Macau: Interplay and differences of the PIPL and the PDPA
China's Personal Information Protection Law ('PIPL') came into force on 1 November 2021 and directly affects data transfers between Macau and China. Bruno Nunes, Managing Partner at BN Lawyers, explains the impact of the PIPL on data transfers between Macau and China and discusses key differences between the PIPL and Macau's Personal Data Protection Act (Act 8/2005) ('PDPA').
The PIPL has extraterritorial effect: it governs the processing of personal information of individuals located in China regardless of whether the entities processing that information are themselves located in China.
The PIPL is applicable to the following processing activities:
- processing, within China, of personal information of natural persons; and
- processing, outside of China, of personal information of natural persons who are in China, if such processing is:
- for the purpose of providing products or services to natural persons in China;
- to analyse/evaluate the behaviour of natural persons in China; or
- other circumstances prescribed by laws and administrative regulations.
Cross-border transfers of personal information may only be made for legitimate purposes, such as genuine business needs, and the transferring party is obliged to take the measures necessary to ensure that the overseas recipient's processing activities meet the protection standards set out in the PIPL.
In addition, several requirements must be met for such a transfer to be lawful, namely:
Legal basis
The legal basis for cross-border transfers of personal information under the PIPL includes:
- obtaining a personal information protection certification from a specialised institution in accordance with the rules of the Cyberspace Administration of China ('CAC');
- passing a security assessment organised by the CAC where the transferring party is an operator of critical information infrastructure ('CII'), or where the volume of personal information processed reaches the threshold specified by the CAC;
- entering into an agreement with the overseas recipient based on a standard contract form provided by the CAC; or
- other conditions provided by laws, administrative regulations, or the CAC.
Separate consent
Data subjects must be notified of the following matters and give their separate consent to the cross-border transfer of their personal information:
- the name and contact details of the overseas recipient;
- the purposes and methods of the processing;
- the types of affected personal information; and
- the methods and procedures for exercising the rights provided in the PIPL with the overseas recipient.
Risk assessment
A personal information processor must assess the impact of the export in advance and keep records of that assessment. The assessment must cover:
- whether the purpose and means of processing are lawful, justified, and necessary;
- the impact on personal rights and interests, as well as security risks; and
- whether protective measures taken are lawful, effective, and proper for the risk level.
Localisation of data
The PIPL requires CII operators, and processors whose volume of personal information reaches the threshold set by the CAC, to store personal information collected and generated within China domestically. Where export of that information is genuinely necessary, the transfer must pass the security assessment organised by the CAC, unless laws, administrative regulations or the CAC provide otherwise.
Other restrictions on data transfers
Authorities may prohibit a foreign individual or organisation from receiving personal information, if such recipients engage in processing activities that are deemed to harm personal interests and/or rights of Chinese citizens or harm national security or public interests.
Moreover, companies are strictly prohibited from providing personal information stored within China to foreign judicial or law enforcement institutions without the approval of Chinese authorities.
Impact of the PIPL on data transfers between Macau and China
If a Macau company processes personal data of individuals within China's territory in order to provide products or services to individuals in China, or to analyse and evaluate the activities of individuals in China, the PIPL applies.
Institutions or individuals based in Macau must therefore observe the requirements described above when they process personal data within China, or process personal data outside China for the purpose of providing products or services to individuals within China.
Institutions or individuals based in Macau will further need to obtain separate consent from individuals for the transfer of their personal information, and must enter into the standard contract issued by the authorities overseeing cyberspace matters, fulfilling the requirements set out in the other laws and regulations established by those authorities.
Processors outside China that fall within the PIPL's extraterritorial scope must also establish a dedicated entity, or appoint a designated representative, within China to be responsible for matters related to personal information. The name and contact details of that entity or representative must be reported to the competent authorities.
Although the PIPL imposes obligations to implement data security measures, to carry out risk assessments and evaluation reports, to designate a person in charge of data security, and to obtain prior authorisation from the competent Chinese authorities before certain data transfers, the impact on Macau entities is expected to be mitigated, since the principles of the PIPL and the PDPA are similar.
Differences in definitions between the PIPL and the PDPA
By comparison, the PIPL affords extra protection over sensitive personal information.
The PIPL defines 'sensitive personal information' as personal information that, once leaked or used illegally, may easily lead to infringement of the personal dignity of natural persons or harm to their personal or property safety. It includes biometric identification, religious belief, specific identity, medical and health, and financial account information, whereabouts and tracking data, among others, as well as the personal information of minors under the age of 14.
According to the PIPL, sensitive personal information may only be processed:
- if strict protection measures are put in place and there is sufficient necessity to justify the processing;
- if individuals are informed of
- the necessity of processing; and
- the impacts of processing on the rights and interests of individuals, unless the processing is required by law to be kept confidential or notification is otherwise not required.
- if separate consent is obtained (the processing of sensitive personal information requires separate consent from individuals, and where laws and administrative regulations so provide, written consent must be obtained and documented); and
- if a security impact assessment is made before processing sensitive personal information.
Under the PDPA, sensitive personal data is defined as personal data relating to philosophical or political beliefs, membership of a political association or trade union, religion, private life and racial or ethnic origin, together with data concerning health or sex life, including genetic data. The PDPA permits the collection and processing of sensitive personal data, including health data, namely where the data subjects give their unambiguous consent; where a legal provision or regulation expressly authorises it; or where the processing is essential for the exercise of the legal or statutory rights of the controller and has been authorised by the public authority on grounds of public interest.
Differences in the scale of fines and reasons for fines between the PIPL and the PDPA
As regards sanctions for infringements, both the PIPL and the PDPA grade the sanction according to the seriousness of the circumstances of the infringement. However, the PIPL significantly raises the level of penalties that can be imposed for unlawful processing of personal information.
The administrative sanctions provided for in the PIPL have a stronger deterrent effect, as the maximum fine may be calculated as a percentage of the offender's annual turnover. The PIPL's fines are considerably higher than those provided for in the PDPA.
The PIPL provides severe penalties and fines for non-compliance and violation:
- fines of up to CNY 1 million (approx. €138,830) for the relevant entity, and of CNY 10,000 to CNY 100,000 (approx. €1,390 to €13,880) for the persons directly in charge and other directly responsible individuals; and
- in serious cases, fines of up to CNY 50 million (approx. €6,940,400) or 5% of the previous year's turnover for the relevant entity, together with suspension or shutdown of business operations or revocation of the business licence, and fines ranging from CNY 100,000 to CNY 1 million (approx. €13,880 to €138,830), plus additional restrictions, for the individuals in question.
By comparison, the maximum fine under the PDPA is MOP 100,000 (approx. €13,881), applicable to entities that fail to comply with the obligation to notify the authority of the processing of personal data, that provide false information, or that, even after notification by the public authority, continue to provide access to open data-transmission networks to controllers who do not comply with the provisions of the PDPA. The fine may be doubled where the processing of personal data is subject to prior authorisation (for example, processing of sensitive data).
Different methods of sanctions between the PIPL and the PDPA
Compared to the PDPA, the sanctions of the PIPL are more comprehensive and include:
- orders for rectification, warning, confiscation of illegal gains, suspension or cessation of service, cessation of operation for rectification, and revocation of operating permits or business licenses;
- that the person in charge or other directly liable individuals may also be held individually liable and fined, or prohibited from acting as directors, supervisors, senior managers or data protection officers; and
- that, where a processing activity infringes the rights or interests of a large number of individuals, a public interest action may be brought by the People's Procuratorate (the public prosecution authority of the People's Republic of China) or by other organisations authorised by law.
According to the PDPA, additional penalties include:
- the temporary prohibition of the collection or processing of personal data;
- an order to partially or fully erase the unduly collected data;
- the publication of the judgment against the infringing entity in the Macau newspapers; and/or
- a public warning or censure of the infringing entity.
As under the PDPA, violations of the PIPL may also give rise to liability under Chinese civil and criminal law or administrative regulations, depending on the circumstances.
Changes that companies will need to make to remain compliant
The PIPL presents new compliance challenges for Macau companies doing business in China. Companies will need to adopt new procedures to meet the requirements set out by the PIPL, including:
- conducting a comprehensive review of personal information processing activities and controls around the processing and export of personal information to evaluate whether relevant activities align with the PIPL;
- reevaluating existing data security and breach notification procedures against the PIPL and making additions or adjustments where necessary; and
- assessing current records and procedures relating to individual consent and determining whether additional consent, such as individual consent to transfer personal information abroad, needs to be obtained under the PIPL.
As noted above, the PIPL applies extraterritorially, so these obligations reach Macau entities that process the personal information of individuals located in China even where no processing takes place in China.
The PIPL imposes various obligations on the processors of personal information, including obligations to:
- formulate internal management systems and operation procedures;
- implement classified management of personal information;
- adopt corresponding technical security measures, such as encryption and de-identification;
- reasonably determine the operational authorisations for personal information and provide regular security education and training for operational staff;
- formulate and implement response plans for security incidents relating to personal information;
- conduct regular compliance audits; and
- adopt other security measures as stipulated by laws and regulations.
Certain companies (processors of sensitive personal information, providers of important internet platform services, and businesses with complex types of processing) are subject to additional obligations, such as appointing a data protection officer and/or an independent supervisory body and conducting personal information protection impact assessments for their processing activities.
In practical terms, companies should implement technical measures to protect personal information, including data classification, encryption and de-identification, communicate their data privacy compliance policies to employees, and provide training on a regular basis.
It should be noted that failure to comply with the PIPL may result in severe administrative penalties, including large fines, and may even expose companies to civil lawsuits by private individuals.
Bruno Nunes Managing Partner
BN Lawyers, Macau