The Personal Information Protection Law of the People's Republic of China (hereby referred as the “Personal Information Protection Law”) was recently enacted and will come into effect on November 1st, 2021. This is the first law focusing on the protection of personal information in China.
Personal information refers to all kinds of information related to identified or identifiable natural persons recorded by electronic or other means excluding information after anonymization processing. The processing of personal information specifically encompasses collection, storage, use, handling, transmission, offering, disclosure, deletion, etc. The core principle is “Notice-Consent”, means that individual consent should be obtained with adequate prior notice, information processors should provide a convenient way to withdraw consent.
Regulate acts as excessive collection on APPs for personal information, big data bias and illegal trading and leaking personal information. Personal information processors using personal information for automated decision-making should ensure transparency in decision-making and fair and equitable results, and should not apply unreasonable differential treatment to individuals for transaction conditions as transaction prices.
The handling of sensitive personal information will become stricter. Sensitive personal information may include bio-identification, religious beliefs, specific identities, healthcare, financial accounts, location tracks, etc. Sensitive personal information may be handled only under specific purpose and sufficient necessity with strict protection measures, and an impact assessment should be conducted in advance and the individual should be informed of the necessity of the handling and the effects on the rights and interests of the individual. Also, personal information of minors under the age of fourteen is also sensitive personal information and the consent of the minor's parents or other guardians must be obtained.
Improve rules for cross-border offering of personal information. Operators of critical information infrastructures and personal information processors up to the amount specified by the State Internet Information department shall store personal information collected and generated in the People's Republic of China within the territory.
Special obligations will be set for the personal information processors and large-scale network platforms. The Personal Information Protection Law establishes special chapters to clarify the obligations of personal information processors and large-scale network platforms in terms of compliance management and safeguarding the security of personal information.
In addition, the Personal Information Protection Law makes special provisions for the protection for deceased persons, clarifies that under the premise of respecting the living arrangements of the deceased, their close relatives can exercise the right to access, copy, correct and delete the personal information of the deceased for their own legal and legitimate interests.
If you want to read the complete article, you can refer to the below link (in Chinese only): http://www.shanghaiinvest.com/cn/viewfile.php?id=16583
If you have any question, please contact me.
Mr. Mike Chang (Partner)