
Personal information: another brick in the wall

by Karen Wang

In just a few recent years, Chinese legislators have caught up with the development of a modern framework of laws, regulations, authorities and practices to protect data and privacy.

Here comes the latest "member of the family": the Personal Information Protection Law of the People's Republic of China (the "Personal Information Protection Law" or "PIPL").

PIPL was deliberated and adopted at the 30th meeting of the Standing Committee of the 13th National People's Congress on August 20, 2021, and it will come into force on November 1, 2021.

The Personal Information Protection Law has 8 chapters and 74 articles. The law establishes the rules for personal information protection from the aspects of personal information processing, the rights and obligations of individuals and processors, and legal responsibilities in personal information processing.

Let's take a look at the main highlights of this brand-new law together.


Rules of “Notice and Consent”

Based on the principles of lawfulness, legitimacy, necessity and good faith that are clearly stressed by the Personal Information Protection Law, the Law requires that the individual's consent be obtained, on the premise of full notification in advance, for the processing of personal information.

In case of any change in important items of personal information processing, the individual shall be informed and consent shall be obtained again. 

Furthermore, the Law also points out that personal information processors shall obtain separate consent, especially when processing sensitive personal information, including but not limited to biometric recognition, religious belief, specific identity, medical and health information, financial accounts, etc.

It is worth mentioning that the Supreme People's Court stressed that, among biometric information, facial recognition data is the personal information with the strongest social attributes and the easiest to collect, and that it is unique and unchangeable. If facial recognition data is leaked, it will cause great harm to individuals and property, and may even threaten public safety.

This is consistent with the Personal Information Protection Law, which clearly classifies biometric information as sensitive personal information and requires processors to obtain individual consent when processing such information.

Prohibit “Big data-enabled price discrimination against existing customers”

Online shopping has become a daily necessity in our lives. However, some e-commerce companies discriminate against consumers on transaction prices by using their knowledge of consumers' economic status, consumption habits, price sensitivity and other information to mislead and defraud consumers.

In this regard, the Personal Information Protection Law imposes special restrictions on "automatic decision-making" (that is, an activity of conducting any analysis or assessment of the behavior and habits, interests and hobbies, financial, health or credit status or other information of an individual, as well as any decision-making automatically through a computer program) to restrict "big data-enabled price discrimination against existing customers", and makes clear that the impact on personal information protection should be evaluated before using personal information for automatic decision-making.

Meanwhile, it is clearly prohibited for companies to impose unreasonable differential treatment on consumers on transaction conditions such as transaction prices through automatic decision-making. 

Strengthen the obligation of personal information processors

One of the members of the Legislative Affairs Committee of the National People's Congress states that the personal information processor is the party primarily responsible for personal information protection.

In addition, the Personal Information Protection Law sets up an independent chapter to clarify the compliance management and personal information security obligations of personal information processors, requiring such processors to formulate internal management systems and operating procedures, take technical security measures, designate a person in charge to supervise their personal information processing activities, and regularly conduct compliance audits on their personal information activities, etc.

Increasing the punishment

Firstly, the Personal Information Protection Law specifically stipulates the measure of "ordering to suspend or terminate the services" for apps that illegally process personal information.

Moreover, for "severe" violations, the illegal income will be confiscated and a fine of less than 50 million yuan or less than 5% of the turnover of the previous year will be imposed. At the same time, the person directly in charge will be fined up to one million yuan, and will be prohibited from serving as a senior executive and person in charge of personal information protection for a certain time.

It is not hard to see that these penalties are clearly meant to remind companies that personal information compliance will become the top priority in company operations in the future.

At this point, we would like to give you a friendly reminder that establishing and improving a compliance system for personal information processing is an urgent task for all companies; otherwise, they will eventually be eliminated by this digital world.