain their consent unless other lawful bases can be relied
on. On top of this, the business shall enter into a standard
contract (currently formulated by the national cyberspace
administration authority) with the overseas recipient, and take
necessary measures (such as contractual constraints, technical
restrictions, regular reviews, compliance audits) to ensure that
the recipient properly protects the personal information. After the
state issues rules on certification of personal information
protection in the future, personal information may be
transmitted abroad by way of certification.

Enterprises shall establish and improve response and process
mechanisms for individuals’ requests to exercise their rights,
set up convenient channels for them to exercise their rights, and
reply in a timely manner to the requests of personal information
subjects and the close relatives of the deceased to exercise rights. The
portability rights newly added by the PIPL may be tried out with
clear rules to the extent that is technically feasible and
affordable; if there is difficulty in implementation, they may be
put into practice after the competent authorities clarify the
applicable conditions.

If overseas enterprises process personal information for
providing domestic natural persons with products or services, or
process personal information for the purpose of analyzing or
evaluating the behaviors of domestic natural persons, regardless of
whether they have any entities in the PRC, they shall set up a
special agency or designate a representative in the PRC to be
responsible for relevant matters of personal information
protection, and report the name of the agency or the representative
and the contact information to the competent authorities. This puts
forward new requirements for overseas enterprises engaging in
business operations in China. If such overseas enterprises have any
entities in the PRC, they may designate the domestic entity to
handle matters of personal information protection on their behalf;
if such overseas enterprises have no entities in the PRC, they may
appoint a lawyer or other service providers to handle matters of
personal information protection on their behalf.

The PIPL requires enterprises not only to perform various
personal information protection obligations, but also to establish
a comprehensive internal governance system, including arrangements
of responsible personnel for personal information protection,
internal management system and operational procedures, technical
security measures, personnel management, emergency response and
management, compliance audit, impact assessment, etc. These are
relatively high requirements for small and medium enterprises. Only
by taking these measures can enterprises build a
“bulwark” and establish a “safe harbor” to
prevent risks.

Footnotes

1. Zhang Xinping, “Embedded
Governance of Law and Technology in Intelligent Video
Surveillance”, in Legal and Social Development, No. 5,
2020.

2. Zhang Xinbao, Research on Setting
Special Obligations for “Gatekeepers” of Internet Ecology
to Protect the Personal Information of Personal Information, Volume
3, 2021.

3. Hangzhou Daodou Network Technology
Co., Ltd., Changsha Baizan Network Technology Co., Ltd. and
Shenzhen Tencent Computer System Co., Ltd. over the infringement
upon the right to network dissemination of works and data,
Civil Judgment (2018) Zhe 0192 Min Chu No.7184 of the Hangzhou
Internet Court; Zhang Xinbao, Research on Setting Special
Obligations for Internet Ecological “Gatekeeper” Personal
Information Protection, Comparative Law Research, Issue 3,
2021.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.

