“Consent” Requirement in China's PIPL
Authors: 李国楚, 徐天问 | Published: 2021-12-17
The Personal Information Protection Law (PIPL), which took effect on Nov. 1, 2021, is the first comprehensive national-level personal information protection law in China. The PIPL, together with the Cybersecurity Law, which took effect on Jun. 1, 2017, and the Data Security Law, which took effect on Sep. 1, 2021, forms the three significant pillars of China’s data protection legal regime.


The highlights of the PIPL include the scope of application (especially extraterritorial application), automated decision-making, personal information handlers providing important Internet platform services, cross-border data transfer (especially security assessment), notification of data incidents, individuals’ rights (especially the portability right), personal information handlers’ obligations, etc. Among all of these, this article aims to analyze the “consent” requirement in the PIPL.

 

01 Legal bases for personal information handling

 

Obtaining the individual’s consent is one of the most important legal bases for personal information handlers to deal with personal information. However, it is not the only one. Article 13 of the PIPL enumerates seven circumstances in which personal information handlers may handle personal information. Apart from obtaining the individual’s consent, the other six circumstances are the following.

 

(1)       It’s necessary to conclude or fulfill a contract in which the individual is an interested party, or it’s necessary to conduct human resources management according to lawfully formulated labor rules and regulations and lawfully concluded contracts. Human resources management didn’t exist in the second draft of the PIPL; it was added in the third draft, i.e. the final draft. The employer doesn’t have to get the employees’ consent to handle the employees’ personal information as long as such handling is for human resources management.

(2)       It’s necessary to fulfill statutory duties and responsibilities or statutory obligations.

(3)       It’s necessary to respond to sudden public health incidents or protect natural persons’ lives and health, or the security of their property, under emergency conditions.

(4)       Handling personal information within a reasonable scope to implement news reporting, public opinion supervision, and other such activities for the public interest.

(5)       Handling personal information already disclosed by persons themselves or otherwise lawfully disclosed, within a reasonable scope in accordance with the provisions of PIPL.

(6)       Other circumstances provided in laws and administrative regulations.

 

02 Valid consent

 

When the legal basis for the personal information handler is consent, this consent should be valid. This means the consent shall be given by the individual under the precondition of full knowledge, and in a voluntary and explicit statement (Article 14).

  PIPL requires the personal information handler to explicitly notify the individual truthfully, accurately and fully of the following items – the name or personal name and contact information of the personal information handler, the purpose of personal information handling and the handling method, the categories of handled personal information and the retention period, methods and procedures for the individual to exercise the rights provided by PIPL, and other items that laws or administrative regulations provide shall be notified (Article 17).

Such notification should be made in clear and easily understood language. When these items change, the individual shall be notified. If these items were notified through the method of formulating personal information handling rules, the handling rules shall be public and convenient to read and store (Article 17).

 

03 Consent withdrawal

 

The PIPL clearly stipulates that the individual has the right to withdraw their consent and that personal information handlers are required to provide a convenient way for the individual to withdraw (Article 15). Personal information handlers are forbidden to refuse to provide products or services on the basis that the individual does not consent to the handling of the personal information or withdraws the consent, except where handling personal information is necessary for the provision of products or services (Article 16). This Article reflects the general principles of the PIPL: necessity (Article 5) and the smallest scope (Article 6).

 

04 Separate consent

 

Separate consent is opposed to “bulk consent”. It is not clear how to implement the separate consent requirement in practice, even though some legal professionals predict that a separate pop-up window will likely suffice. To handle personal information, separate consent from the individual is required in the following circumstances.

(1) Providing personal information to a third party (Article 23)

In this situation, the personal information handler should notify the individual about the name or personal name of the third party, the contact information of the third party, the handling purpose, the handling method and the personal information categories. Then the personal information handler should obtain the individual’s separate consent. It’s not clear whether an intra-group transfer constitutes a transfer to a third party.

(2) Public disclosure of personal information (Article 25)

(3) Personal information collected by devices installed in public areas if used for purposes other than public security (Article 26)

The installation of image collection or personal identity recognition equipment in public areas shall occur as required to safeguard public security and observe relevant State regulations. Clear indicating signs shall be installed. Collected personal images and personal distinguishing identity characteristic information can only be used for the purpose of safeguarding public security; it may not be used for other purposes, except where the individual’s separate consent is obtained.

(4) Handling of sensitive personal information (Article 29)

Per Article 4 of the PIPL, personal information is all kinds of information, recorded by electronic or other means, related to identified or identifiable natural persons, not including information after anonymization handling. Per Article 28 of the PIPL, sensitive personal information refers to personal information that, once leaked or illegally used, may easily cause harm to the dignity of natural persons or harm to personal or property security. Sensitive personal information includes, but is not limited to, biometric characteristics, religious beliefs, specific identities, medical and health information, financial accounts, and individual location tracking. In order to strengthen the protection of children, the PIPL clearly stipulates that all the personal information of minors under the age of 14 is sensitive personal information.

To handle sensitive personal information, the individual’s separate consent shall be obtained (Article 29). Such consent should be made with the precondition of notification, which contains not only the general items listed in Article 17, but also the necessity of handling the information and the effects on the individual’s rights and interests (Article 30). As to handling the personal information of minors under the age of 14, personal information handlers should obtain the consent of the parent or the guardian of the minor (Article 31).

(5) Providing personal information of an individual to a party outside the territory of China (Article 39)

  In this situation, the personal information handler should notify the individual about the overseas receiving party’s name or personal name, contact information, handling purpose, handling method, and personal information categories, as well as ways or procedures for the individual to exercise the rights provided by PIPL with the overseas receiving party. Besides this, the individual’s separate consent should be obtained.

 

05 Obtaining consent again

 

(1) Where a change occurs in the purpose of personal information handling, the handling method, or the categories of handled personal information, the individual’s consent shall be obtained again (Article 14).

(2) When it’s necessary to transfer personal information due to merger, separation, dissolution, declaration of bankruptcy, and other such reasons, the personal information handler should notify the individual about the receiving party’s name or personal name and contact information. The receiving party should continue to fulfill the personal information handler’s duties. When the receiving party changes the original handling purpose or handling method, the receiving party should obtain the individual’s consent again (Article 22).

(3) When the personal information handler provides the personal information to a third party and the third party changes the original handling purpose and method, the third party should obtain the individual’s consent again (Article 23).

 

06 Small-scale personal information handlers

 

In both the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), there are exemptions to free small businesses from excessive compliance burdens. In the PIPL, the counterpart is Article 62, which stipulates that the national cyberspace authority will formulate specialized personal information protection rules and standards for small-scale personal information handlers. This provision does not define a small-scale personal information handler. It is widely believed that the scale will be decided by standards such as revenue, number of users, etc.

 

In July 2021, the Cyberspace Administration of China (CAC) published the report regarding the investigation of Didi. This report concluded that Didi’s handling of users’ personal information severely violated relevant laws and regulations. In August 2021, the CAC published a report listing 85 Chinese companies that were involved in improper handling of personal information. These 85 companies were ordered to make rectifications within 15 days. The Chinese government and the whole society are paying more attention to the protection of personal information. With the implementation of the PIPL, we believe this trend will continue. Therefore, it’s critical for companies to comply with the laws and regulations in this legal regime.