China: Operationalising PIPL Part one: Data Subject Rights
The Personal Information Protection Law ('PIPL') devotes a separate chapter to the rights of data subjects and to the obligations that data handlers (see footnote 1) must fulfil when data subjects exercise those rights. Data handlers therefore need to understand which statutory rights the PIPL grants to data subjects and what they must do to meet the resulting compliance challenges. Carol Sun and Jeff Wang, from YuandaWinston China Law, outline data subject rights under the PIPL and what those handling personal information need to consider in order to remain compliant with data protection legislation.
Quick overview on data subject rights in China
The concept of 'data subject rights' is not new under the legislation of the People's Republic of China ('PRC'). Before the PIPL, a number of laws, administrative regulations, general national standards, and industry standards already addressed the rights to which data subjects are entitled in relation to their personal information.
That said, most of these laws and standards remain general and therefore lack detailed guidance on how data subjects should exercise, and how data handlers should respond to, those rights.
The exception is the Standard GB/T 35273-2020 on Information Security Technology – Personal Information Security Specification ('the PIS Specification'), one of the most important standards in personal information handling practice. It provides comparatively detailed explanations of how data subject rights are exercised and proposes corresponding obligations for data handlers. Nevertheless, as a recommended (rather than mandatory) national standard, the PIS Specification is guidance on good practice and has no legally binding effect on data handlers.
Data subject rights under the PIPL
With the enactment of the PIPL, the data subject rights introduced by earlier legislation and standards have been consolidated, and in some respects supplemented, in a single law.
Under the PIPL, the rights of data subjects include the following:
Right to be informed (Articles 17, 18, 44, and 48 of the PIPL)
Data subjects have the right to be informed of handling activities. In particular, the PIPL requires data handlers to provide the following information to data subjects before handling their personal information:
- the identity and contact details of the data handler;
- the purposes and methods of the handling;
- the type of personal information to be handled and the storage period;
- the methods and procedures for data subjects to exercise their rights;
- other information that is required to be informed by laws and regulations; and
- changes to the above, if any.
If the above information is provided through a privacy policy, that policy should be made public and be easy to access and save. Data subjects have the right to request an explanation of the policy.
By way of exception, the PIPL provides that where a law or regulation requires the handling of personal information to be kept confidential, or exempts it from notification, the data handler is relieved of the above obligations.
Right to determine, restrict, and refuse data handling (Article 44 of the PIPL)
Data subjects have the right to decide whether to permit the handling activities proposed by a data handler, and the right to restrict or refuse all or part of those activities.
However, it remains for PRC legislators to clarify how a data subject may exercise these rights, particularly where the handling relies on a legal basis other than consent.
Right of access and request a copy of personal information (Articles 18, 35, and 45)
Data subjects have the right to access and obtain a copy of their personal information. The PIPL excepts from this right cases where a law or regulation requires the handling of personal information (whether carried out by government authorities or by other data handlers) to be kept confidential or exempts it from notification.
Right to rectify and supplement (Article 46 of the PIPL)
Where personal information is inaccurate or incomplete, data subjects have the right to request that the data handler rectify or supplement it in a timely manner, after the data handler has carried out the necessary verification.
Right to delete (Article 47 of the PIPL)
Data subjects have the right to request deletion of their personal information where the data handler has failed to delete it on its own initiative after one or more of the following circumstances arises:
- the purposes of data handling have been achieved, or have failed to be achieved, or it is no longer necessary for achieving the purposes;
- data handlers have ceased to provide the products or services, or the agreed storage period has expired;
- data subjects have withdrawn their consent;
- data handlers have violated applicable laws or regulations or any agreement relating to the handling of personal information; or
- other situations provided for by law or regulation.
Notably, where a retention period prescribed by another applicable law or regulation has not yet expired, or where deletion is technically infeasible, the data handler must instead cease all handling of the personal information other than storing it and applying the security measures necessary to protect it.
Right of portability (Article 45 of the PIPL)
As an important change introduced by the PIPL, data subjects are granted the right to request that their personal information be transferred to another data handler of their choosing, provided that the request satisfies conditions to be set by the Cyberspace Administration of China ('CAC').
However, the details of how this right is to be exercised are pending further clarification. In particular, the CAC conditions have yet to be published, and the scope of personal information that may be ported is also unclear.
Right relating to automated decision-making (Article 24 of the PIPL)
Where personal information is used for automated decision-making and the resulting decision may have a material impact on an individual's rights and interests, data subjects have the right to request an explanation of the handling activity and to refuse a decision made solely by means of automated decision-making.
Similarly, where automated decision-making is used for information push or commercial marketing, data subjects have the right to refuse such handling.
Right of the deceased (Article 49 of the PIPL)
In respect of a deceased person's personal information, the rights of access, copying, rectification, and deletion described above may be exercised by his or her close relatives, in pursuit of their own lawful and legitimate interests, unless the deceased made other arrangements in advance.
What should data handlers do?
The PIPL imposes a general obligation on data handlers to set up a convenient mechanism through which data subjects can exercise their rights.
Based on our experience, and taking into account the relevant guidance in the PIS Specification, we recommend that data handlers take action in the following areas:
Review/set up the channel for data subjects raising their requests
Ideally, this channel should allow data subjects to carry out certain operations on their personal information themselves (e.g. deletion, rectification, access, and obtaining a copy). Alternatively, data handlers could publish the contact details of a dedicated team or individual responsible for handling data subjects' requests.
Review/set up the channel for receiving and tracking complaints
Such a channel helps data handlers assess whether they have responded properly to data subjects' requests and, importantly, gives them the opportunity to take remedial action and address complainants' concerns before the matter is escalated to regulators.
Follow up with further development of the PIPL
Data handlers should monitor further developments under the PIPL. For instance, PRC legislators are expected to clarify the details of data subjects' rights to decide, restrict, and refuse, as well as the right of portability, and those clarifications may affect data handlers' existing practices.
Keep records on the responses made to data subjects
The PIPL leaves data handlers some room to reject requests from data subjects (on legitimate grounds to be further specified by law). At the same time, data subjects may bring legal action against data handlers if they consider that their rights have not been properly protected. It is therefore important for data handlers to keep detailed written records of their responses to data subjects, especially rejections, since such records may form a strong defence in a dispute with a data subject or in a compliance investigation initiated by regulators.
Conclusion
The PIPL comes into effect on 1 November 2021, and data handlers operating within its scope urgently need to evaluate whether they comply with its requirements.
Among other areas, we expect the handling of data subject requests to be one of those most likely to expose data handlers to non-compliance risk. We therefore suggest that data handlers review and, where necessary, rectify their related practices as soon as possible so that this risk can be substantially mitigated.
Carol Sun
Partner
[email protected]
Jeff Wang
Counsel
YuandaWinston China Law, Shanghai
1. 'Data handler' is a concept codified in the PIPL. It refers to an organisation or individual that independently determines the purposes and methods of handling personal information (similar to the concept of 'data controller' under the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR')). Under the PIPL, 'handling' includes the collection, storage, use, processing, transmission, provision, public disclosure, and deletion of personal information.