Successfully reported this slideshow.
Your SlideShare is downloading. ×

CHINA PIP LAW ppt.pptx

Upcoming SlideShare
GDPR Presentation
GDPR Presentation
Loading in …3

Check these out next

1 of 34 Ad

More Related Content

Similar to CHINA PIP LAW ppt.pptx (20)

Recently uploaded (20)


CHINA PIP LAW ppt.pptx

  1. 1. D A T A P R O T E C T I O N China’s Draft ‘Personal Information Protection Law’
  2. 2. General meaning of Personal Data In daily lives we give our personal data which is also known as personal information to somewhere or the other. Personal data is the data which identifies an individual who owns that data. For example while purchasing anything online, while signing on the applications, while using online payment modes, etc. Personal Data / information includes: A name or surname  Home address  Office address  An email address  An ID card number [aadhar card number, PAN number, passport]  An IP address  Information held by a hospital, etc.
  3. 3. Personal data under the draft Personal data is defined under the draft: Individual data is a wide range of data recorded by electronic or different means identified with distinguished or recognizable normal people, excluding data after anonymization taking care of. Individual data dealing with incorporates individual data assortment, stockpiling, use, preparing, transmission, arrangement, distribution, and other such exercises. Personal information handling Individual data controllers may just deal with individual data where they adjust to one of the accompanying condition: • Getting people’s assent • Where important to close or satisfy an agreement wherein the individual is an invested individual • Where important to satisfy legal obligations and obligations or legal commitments • Where important to react to unexpected general wellbeing episodes or ensure regular people’s lives and wellbeing, or the security of their property , under crises conditions • Taking care of individual data inside a sensible extension to execute news detailing, popular assessment oversight, and other such exercises for the public interest • Different conditions gave in laws and authoritative guidelines
  4. 4.  Biometric data  Health concerning data  Philosophical beliefs  Political opinions  Religious opinion, etc Types of sensitive personal data: • Personal information • Business information • Classified information Sensitive Personal data needs more protection because of its sensitive nature. It has to be processed differently from the other data and there is a clear distinction between sensitive personal data and non-sensitive personal data made by GDPR. General meaning of sensitive personal data
  5. 5. . Sensitive personal data under the Draft The expression “sensitive personal data” under the draft PIP law is characterized as individual data of which spillage or unlawful use might prompt prejudicial therapy or genuine harm to individual or property wellbeing, including race, nationality, strict convictions, individual biometrics, clinical wellbeing data, monetary records, and individual location/whereabouts, and so forth. The draft PIP law gives more limitations on the handling of delicate individual data. An individual data processor can possibly deal with sensitive personal information on the off chance that it has explicit purposes and such preparing is adequately fundamental, yet the draft PIP law doesn’t give further translation of what comprises “explicit purposes” and “sufficiently necessary”. Sensitive personal information handling  Individual data oversees might deal with delicate individual data just for explicit purposes and when adequately important/necessary.  When dealing with delicate individual data depends on individual assent, individual data oversees will get independent assent from the person.  When individual data oversees handle sensitive personal data, aside from the prerequisites of article 18 of the law, they will likewise tell the person about the need of sensitive personal data taking care of , as well as the impact on the person.  Where laws or authoritative guidelines give that significant regulatory licenses will be gotten or stricter limitation forced for the treatment of delicate individual data, those arrangements are followed.
  6. 6. Scope and Applicability The draft PIP just indicates responsibility and consistence necessities on “individual data processor” that refers to associations or people that autonomously decide the reason, extension, scope, and strategies for preparing of individual information. This law applies to state organs’ exercises of taking care of individual data; where this section contains explicit arrangement, the arrangements of this part applies. State organs taking care of individual’s data to satisfy their legal obligations and obligations will lead them as per the forces and strategies gave parents in law and managerial guidelines; they may not surpass the extension or degree important to satisfy their legal obligations and responsibilities. Individual data took care by state bodies will be stored within the boundaries of the people’s republic of China; where it is important to give it abroad, a danger appraisal will be led. Application divisions might be needed to offer help, support and assistance for hazard evaluations. Extraterritorial Application Global organizations might be generally intrigued by the considered extraterritorial jurisdiction of the draft PIP law, which may expand consistence hazard for unfamiliar organizations that have working subsidiaries in China or don’t have a legitimate presence in China yet provide products or administrations to Chinese people. The draft would apply to company overseas: That interaction individual data of people in China to provide products or administrations to them;
  7. 7.  Material scope Data or any information which is considered as personal data is protected under the draft. It is the sole responsibility of the data user to safeguard and protect the personal data that they collect.  That investigate and evaluate the exercises of people in China through the assortment of individual data; or  For different purposes indicated by laws and regulatory guidelines. Furthermore, the draft PIP law additionally looks like the GDPR arrangement and requires seaward processors that cycle individual data of people in the PRC to build up an assigned office or delegate an agent in the PRC to be answerable for individual data assurance in the PRC. Name and contact data of such office or agent ought to be submitted to the controllers. This law will applies to associations and people’s taking care of individual data exercises of normal people inside the boundaries of people’s Republic of China. Where one of the accompanying conditions is available in taking care exercises outside the line of people’s republic of China of personal data of regular people inside the lines of the people’s republic of China, this law applies too; •Where the object id to give items or administrations to regular people inside the lines; •Where directing examinations or evaluations of activities of normal or regular people inside the boundaries •Other situations provides in law or administrative guidelines. Repeating the GDPR abroad processors if individual data that fall inside the extraterritorial extent of the PIP law should build up “uncommon foundation or assigned delegates” inside the territory of China to manage PIP law matters for the benefit of the abroad element.
  8. 8. General meaning of consent As we all know that there is a requirement of consent when we use something of someone. Consent means giving people a real choice and control over how you use their data. The consent which has no real choice, that does not considered as a free consent and it will be invalid. A person is said to be given a free consent when he is not bound by anything or anyone and must be able to withdraw consent easily anytime whenever he wants to. It also means that consent should be boundless or unbundled from other terms and conditions. Consent under the draft If the data subject would like to use the data collected for some different purpose other than then that for which it is collected, the data subject must obtain the prescribed consent of the person whom data they are using and the consent must be free [voluntarily]. This means that the person has given their consent on their behalf. If the data user is not able to give the consent, a person who is minor [that is below the age of 18] in that situation, parents of that person is responsible for giving the consent on the behalf of that person. Before a data user can use a data subject’s personal information or data for marketing purposes, the user must obtain his/her consent. This consent must be given orally or in written form.
  9. 9. Consent for taking care of individual personal data will be given by people under the precondition of full information, and in a deliberate, voluntary and explicit proclamation of wishes. Where laws or managerial guidelines give that separate consent or written consent will be acquired to deal with individual data, those arrangements are followed. Where a change happens in the purpose of handling the personal data of an individual, the dealing with strategy, or the classes took care of individual data, the person’s consent shall be acquired once more. Without the consent of the individual data controller, and endowed party may not further depend individual data taking care of to different people. Individual data controller will, where it is important to move individual data because of consolidation, partitions, and other such reason, inform people about the accepting party’s personality and contact technique. Where the receiving side changes the first taking care of direction or dealing with strategy, they will advise the individual again as given in this law and acquire their consent. Where the reason at the time the individual data was distributed isn’t clear, individual data collectors will deal with distributed personal data in a sensible and careful way; for activities using distributed personal data affecting people, the individual will be told by the arrangements of the PIP law, and their consent obtained. An individual also have the right to revoke or withdraw hid consent of individual data taking care of exercises conducted based on person’s consent. Without the consent of the personal data handler, a dependent party may not further entrust individual data handling of to another person. When the personal information handlers provide the information to third party, they shall notify the individual about the identity of third party which includes their name, contact details, there data receiving and handling method, ad obtain an individual consent for it. In the case of processing sensitive personal data, the handler shall obtain separate consent from the individual. That too in written form were provided by laws or administrative regulations. When state organs handles personal data for the purpose or reason to fulfill statuary duties and responsibilities shall notify the data owner according to the provisions of this law and must obtain their consent. When the personal data is provided by the personal data handlers outside the border of People’s Republic of China, they should inform the individual about the data receiver outside and must obtain separate consent the same. It is clearly mentioned in the draft that if the data handler rescinds his consent, personal data handlers shall, dependent on individual’s request, delete personal information.
  10. 10. Principles According to the PIP draft there are some there are some basic principles that must be followed for the processing and functioning of personal data or information: • The principle of legality and goof faith Personal data or information of an individual should be processed in accordance with the criteria or principle of legality, appropriateness, necessity, need and good faith. The PIPL underlines that personal data must not be handled through deceiving, fake, fraudulent or coercive manner or strategies. • Clear and reasonable purpose Purpose that is both clear and reasonable. Personal data processing should have a clear, fair, sensible and reasonable purpose that is directly connected to the processing purpose. The processing personal data should be prepared in a manner that has a least impact on personal rights of an individual. Personal information should be collected only to the that extent which is necessary for the intended purpose, and unreasonable collection of data or information is not permitted under the draft. • Transparency and openness The processors of personal information must explicitly disclose or reveal the personal data processing rules, the purpose of processing the information, the processing mechanism and the processing scope of the same.
  11. 11. • Quality assurance To avoid any detrimental impact on personal rights and interest caused by inaccuracy and incompleteness of personal information, the quality of personal information must be protected when it is processed. Furthermore, the processors are responsible for taking precautions to protect the security and privacy of personal data or information. • Illegality Unlawful acquisition, use, processing, and transfer of personal data, as well as the illegal sale, supply, and publishing of personal information, are all banned for both entities and people. Processing actions that jeopardise national security and the public interest are strictly banned. The PIPL further refines the standards and principles and personal data processing rules to be followed in the security of individual data, explains the limits of rights and obligations in processing activities of personal information and further develops the framework and method or mechanism for personal data security and protection.
  12. 12. Enforcement Where it is required to transmit personal data outside the borders of PRC (People’s Republic of Chins) for global legal help or administrative law enforcement help, an application must be made with the appropriate competent agency for permission, according to the legislation. Regarding the PIPL, at the same time as government’s organs and its data protection authorities are getting ready to deal with it. What actions are required by the PIPL one it enforced is the question. Answering that, there are some actions which is required by PIP law such as: • Creating internal management structure and rules within the organization to handle data and to manage the handling of data within the organization. • Adopting corresponding technical security measures that would include physical measures like safety but, of course also cyber measures software limiting the access to data to on a need to known basis within the organization and encryption etc. • Determining operational limits for personal information handling. • Regularly conducting security education and training within the organization for employees that have access to data. • Formulating security incident response plans In all over the world many countries still don’t have any law related to data protection. China has also started looking into data related law which subsequently result with several legislations implemented or drafted for public consultation in the last few years. Personal Information Protection (PIP) law just closed for public opinion and expected to be finalised in later in 2021. The government which is responsible for the enforcement of this law is CAC (Cyberspace Administration China)
  13. 13. Internal transfer of information Under the draft, it is mentioned under Article 38 that if the data processor has to transmit personal data beyond of PRC for business or any other purpose, the data processor must meet at least one of the following requirements: • Passing a security assessment determined by the CAC (Cyberspace Administration China) which is the government department that is responsible for the enforcement of this law • CAC as per Article 40 of the draft of PIPL, which necessitates that administration of Critical Information Infrastructure (CII) 1 and that move a specific volume of personal data of an individual (to be determined by CAC) should locally store personal data collected and created in PRC and should go through a security assessment if the cross-border transfer id necessary, except if such security evaluation is not needed by laws, administrative regulators and CAC rules • Obtaining a certification provided by the CAC • Establishing an agreement with the foreign receiving party (this is something that would be in the control of data handler without the need of government approval) • Other conditions provided in laws, administrative regulations, or by the CAC The regulations governing cross-border information transmitting are a major source of worry for many international corporations doing business in the PRC. In general, the PIPL requires personal information processors to take the appropriate steps to ensure that the actions of foreign receiver in processing personal data comply with the PIPL’s personal information protection requirements.
  14. 14. Besides the above general requirements, Critical Information Infrastructure Operators (CIIO) or personal information processing companies that processes up to the amount authorized by the national cyberspace administration should keep personal data within China in addition to the above general requirement. As a result, that applicant must pass the national cyberspace authority’s security assessment before they may provide such information to an overseas recipient, if it is necessary. Beyond the criteria, they urge that firms pay attention to any specific rues or advice that may be imposed by ralavent agencies. Automobile data processors that hold critical data may only send data overseas if it is absolutely necessary and only after passing a data outbound security assessment established by the national cyberspace authority. Individuals and organizations are not permitted under Article 41 of the PIPL to transmit personal data held in China to foreign law enforcement authorities without the prior consent of the appropriate Chinese authorities. It is unclear how data “stored within China” is defined and how a “data processing” company may request for permission at this time; the actual implementation of such provision would most likely depend on further precise laws or measures released by the appropriate regulatory agencies. Even if a processor is permitted to transfer personal information to an offshore party, it must notify individuals of at least the following information: the offshore recipient's identity and contact information; the purposes and means of processing; the categories of personal information to be transferred; and the means to exercise rights under this law against the offshore recipient. Furthermore, for such cross-border transfers, the processor must seek individual consent from everyone.
  15. 15. Data breach Data breach is a security incident in which sensitive protected or confidential data is copied, transmitted, viewed, stolen or used by an individual and unauthorized to do so. In the incident of data breach it might involve the loss or damage of financial information, social media account, band accounts, credit card or debit card details, personal medical information, email address, passwords, necessary documents, and other confidential information which is really private to an individual. Many jurisdictions have past data breach notification laws requiring a company that has been subject to a data breach to inform customers and take other steps to remediate possible injuries, this may include incidents such as theft or loss of digital media such as computer tapes, hard drives or laptop computers containing such media upon which such information is stored unencrypted. Posting such information on the world wide web or on a computer otherwise accessible from the internet without proper information security precautions cause those damages.
  16. 16. Data breaches present position under PIPL Proposed amendments regarding necessary breach notification • Definition of “personal data breach” • Notification threshold • Notification timeframe • Mode of notification
  17. 17. Lawful processing of personal data A data user must have to collect data from a data subject for a lawful purpose. For which a data subject is giving his consent to data user to use his personal data that processing must be lawful and trustworthy. A data user may collect personal information of a data subject on if: • The personal information on an individual is collected for a lawful purpose which is directly related to the event of exercise of the data user who is to use the personal data. • It should be mandatory that the collection of personal data is for and directly related to that purpose for which he has given his voluntary consent. • The personal data is sufficient or adequate, but not excessive in relation to that purpose. • There must be a fair and reasonable processing of personal data of an individual. • Personal data shall be processing to only that purpose which is clear, specific, direct and lawful. • There must be a collection limitation which means that only necessary personal data must be collected, and the collection must be limited to such data. • Personal data may be processed, if necessary, situation occurred such as to respond to any medical emergency, to take measure to provide health services to any individual an epidemic or pandemic, to ensure the safety on a personal during the situation of any disaster or any breakdown of public order, necessary for the employment etc. • Processing of sensitive personal data based on explicit content, for certain functions of the state, for any order of the court or tribunal, for prompt action [medical emergency], processing of personal sensitive data of children, etc.
  18. 18. Moreover, if the personal data will be used or transferred for direct marketing purposes or any other purpose which is not included in the original collection purpose or a directly related purpose , consent is required for that. Data subject have the right to ask a data user to stop using or transferring the personal information for direct marketing purposes, and the data user must observe or comply with such requests. Companies that violate the PIPL are liable to administrative, civil, and criminal penalties, as described below. Administrative penalties. In the case of a violation of the PIPL, personal information protection authorities may issue a rectification order or a warning, and any unlawful gains may be confiscated. Services for the relevant apps may be suspended or terminated. Companies and their accountable executives that refuse to correct violations may face extra penalties. Serious violations may result in the suspension of business activities, the termination of a business certificate, and the imposition of a fine of up to RMB 50,000,000 or 5% of annual revenue. Fines and bans from accepting management or personal information protection responsibilities in other firms may be imposed on responsible executives. In line with the applicable rules, PIPL breaches may also be made public and recorded in the social credit records of the relevant firms. Civil liability. If the processing of personal information in violation of an individual's rights causes injury and the personal information processor cannot demonstrate that it is not at fault, the processor may be held responsible for damages and other civil penalties. If a substantial number of people are affected, designated consumer groups may file a lawsuit on their behalf. Criminal Responsibility. Violations of the PIPL that constitute criminal crimes may result in criminal prosecution.
  19. 19. Individual rights under the PIP draft Individual rights before data handling under the draft: • To know that the data is being handled • To decide, if the data id going to be handled • To limit the purpose of handling the data • To refuse to handle the data Data subject’s rights one the data is handled: • To access the data • To copy the data • To correct or complete the data, if required • To delete the data and once it has been done there is also a right to be forgotten
  20. 20. Individual rights. When it comes to personal information processing activities, this law codifies the individual's rights such as the right to know and to restrict or reject others' processing of personal information, as well as the right of inquiry and request a copy of personal information from processors. Those that process personal data are required to provide persons with a simple way to exercise the rights listed above. Individuals also have the right to revoke their consent to personal information handling actions done with their consent. They must agree on the rights and duties of each when two or more handlers of personal information make a joint decision on a personal information handling purpose and method. As a result of this agreement, an individual is still free and clear to demand that any personal information handler comply with all this Law's obligations. Personal information controllers are jointly liable if they infringe on personal information rights and interests. It is a person's right to ask personal information handlers to explain how automated decision making affects their rights and interests, and it is also their right to reject that personal information handlers make choices exclusively based on automated decision-making techniques. When talking about the regulations on the cross-border provisions of personal information one of them is that conclusion of an agreement with a foreign receiving party, agreement on both parties' rights and duties, and supervision of their personal information handling activities to ensure compliance with the personal information protection standards set out in this Law. Where personal information handlers provide personal information outside of the borders of the People’s Republic of China, they must inform individuals about the foreign receiving party's identity, contact method and handling purpose as well as personal information categories, as well as how they can exercise their rights under this Law with the foreign receiving party. They must set up procedures to accept and process requests from persons seeking to exercise their rights. If they deny a person's request to exercise their rights, they must give a justification for doing so. The right to make a complaint or report regarding unlawful personal information handling practises is available to any organisation or individual.
  21. 21. Accountability The DPP5 requires data users to take all the reasonable measures to ensure that their personal information policies and exercises regarding personal data collecting, storing, transferring and using it. In the PDPO, accountability principles and other privacy management measures are not explicitly defined. In order to ensure compliance with the PDPO, the PCPD recommends organizations adopt privacy management system. The PCPD also recommends appointing data protection officers and conducting privacy impact assessments for this purpose. All feasible steps must be taken to safeguard personal data possessed by data users against unauthorized access, use, processing, erasure, lost, theft or disclosure. Breach notification has no mandatory requirement, but it is recommended that the PCPD (and the data subjects, where appropriate) be notified
  22. 22. If there is any kind of data breach and there is no proper mechanism that was being followed, the organization shall be accountable for that. The PDPO does not explicitly make certification or adherence to a code of prsctice a legal basis for cross-border transfers.
  23. 23. Data protection authority Privacy Commissioner for Personal Data (PCPD) is the authority which enforcing the PDPO in Hong Kong. Furthermore, the PCPD has additionally developed a number of codes of practice (available here) that provide practical guidance in relation to the requirements under the PDPO. If a data user breaches the code of practice, the presumption will apply to any legal proceeding under the PDPO, unless the data user can demonstrate that the requirement of the PDPO was actually complied within an alternative way. Various guidance notes has published by PCPD which referred to as good practice recommendations for protecting personal data in Hong Kong.
  24. 24. Regulatory authority PCPD is an independent statutory body established to supervise the enforcement of PCPD. As stated on its website, its main responsibility is to “ensure the protection of the privacy of individuals in terms of personal data by promoting, monitoring and supervising compliance with the PDPO.
  25. 25. Privacy Management The PCPD has upheld since 2014 for hierarchical data users to execute a Privacy management programme (PMP), in order to accept personal data assurance as a component of their corporate administration obligations and apply them as a basic all through the association. Recently, the PCPD reexamined and distributed its Privacy Management Program: a best practice guide (the PMP guide), which prescribes association to shape PMPs with three segment, specifically: Authoritative responsibilities Program controls Continues evaluation and update
  26. 26. To oversee the compliance with the PDPO and implementation of the PMP, the PMP guide encourages organizations to appoint a designated officer (i.e. a DPO). The DPO should either the owner of a small organization or a senior executive of a major corporation. The main responsibilities of a DPO is:  setting up and executing the PMP program controls, specifically tracking the association’s very own personal data, starting the beginning of occasional danger evaluation to all divisions, organizing and observing the treatment of data breach incidents.  auditing the adequacy of the PMP, for example setting up an oversight and survey plan for the PMP and overhauling the program controls where it is necessary.  if any problem is occurred, reporting it to the top management periodically on the organization’s compliance issues, problem encountered, and complaints received in relation to personal data privacy.
  27. 27. Responsibilities The PCPD has power to find relevant data users when it receives a complaint or has reasonable reasons to believe that an activity has contravened the relevant needs the PDPO. The PCPD also has the authority to review any personal data system used by a data user in order to obtain information that will assist the PCPD in making recommendations for compliance with the PDPO. The PCPD has to inform the respective data user in advance in writing of its intention to inspect or conduct an investigation, unless there are reasonable assumptions that this harm the purposes of the investigation. For investigation or inspection purposes, the PCPD may enter may enter into any premises with a court order or prior written notice. If the investigation confirms that the data user has violated a PDPO requirement, the PDPO can send the data user an enforcement notice to instruct him to take necessary steps to remedy the violation and to take reasonable legal steps. Compliance with an enforcement order is a criminal offence.
  28. 28. Moreover, if a data subject is harmed as a result of a breach under the PDPO, the PCPD may provide legal assistance to bring a claim against the relevant data user. In an investigation the PCPD will also try to resolve the issue in a less formal way through mediation or conciliation.
  29. 29. Data sharing Data users may not transfer personal data to third party without informing the data subject of the following at the time their personal data was collected or before it or before it was collected: That their personal data or information could be transferred The types of people the data could be transferred There are presently no restrictions on the transfer of personal data outside of Hong Kong, as the cross-border transfer restrictions outlined in the ordinance have yet to take effect. In the event that these restrictions come into force as right now drafted, they will have a critical affect upon outsourcing courses of action, intragroup information sharing courses of action, compliance with oversees reporting commitments and other exercises that include cross-border data exchange.
  30. 30. All things considered, non-binding best practice guidance distributed by the PCPD energizes compliance with the cross-border transfer restrictions in the ordinance, which disallow the exchange of personal information to outside Hong Kong unless, certain situations are met [counting a white list of jurisdictions; separate and intentional consent obtained from the information subject; and an enforceable information exchange understanding for which the PCPD gives proposed model clauses].
  31. 31. Anonymized data Anonymised data means data which removes all identifiers irreversibly and that data subject is no longer identifiable in any manner. It is an information which may be a sort of data sanitization in which information anonymization devices scramble or expel actually identifiable data from data sets from the reason of protecting a data subject’s privacy. This decreases the chance of unintended disclosure amid the exchange of data over boundaries and encourages assessment analytics post-anonymization. There is no such concept of anonymization within the PDPO. However, the PCPD distributes the guidance note titled Direction on Individual Eradication and anonymization which gives the information which is anonymised, to the degree that the data user will not be able to specifically of indirectly identify the individual concerned, will not be considered as [personal data] under the PDPO.
  32. 32. Anonymising data is therefore an alternative for taking care of an individual’s information which is not required for the purpose for which it was collected or stored, other than total erasure. Concluding that, anonymized data is not considered as “personal data” under Personal Data Privacy Ordinance PDPO.
  33. 33. Data localization Data localization means information localization or information residency law requires information around a nation’s citizens or inhabitants to be collected, handled, stored and/or put inside the nation, frequently some time before being transferred internationally.