Understanding China's Personal Information Protection Law: From Its Background to Measures Japanese Companies Should Take

For legal professionals in companies that are planning to expand into China or have already done so, concerns about China’s personal information protection laws are likely common.

This article provides a comprehensive introduction to the legal regulations you need to be aware of when expanding your business into China. It also clearly explains the methods of compliance and the points that Japanese companies should address. Use this as a reference to understand China’s Personal Information Protection Law and start taking the necessary measures.

Background and Objectives of the Enactment of China’s Personal Information Protection Law

Until recently, China did not have a comprehensive law for the protection of personal information similar to the Japanese Personal Information Protection Law. However, there had been movements to formulate such a law, and on November 1, 2021, the ‘Chinese Personal Information Protection Law’ was enacted, marking the first comprehensive legal framework for personal information protection in China.

While laws such as the ‘Cybersecurity Law’ and the ‘Data Security Law’ have a strong emphasis on national security, the Chinese Personal Information Protection Law focuses more on the protection of individual rights.

The framework of China’s Personal Information Protection Law appears to be heavily influenced by recent international regulations, such as the EU General Data Protection Regulation (GDPR). However, the specifics regarding the legal basis for legitimacy and the rights of individuals are unique, necessitating tailored compliance strategies.

Scope of China’s Personal Information Protection Law

In this section, we will explain the scope of regulation under China’s Personal Information Protection Law.
If the following conditions are met, they will be subject to regulation, so it is important to be aware of them.

• When the purpose is to provide goods or services to individuals within China
• When the purpose is to analyze or evaluate the behavior of individuals within China
• Other cases as prescribed by laws and regulations

The Chinese Personal Information Protection Law may extend its effect not only within China but also to foreign countries in certain cases. Furthermore, even if the activities are conducted outside of China, if they involve the sale of products or analysis of behavior targeting ‘individuals’ within China, the law will apply. Therefore, it is crucial to take note of this.

Key Points to Understand the Chinese Personal Information Protection Law

In this section, we will explain eight key points for understanding the Chinese Personal Information Protection Law.

Legal Basis for Compliance

Companies may handle personal information only if they meet one of the legal bases defined by the Chinese Personal Information Protection Law.

The seven legal bases are as follows:

• Individual consent
• Contractual performance
• Compliance with legal obligations
• Public health
• Public interest
• Processing of disclosed personal information
• Other circumstances as stipulated by laws and regulations

As can be seen, the concept of “legitimate interests” found in the GDPR is not included. Therefore, it is anticipated that there will be more instances where personal information must be handled based on individual consent compared to the GDPR.

Furthermore, consent must be defined as something that “the individual can easily withdraw at any time.” Careful consideration is required to ensure that the user interface (UI) allows for easy withdrawal of consent and that the methods for withdrawal are clearly and concisely explained.

Information Provision

Before handling personal information, companies must notify the individual in clear and understandable language about the matters required by the Chinese Personal Information Protection Law (Japanese: 中国個人情報保護法).

In addition to the purpose of handling, detailed information provision is required, including the methods of processing, types of personal information, storage periods, and the methods and procedures for exercising rights.

Agreement with Service Providers

When entrusting the handling of personal information to a service provider, it is necessary to agree on the purpose of processing, deadlines, methods, and protective measures through a contractual agreement.

At the same time, you will also assume the responsibility for supervising the entrusted processing. When handling personal information jointly with other companies, just as with entrustment, it is essential to agree in advance on the purpose and method of handling the personal information, as well as the rights and obligations of both parties.

Regulations on Cross-Border Transfers

When providing personal information collected within China to third parties outside the country, two key responses are required.

The first is to notify the individual of the recipient’s name and contact information, the purpose and method of processing, the types of personal information, and how the individual can exercise their rights with the recipient. Additionally, it is necessary to obtain the individual’s consent separately.

The second is to implement one of the following four measures:

• Passing the national security assessment
• Obtaining certification for personal information protection from a specialized agency
• Entering into contracts with recipients outside the region based on standard contracts
• Meeting other conditions stipulated by the national internet information department

Depending on the content of the personal information being transferred, a national security assessment may be mandatory. Therefore, it is advisable to check the necessity of a national security assessment in accordance with the ‘Japanese Data Cross-Border Transfer Security Assessment Method’ before selecting the appropriate measures to take.

About Rights

The Chinese Personal Information Protection Law grants individuals various rights, including the right to be informed, the right to access, the right to copy, the right to withdraw consent, data portability, the right to rectification, and the right to erasure.

In addition, it recognizes the “rights of the deceased,” which are not acknowledged under the GDPR. The “rights of the deceased” refer to the ability of close relatives to exercise the rights on behalf of the deceased individual. Therefore, it is important to also be mindful of the protection of the deceased person’s information.

Obligation to Report Incidents

To prevent the leakage of personal information, companies are required to implement measures similar to those demanded by the Information Security Management System (ISMS).

The following are examples of the required responses:

• Establishment of internal regulations
• Classification management according to confidentiality levels
• Encryption as necessary
• Implementation of pseudonymization
• Conducting employee training
• Development of an incident response process, etc.

As measures for security management are also stipulated in the Cybersecurity Law and the Data Security Law, it is advisable to carefully organize the requirements of these three laws and confirm your strategies.

Related article: What is the Chinese Cybersecurity Law? Explaining the Key Points for Compliance[ja]

Related article: What is the Chinese Data Security Law? Explaining the Measures Japanese Companies Should Take[ja]

Obligation to Appoint a DPO and Local Representative

Companies are required to appoint a DPO (Data Protection Officer) when the volume of personal information they handle reaches a certain threshold.

Furthermore, companies subject to extraterritorial application must establish a representative within China and report their name and contact information to the competent authorities.

Obligation to Conduct Privacy Impact Assessments

Companies are required to conduct a preliminary risk assessment and appropriately control risks if they fall under any of the following five scenarios:

The cases where the implementation of an obligation is necessary are as follows:

• When handling sensitive information
• When making automated decisions
• When entrusting the handling of personal information or providing it to third parties
• When transferring personal information abroad
• When significantly impacting an individual’s rights and interests

Penalties for Violating the Personal Information Protection Law in China

In the event of a violation, there is a risk of incurring substantial sanctions, with penalties reaching up to 50 million yuan or 5% of the previous year’s sales. As the law also applies extraterritorially, Japanese companies conducting business with China must take prompt action to comply.

Measures Japanese Companies Should Take for Personal Information Protection Law Compliance

In this section, we will introduce four measures that Japanese companies should implement for personal information protection compliance.

Review Internal Systems

First, consider reviewing your internal systems. Due to the obligation to appoint a representative or a Data Protection Officer (DPO), it is necessary to reassess your company’s structure.

Examples include establishing specialized legal and technical departments responsible for compliance with data containing personal information, organizing business workflows, and conducting detailed data mapping, among various other measures.

Update Regulations and Policies

Updating regulations and policies is also crucial. It is necessary to revise your regulations and policies to comply with the Chinese Data Three Laws.

Beyond simply drafting regulations that reflect legal requirements, it is essential to establish operational procedures that all employees can execute.

Understand the Reality of Operations

Since the Personal Information Protection Law was enacted on November 1, 2021 (2021), it is still relatively new, and companies must continuously strategize while understanding the actual state of operations. Employees of the company are also required to handle personal information appropriately and strictly adhere to the laws as a rule.

Therefore, companies should conduct regular training for employees to deepen their understanding of the latest laws and procedures.

Build a Cooperative System with Experts

Building or strengthening a cooperative system with experts is indispensable. By establishing a cooperative system with experts familiar with Chinese regulatory laws, you can respond swiftly. Moreover, companies need to regularly monitor and evaluate their compliance status regarding personal information protection. Thus, building a cooperative system with external experts is essential.

Summary: Understanding Multiple Regulations and Ensuring Accurate Compliance

On November 1, 2021, China implemented its first comprehensive ‘Chinese Personal Information Protection Law’. For companies operating globally, Chinese data-related regulations (Cybersecurity Law, Data Security Law, and Personal Information Protection Law) are indispensable due to the significance of the market and the strictness of the regulations. Depending on the situation, it is essential to establish a system that can carry out the necessary practical work, possibly with the assistance of experts.

Guidance on Measures by Our Firm

Monolith Law Office is a legal practice with extensive experience in both IT, particularly the internet, and legal matters. In recent years, global business has been expanding increasingly, and the need for legal checks by specialists is growing more than ever. Our firm provides solutions related to international legal affairs.

Areas of practice at Monolith Law Office: International Legal Affairs & Overseas Business[ja]