
On August 20, 2021, the Personal Information Protection Law of the People's Republic of China was reviewed and adopted at the 30th Meeting of the Standing Committee of the 13th National People's Congress of the People's Republic of China, and will officially come into effect on November 1, 2021. After three rounds of deliberation and two rounds of public consultations, the long-awaited Personal Information Protection Law has finally been unveiled. Comprising eight chapters and 74 articles, this landmark legislation—China's first dedicated law specifically addressing personal information—reflects the collective wisdom of numerous experts. It introduces several innovative institutional features, marking a significant milestone in data protection legislation and providing new, robust guidelines for enterprises striving to ensure data compliance.

 

Lawyer Xinglai provides commentary on the ten key points related to corporate compliance under the Personal Information Protection Law, focusing on critical provisions such as the implementation paths and exemptions for informed consent, cross-border data transfers, corporate governance, rights and obligations, and legal responsibilities. She dissects the current regulatory framework for personal information protection, aiming to offer businesses a valuable reference as they prepare for and adapt to the era ushered in by the Personal Information Protection Law, helping them establish or refine their compliance management systems.

 

*Note: This is Part 1, covering the first five of the ten key points.

 

I. Clear Regulation: China’s Regulatory Framework for Personal Information Protection

National Level – Integrated Management:

 

 

Local Level – Specific Implementation (Taking Beijing as an Example):

 

 

II. Knowledge of Application: Special Provisions Regarding Extraterritorial Effectiveness

Based on its application within the country, the "Personal Information Protection Law" also introduces a "long-arm jurisdiction clause"—essentially, a provision governing extraterritorial applicability.

(1) Application within China: This Law applies to activities involving the processing of personal information of natural persons within the territory of the People's Republic of China;

(2) Application Outside China: Activities involving the processing of personal information of natural persons within the territory of the People's Republic of China by entities located outside the PRC shall also be subject to this Law if any of the following circumstances apply:

 

 

Additionally, according to Article 53, cross-border personal information processors subject to the Personal Information Protection Law must establish a dedicated agency or appoint a representative within the territory of the People's Republic of China, responsible for handling matters related to personal information protection. They are also required to submit the name of the agency or the representative’s full name, contact details, and other relevant information to the department tasked with overseeing personal information protection obligations.

 

III. Clarifying Concepts: "Natural Person," "Personal (Sensitive) Information," and the New Meanings of "Processing" and "Deleting" Activities

Based on the above provisions regarding legal application, to accurately understand activities involving the "processing of personal information of natural persons," the following three sets of concepts need to be clarified:

 

 

IV. A New Path Forward: Addressing the Legal Basis of the Activity

Unlike the previous "Information Security Technology — Personal Information Security Specification" (GB/T 35273-2020), which combined the "consent-based collection of personal information" with a "consent exemption" model as the legal basis for processing personal data, the "Personal Information Protection Law" aligns more closely with the EU's GDPR by directly establishing obtaining consent from the data subject as one of the primary legal grounds for handling personal information. Alongside this, there are six additional scenarios where consent is not required (in other words, cases where obtaining authorization consent is not necessary):

 

 

V. Finding Solutions: How Can "Informed Consent" Be Achieved?

The Personal Information Protection Law establishes different requirements for obtaining consent when processing general personal information versus sensitive information. The author has summarized the relevant legal provisions:

 

 

Based on the above provisions, here’s an interpretation of how to obtain informed consent for different types of information:

(1) Processing general personal information:

1. Key Points for Drafting a Privacy Policy

● Basic information about the processor, including the entity's identity and contact details;

● Distinguish between basic and extended business functions, listing the intended purposes for processing personal information under each function;

● For each purpose of processing personal information, clearly state what specific information is intended to be collected and how it will be handled. If sensitive information is involved, it must be specially marked in the privacy policy.

● Potential security risks associated with providing personal information, as well as the possible consequences of choosing not to share it;

● The purposes of sharing, transferring, or publicly disclosing personal information externally, the types of personal information involved, the types of third parties receiving the personal information, and the respective security and legal responsibilities.

● Name and functionality of the integrated SDK;

● Rules governing the processing of personal information, including data storage methods, retention periods, and circumstances involving cross-border data transfers;

● The data security capabilities of the processor, along with the personal information protection measures implemented, and the relevant compliance management qualifications held;

● The implementation approach for the mechanism responding to data subjects' rights, along with the channels and mechanisms for data subjects to make inquiries and file complaints, as well as details on external dispute resolution bodies and their contact information.

 

2. Key Points for Displaying the Privacy Policy

● When the app is run for the first time or when a user registers for the first time, users should be prompted to read the privacy policy through a prominent method, such as a pop-up window.

● Privacy policies must not be pre-selected or automatically agreed to;

● Privacy policy updates must be proactively notified to users in advance—through notices, announcements, pop-up windows, or other prominent methods—along with a clear request asking whether they accept the updated terms.

● After entering the app or website’s main interface, users can access the privacy policy with no more than 4 clicks.

 

3. Key Points for Obtaining User Authorization Consent

● Personal information collection or activation of permissions that enable such collection must not begin without first obtaining user consent—especially before the user has accepted the privacy policy.

● When collecting general personal information, if separate consent is not required, the data processor may inform the individual about the types of information being collected and the default permission settings before gathering the personal data for the first time. Users should also be allowed to modify these permissions directly on the notification page. Core and extended business functions must not be bundled together when seeking user consent: if a user declines to grant permission for non-essential personal information or to enable non-essential features, the provider must not refuse to deliver core business functions as a result.

● Once a user has reconfigured their permission settings, the processor must not arbitrarily alter the permission status the user set for collecting personal information;

● Personal information actually collected, or permissions granted to access such information, must not exceed the scope of the user's authorization;

● If personalized content is displayed using users' personal information and algorithms, users should be given the option to voluntarily opt in, with a choice provided for non-targeted information delivery.

● Personal information processors shall not refuse to provide products or services on the grounds that an individual does not consent to the processing of their personal information or withdraws such consent. If a new business function requires additional personal information beyond the scope the user originally agreed to and the user declines the new request, the processor must continue providing the original business functions, unless the new function is clearly intended to replace the existing one.

● If the purpose, method, or types of personal information being processed change, personal consent must be obtained again.

 

(2) Handling Personal Sensitive Information:

Building upon the general principles of personal information protection outlined above, please pay special attention to the following:

1. Key Points for Obtaining Separate Consent

● When collecting personal sensitive information for the first time, users should be specially notified in advance—via a "pop-up window" or similar prompt—about the types of data being collected, the purpose (which must be thoroughly justified and necessary; it’s recommended to incorporate an assessment of the impact on personal information protection), as well as the specific measures in place to safeguard sensitive information (e.g., by including these details in the privacy policy and providing a direct link to the policy on the pop-up page). Users should then be asked to explicitly authorize the collection by means such as checking a box or clicking "Agree."

● Users must not be required to grant multiple permissions that collect sensitive personal information at once. Instead, explicit user consent should be obtained through individual clicks or confirmations.

 

2. Key Points for Protecting Information of Children (Under 14 Years Old)

● Develop a "Children's Privacy Protection Policy/Statement," ensuring compliance with the real-name registration requirements under the Cybersecurity Law, and conduct age verification for users. If a user is confirmed to be under 14 years old after verification, processors are advised to provide a special reminder regarding the "Children's Privacy Protection Policy/Statement," which should explicitly include the following key points:

◎ Special note for children: Children under 14 are advised to read the privacy policy together with their guardian and obtain the guardian's consent before using the relevant products/services.

◎ Special note for children's guardians: Clearly outline the content of the product/service, as well as the potential benefits or adverse effects that may arise when children use it. Emphasize the necessity of obtaining **double consent** from the child's guardian—specifically, consent for the child to use the product/service and consent for the provision of the child's personal information.

◎ The privacy policy listed above specifically adjusts the sections related to personal information to include special protection measures for children's personal data, as well as dedicated complaint and response channels.

◎ The content of the privacy policy should be as easy to understand as possible.

● To ensure that child users can fully understand the "Special Notes for Children" outlined in the aforementioned "Children's Privacy Policy/Statement," thereby making their acceptance of the children's privacy policy a valid action, it is recommended that the data processor implement verification steps before the child user checks the acceptance box—for example, requiring users to select specific characters or rearrange sentences (e.g., scrambling the phrase "I have read the privacy policy and obtained my guardian’s consent," then asking the user to click on the characters in the correct order to reassemble it).

● Once a user is confirmed to be a child, the types of personal information collected and the duration of use should be strictly limited, ensuring thorough compliance with the "minimum necessary" principle, among other measures.

Copyright 2025 Beijing Xinglai Law Firm