On August 20, 2021, the Personal Information Protection Law of the People's Republic of China was reviewed and adopted at the 30th Meeting of the Standing Committee of the 13th National People's Congress of the People's Republic of China, and will officially come into effect on November 1, 2021. After three rounds of deliberation and two rounds of public consultations, the long-awaited Personal Information Protection Law has finally been unveiled. Comprising eight chapters and 74 articles, the law reflects the collective wisdom of numerous experts. As China’s first piece of legislation specifically addressing personal information, it introduces several groundbreaking institutional features, marking a significant milestone. Moreover, it provides a new framework for enterprises to ensure data compliance.
Lawyer Xinglai provides commentary on the ten key points related to corporate compliance under the Personal Information Protection Law, focusing on critical provisions such as the implementation paths and exemptions for informed consent, cross-border data transfers, corporate governance, rights and obligations, and legal responsibilities. She dissects the current regulatory framework for personal information protection, aiming to offer valuable insights and guidance for businesses as they prepare for—or update—their compliance management systems in the era of the Personal Information Protection Law.

*Note: This is the second part, specifically offering commentary on points six through ten.
6. Respect for Rights: A New Right for Individuals Whose Personal Information Is Involved
Effective October 1, 2020, the "Information Security Technology—Personal Information Security Specification" (GB/T 35273-2020) sets out six rights for the individuals whose personal information is processed: the right to access, the right to rectification, the right to erasure, the right to withdraw consent, the right to account deletion, and the right to data portability. Building on this foundation, the Personal Information Protection Law further clarifies and delineates these rights, elevating guidance that previously existed only in a recommended national standard into statute. It also strengthens and supplements those provisions, in particular by placing the right to data portability on an express statutory footing and by establishing special rights for the close relatives of deceased individuals.
With this, China's legal framework for personal information rights has become relatively comprehensive, which in turn raises the bar for every entity that processes personal information.
1. Right to Know and Right to Self-Determination

2. Right to Access and Right to Copy

3. Right to Rectification and Right to Supplement

4. Right to Withdraw Consent

5. Right to Erasure

6. Right to Data Portability

7. Special Rights of the Deceased's Close Relatives

7. Assumption of Obligations: Special Duties Businesses Need to Be Aware Of
In addition to the general obligations of personal information processors—such as ensuring informed consent, protecting sensitive personal information (especially that of children), safeguarding data subjects' rights, and establishing principled guidelines and rules for processing activities (particularly regarding deletion)—the author specifically highlights and analyzes the key provisions related to corporate responsibilities under the Personal Information Protection Law as follows:
1. Personal Information Protection Impact Assessment
Under the "Information Security Technology – Personal Information Security Specification", personal information controllers (a concept the Personal Information Protection Law recasts as "personal information processors") are required to establish a personal information security impact assessment system for evaluating and addressing the security risks of their processing activities. The Personal Information Protection Law builds on this, renaming the exercise the "personal information protection impact assessment" and broadening its scope: beyond mitigating security risks, the assessment must also confirm that each processing activity, from collection through disposal, remains lawful and compliant across the entire data lifecycle. This makes the assessment a central element of a processor's compliance work at every stage.

2. Compliance Audit
According to Article 54 of the Personal Information Protection Law, personal information handlers are required to conduct regular compliance audits to ensure their processing of personal information adheres to laws and administrative regulations.
The audit should at least include:
(1) Regularly track changes in the applicable laws, administrative regulations and regulatory guidance;
(2) Have the obligations stipulated in laws and administrative regulations been mapped within the company’s internal compliance management system—for instance, have relevant institutional measures been established, have dedicated compliance positions been set up, and are regular training sessions conducted for employees in these roles?
(3) Regularly review whether the company’s compliance management measures are being effectively implemented. Assessing "effectiveness" can be approached from two key dimensions: (a) Whether the established compliance policies help the company promptly identify and mitigate risks; (b) If a compliance violation occurs, whether the current compliance framework enables the company to swiftly and systematically carry out corrective actions—such as preparing and submitting reports to regulatory authorities, as well as implementing measures to prevent the situation from escalating further.
(4) Regularly assess network and system security to prevent personal information leaks caused by cybersecurity risks;
(5) Regularly assess the compliance awareness and essential compliance knowledge of employees in key positions through questionnaire surveys;
(6) It is recommended to establish an internal whistleblowing and oversight mechanism, encouraging anonymous reporting of misconduct and wrongdoers, while also creating a robust protection system for whistleblowers.
……
3. Special Obligations of Key Internet Platforms
Article 58 of the Personal Information Protection Law sets out special obligations for personal information processors that provide important internet platform services, have a very large number of users, and operate complex business models. This is another highlight of the new law: it differentiates legal responsibilities according to whether a processor is "large" or "small".
Under Article 58, such processors must: (1) establish and improve a personal information protection compliance system in accordance with national regulations, and set up an independent body composed mainly of external members to supervise personal information protection; (2) follow the principles of openness, fairness and justice in formulating platform rules, and clearly define the standards by which product or service providers on the platform must handle personal information and their obligations to protect it; (3) cease providing services to product or service providers on the platform that seriously violate laws or administrative regulations in handling personal information; and (4) regularly publish social responsibility reports on personal information protection and accept public supervision.
The three criteria, "important internet platform services", "a very large number of users" and "complex business models", have not yet been given concrete thresholds, but it is easy to predict that several well-known leading internet companies will fall within the scope of this provision. The selection rules for the external members of the independent oversight body and the requirements for social responsibility reports also remain to be clarified.
8. Responsible Data Sharing: Rules Governing Cross-Border Flow of Personal Information
According to the provisions in the Personal Information Protection Law regarding cross-border transfers of personal information, the author believes that the legal basis should meet all three of the following conditions simultaneously:

9. New Role: Corporate Internal Personal Information Protection Officer
Article 52 of the Personal Information Protection Law requires personal information processors handling personal data reaching the quantity specified by the national cyberspace administration to appoint a personal information protection officer, who will be responsible for overseeing personal information processing activities as well as the protective measures implemented.
In accordance with the relevant provisions of "Information Security Technology – Personal Information Security Specification" (GB/T 35273-2020), specifically:

10. Strict Penalties: Heavy Fines + "Dual Penalty System"
At the level of legal liability, the Personal Information Protection Law provides relatively detailed regulations on the legal responsibilities of personal information processors, covering both administrative and civil aspects. Notably, innovative measures such as joint processors' joint and several liability, hefty fines tied to annual turnover, and a "dual-penalty system" targeting both organizations and their responsible individuals—combined with unprecedentedly stringent penalties—effectively deter violations of personal information handling practices.
1. Joint and Several Liability of Joint Processors
(1) The concept of a joint processor:
When two or more personal information processors jointly determine the purposes and methods of processing personal information, they are joint processors.
(2) Provisions on Joint and Several Liability:
According to Article 20 of the Personal Information Protection Law, when two or more personal information processors jointly determine the purposes and methods of processing personal information, they must clearly define their respective rights and obligations. However, this agreement does not affect an individual’s right to request any one of these processors to exercise the rights stipulated under this law. If personal information processors jointly handle personal information and such actions result in harm to individuals’ personal information rights, they shall bear joint and several liability in accordance with the law.
Joint and several liability is a concept from civil tort law. The provision in the Personal Information Protection Law is consistent with the tort liability rules of the Civil Code: internal agreements on the allocation of responsibility cannot be asserted against third parties and do not affect the imposition of joint and several liability.
2. Civil Litigation Risks
(1) If a personal information handler refuses an individual’s request to exercise their rights, the individual may file a lawsuit with the people’s court in accordance with the law;
(2) If a personal information handler violates the provisions of this law by processing personal information in a way that infringes upon the rights and interests of numerous individuals, the People's Procuratorate, consumer organizations specified by law, and organizations designated by the national cyberspace administration may file a lawsuit with the People's Court in accordance with the law.
3. "Dual Penalty System": Heavy administrative fines + bans on responsible personnel
Another innovative move under Article 66 of the Personal Information Protection Law is the introduction of a "dual-penalty system," which imposes sanctions on both the non-compliant enterprises and the individuals directly responsible.

Specifically, where personal information is handled in violation of this law, or the protection obligations it prescribes are not fulfilled, the consequences can be severe. The enterprise may be ordered to rectify, have its illegal gains confiscated and be fined (for serious violations, Article 66 allows a fine of up to RMB 50 million or 5% of the previous year's turnover), while the directly responsible person in charge and other directly responsible personnel may be fined personally and prohibited, for a certain period, from serving as directors, supervisors, senior managers or personal information protection officers of the relevant enterprises.
Conclusion
The newly introduced Personal Information Protection Law strikes a balance between aligning with international standards and retaining China's own characteristics. It directly addresses pressing public concerns such as apps that collect user data excessively, facial recognition, and "big data price discrimination", laying a solid institutional foundation for the protection of personal information. We are now entering an era in which cybersecurity, data compliance and personal information protection stand as three complementary pillars under the framework of the Cybersecurity Law, the Data Security Law and the Personal Information Protection Law. This brings businesses unprecedented opportunities, and challenges, in regulatory compliance. While the law imposes stringent compliance requirements on companies, particularly large internet firms, sound data governance has increasingly become a shared understanding among organizations. In the age of big data, effective data compliance is no longer merely a legal obligation; it is fast becoming a component of a company's core competitiveness.
In the past, the national standards and industry guidelines that businesses typically referred to were mostly supplementary documents aligned with the guiding principles outlined in the Cybersecurity Law. However, following the enactment of the Personal Information Protection Law, new regulatory frameworks will gradually be developed to provide clear guidance on the law's specific implementation. StarLaw Firm will continue to closely monitor the latest developments related to the Personal Information Protection Law and its accompanying regulations, offering businesses timely legal advice to support their data compliance initiatives.