Hogan Lovells - Asia-Pacific Data, Privacy and Cybersecurity Guide 2025
sets a high bar for Chinese data protection
compliance. Some of the key features under
PIPL are as follows:
Extraterritorial effect:
PIPL applies not only to personal data handlers
based in China, but also foreign personal
data handlers that process personal data of
Chinese data subjects where the processing
is for the purpose of: (i) providing services or
products to individuals in China; (ii) analysing
or evaluating the behaviour of individuals in
China; or (iii) other circumstances provided
under Chinese law. Personal data handlers
subject to PIPL which do not have operations in
mainland China are required to appoint a
local representative.
Bases for Processing:
Consent is the main legal basis for processing personal data, with specific exemptions for the conclusion or performance of a contract with the data subject, HR management, compliance with applicable laws, and public health and public interest processing. Notably, PIPL does not follow the GDPR in providing a "legitimate interests" basis that would permit processing without consent where obtaining consent is not practical. It is also important to note that PIPL mandates a "separate consent" for "controller-to-controller" transfers; a plain reading of these words suggests that an unbundled, revocable consent (i.e., a separate tick-box consent) is required. Personal data handlers (i.e., those who independently determine the purpose and method of handling personal data) are also required to notify data subjects of the specific identity of the transferees.
Sensitive personal data:
PIPL introduces specific requirements for the collection and handling of sensitive personal data which, unlike under the GDPR, is not defined exhaustively but is instead defined as information which, if misused, could readily cause harm to the dignity or interests of the affected individuals. Personal data of children under the age of 14 is also treated as sensitive. A "separate consent" is required for the collection and use of sensitive personal data, as is the completion of a form of privacy impact assessment.
Data subject rights:
Data subjects are entitled to a range of data protection rights which broadly mirror those under the GDPR (e.g. the right to request correction of data, the right to obtain a copy of their personal data and the right to withdraw consent), but which also include a right to request an explanation of the organization's data processing practices.
International data transfers:
Personal data handlers that transfer personal data outside of China are required to satisfy one of the following regulatory formalities (collectively referred to as the "Data Transfer Review"), subject to certain thresholds (i.e., the data category and volume involved) and exemptions: (a) undergoing a security assessment by the CAC (CAC Security Assessment); (b) obtaining appropriate certification (Third Party Certification); or (c) entering into standard contractual clauses (SCCs). In addition, personal data handlers must obtain a separate consent from the relevant data subjects for such cross-border transfers, conduct a prior privacy impact assessment and implement the measures necessary to ensure that the processing activities of the offshore recipients will meet PIPL standards. Please see the discussion of the security assessment measures below for further information.
Accountability:
Personal data handlers meeting as yet
unspecified thresholds are required to appoint
a DPO. In addition, Article 51 of PIPL prescribes
a set of potentially broad obligations requiring
personal data handlers to formulate internal
management structures and operating
procedures concerning personal data,
undertake data classification, adopt security
measures, formulate data security incident
response plans and conduct security training
for employees. There is no specific obligation