What does the newly implemented Personal Information Protection Act in China do?

Answer: The “Personal Information Protection Act” (“the Act”) fills the legislative gap in China’s personal information protection. The General Data Protection Regulation (GDPR), enacted by the European Union in 2018, aims to protect personal information security, privacy, and dignity. The first article of China’s “Information Protection Law” specifies that the purpose of the Act is to safeguard the rights and interests of personal information, regulate personal information processing activities, and promote the reasonable utilization of personal information.


According to Article 4 of the Act on the Protection of Personal Information, personal information refers to all kinds of information relating to an identified or identifiable natural person, recorded electronically or by other means, excluding information after anonymisation. In other words, all information that relates to identifying a specific natural person (Chinese or foreign, whether or not located in China), such as identity, contact information, qualifications, occupation, personal characteristics, property information, credit information, health and physical information, and activities, is personal information.


The basic principles of personal information protection are individual consent and necessity. In principle, the use of personal information requires the consent of the individual, especially in the case of sensitive personal information, the outbound transfer of personal information from China, etc. The use of another person’s personal information should be limited to what is necessary and should not exceed this limit. Sensitive information is personal information that, if leaked or used illegally, could easily lead to the violation of a natural person’s human dignity or endanger the safety of his or her person or property. It includes biometric information, religious beliefs, specific identity, medical and health care, financial accounts, whereabouts and trajectories, and other information, as well as the personal information of minors under 14 years of age (Article 28 of the Act).


As a result, all businesses as well as individuals currently in China may be affected by the Act.


Companies’ employment management may be affected. Although the Act has exceptions for information related to the management of employees, from a strict compliance perspective, the collection and storage of employees’ personal information, such as name, date of birth and curriculum vitae, should be included in the employment process management. Any employment contract and company policies should stipulate that the company has the right to collect and store personal information about the employee and report it to affiliated companies for the purpose of staff management.


The Act is particularly relevant to businesses that provide products or services to, or analyse and assess the behaviour of, natural persons in China. These typically include businesses and individuals that have products or services for sale to natural persons in China (e.g. car companies such as Tesla), and any business or individual that provides registration or subscription for natural-person users in China (e.g. WeChat, mobile application software companies, website platforms, etc.).


We are preparing a series of articles on this topic involving the outbound transfer of information, standard contracts and registration for personal information, and civil, administrative and criminal liability for breaching the Act. Please stay tuned.