Answer: Yes. While a violation of the Personal Information Law generally leads to civil infringement and administrative penalties, under certain conditions and to a certain extent it may also constitute a crime under Article 235 of the ‘Criminal Law.’ This crime involves infringing upon the personal information of citizens, and the legal consequences include potential imprisonment for up to three years or detention, together with a fine, or a fine alone.
Answer: Violations of the Personal Information Protection Act may be subject to administrative penalties. At present, the legal database of PKU Law does not publish any administrative litigation cases involving administrative penalties under the Act.
Answer: The purpose of the Personal Information Protection Act is to protect the security of personal information and individual privacy, and therefore the subject of personal information is entitled to seek civil liability in tort from the perpetrator of a breach of the Act.
Answer: Foreign representative offices and foreign-funded enterprises may have concerns about signing standard contracts and filing registrations, as doing so may potentially disclose customer information and other trade secrets. This concern is not entirely unfounded. According to the Personal Information Protection Act, any company, including foreign-funded enterprises, is indeed required to disclose its affiliated companies, suppliers, or customers abroad when filing registrations with the Chinese government.
Answer: Currently, the signing and filing of personal information standard contracts should be the channel for personal information outbound compliance that the vast majority of companies, including domestic and foreign-funded enterprises, must follow.
Answer: Many businesses now have close communication with offshore customers, suppliers or parent companies. The manager of a business may talk to the parent company about an employee who is ill and calls in sick, or may report a client’s personal issue. This potentially involves the cross-border provision of personal information. The Personal Information Protection Act requires that companies in China follow one of the three pathways when providing personal information outside of China.
Answer: The “Personal Information Protection Act” (“the Act”) fills the legislative gap in China’s personal information protection. The General Data Protection Regulation (GDPR), enacted by the European Union in 2018, aims to protect personal information security, privacy, and dignity. The first article of China’s “Information Protection Law” specifies that the purpose of the Act is to safeguard the rights and interests of personal information, regulate personal information processing activities, and promote the reasonable utilization of personal information.