How to Conduct a Personal Information Protection Impact Assessment in China
Companies handling sensitive personal information or conducting certain transactions and procedures using personal information must conduct a personal data impact assessment in China. The scope of the data impact assessment depends on the specific application and type of personal information being handled. It can therefore be difficult for companies to navigate the various laws and regulations. In this article, we explain all the requirements and scenarios in which companies must carry out a personal data impact assessment in China.
Under China’s Personal Information Protection Law (PIPL), companies that engage in certain personal information processing activities are required to carry out a personal data impact assessment in China, known as a personal information protection impact assessment (PIPIA), in order to ensure the security of the data they are handling.
A PIPIA is similar to what is called a Data Protection Impact Assessment (DPIA) under Europe’s General Data Protection Regulation (GDPR). As with a DPIA, a PIPIA requires companies to assess the potential risks to an individual or data subject before they can process that person’s personal information in certain circumstances.
Almost all companies based in China will be required to conduct a PIPIA at some point during their operations, except perhaps small companies that only handle low levels of personal data within the Chinese mainland.
In this article, we explain the circumstances in which a company must conduct a PIPIA and what must be included in the report depending on its use and application.
Who needs to conduct a PIPIA?
The PIPL and related regulations outline specific circumstances in which a company will be required to conduct a PIPIA. These scenarios are:
- Processing sensitive personal information;
- Using personal information for automated decision-making;
- Entrusting the processing of personal information to another party, providing personal information to other personal information processors, and disclosing personal information;
- Transferring personal information overseas; and
- Other personal information processing activities that could have a significant impact on the personal rights and interests of the personal information subject.
Based on the above requirements, we conclude that almost all companies would need to consider performing a PIPIA to comply with the PIPL, especially given the wide scope of sensitive personal information, which includes data such as biometrics, personal information tied to a person’s medical records, information on religious beliefs or specific identities, and any data of a minor under the age of 14, among others. Moreover, many foreign companies use IT systems based at overseas headquarters, which means they often have to transfer data outside of China or share data across borders.
The requirements for conducting a PIPIA are similar to those for conducting a DPIA under the GDPR. Both processes require companies to identify the purpose for processing personal information (PI), the potential risks to individuals, and whether the company has taken appropriate control measures to protect personal information. However, companies should be aware that the PIPIA report and handling records must be kept for at least three years.
How to conduct a PIPIA
The PIPL provides a relatively broad description of what is required to be included in a PIPIA, namely:
- Whether the purposes for and methods of processing personal information are legal, legitimate, and necessary;
- The potential impact on personal rights and security risks; and
- Whether the protective measures taken to protect personal information are legal, effective, and commensurate with the level of risk.
In addition to the PIPL, other related regulations provide further detail on what a PIPIA must contain depending on the situation.
PIPIAs for the export of personal information
Companies are required to conduct a PIPIA as part of the procedures to get clearance to transfer personal information outside of the Chinese mainland. Under the PIPL, a company that handles a certain volume of personal information or sensitive personal information must undergo one of the following procedures in order to transfer personal information outside of China:
- A security review by the Cybersecurity Administration of China (CAC);
- A third-party personal information protection certification; or
- Sign a standard contract with the overseas recipient of the personal information.
A PIPIA must be conducted regardless of which of the above procedures a company undergoes. However, the scope of the PIPIA differs slightly between the various implementation rules.
Note that the following types of companies must undergo a security review by the CAC, and cannot choose one of the other two options:
- Companies that transfer “important” data overseas;
- Critical information infrastructure operators (CIIOs) and companies that handle the personal information of more than 1 million people; and
- Companies that have provided the personal information of 100,000 people or the sensitive personal information of 10,000 people overseas since January 1 of the previous year.
Companies that do not meet the above criteria or fall below the thresholds for volumes of personal information or sensitive personal information can either undergo third-party personal information protection certification or sign a standard contract with the overseas recipient of the personal information. These two procedures are generally considered to be less cumbersome than the CAC security review.
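As an added illustration (not from the article, the regulations, or any regulator’s tooling), the following Python encodes the route-selection triggers listed above as a checkable function. The Transfer record format, the function names, and the reading that sensitive personal information counts toward the general PI total are assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Thresholds as stated in the article; all counts are numbers of individuals.
HANDLED_PI_THRESHOLD = 1_000_000        # PI handled overall ("more than 1 million")
EXPORTED_PI_THRESHOLD = 100_000         # PI provided overseas since the window start
EXPORTED_SENSITIVE_THRESHOLD = 10_000   # sensitive PI provided overseas since the window start


@dataclass(frozen=True)
class Transfer:
    """One outbound transfer record (constructed format, not defined by the rules)."""
    on: date          # date the data left the Chinese mainland
    subjects: int     # distinct individuals covered (assumed deduplicated per record)
    sensitive: bool   # True if the record contained sensitive PI


def window_start(today: date) -> date:
    """The cumulative export count runs from January 1 of the previous year."""
    return date(today.year - 1, 1, 1)


def export_route(today, transfers, handles_important_data, is_ciio, pi_subjects_handled):
    """Return (route, reasons). Route is 'cac_security_review' when any mandatory
    trigger applies, otherwise 'certification_or_standard_contract'.
    A PIPIA is required on either route; this only selects the procedure."""
    start = window_start(today)
    in_window = [t for t in transfers if t.on >= start]
    # Assumption: sensitive PI is a subset of PI, so it counts toward both totals.
    pi_out = sum(t.subjects for t in in_window)
    spi_out = sum(t.subjects for t in in_window if t.sensitive)

    reasons = []
    if handles_important_data:
        reasons.append("transfers important data overseas")
    if is_ciio:
        reasons.append("critical information infrastructure operator")
    if pi_subjects_handled > HANDLED_PI_THRESHOLD:
        reasons.append(f"handles PI of more than {HANDLED_PI_THRESHOLD:,} people")
    if pi_out >= EXPORTED_PI_THRESHOLD:
        reasons.append(f"exported PI of {pi_out:,} people since {start}")
    if spi_out >= EXPORTED_SENSITIVE_THRESHOLD:
        reasons.append(f"exported sensitive PI of {spi_out:,} people since {start}")
    if reasons:
        return "cac_security_review", reasons
    return "certification_or_standard_contract", ["below all CAC review triggers"]
```

Transfers dated before January 1 of the previous year are ignored by the cumulative count, which is why the window start is computed from the assessment date rather than hard-coded.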
PIPIA for security review by the CAC
When undergoing a security review by the CAC, companies must first carry out a “self-assessment of data export risks”. Although the regulations on the security review call this a self-assessment rather than a PIPIA, the required scope is very similar in nature.
The following matters must be included in the self-assessment:
- The legality, legitimacy, and necessity of data export and the purpose, scope, and method of data processing by the overseas recipient;
- The scale, scope, type, and sensitivity of the exported data, and the risks that data export may bring to national security, public interests, and the legitimate rights and interests of individuals or organizations;
- The responsibilities and obligations promised by the overseas recipient, as well as whether the management and technical measures and capabilities to fulfill the responsibilities and obligations can ensure the security of outbound data;
- The risk of data being tampered with, destroyed, leaked, lost, transferred, illegally obtained, illegally used, and so on during and after exporting, and whether there are unimpeded channels for protecting personal information rights and interests;
- Whether the data export-related contract or other legally binding documents (hereinafter collectively referred to as legal documents) to be entered into with the overseas recipient fully stipulates the data security protection responsibilities and obligations; and
- Other matters that may affect the security of data export abroad.
PIPIA for third-party certification
Meanwhile, under the draft rules on third-party personal information protection certification, the PIPIA must at the very least contain the following information:
- The legality, legitimacy, and necessity of the purpose for the cross-border personal information processing, the scope of and method for processing the PI;
- The scale, scope, type, and sensitivity level of the personal information being processed, the frequency of cross-border personal information processing activity, and the risks that this activity may pose to the rights and interests of the personal information subjects;
- The responsibilities and obligations promised by the overseas recipient, and whether their management, technical measures, and capabilities are sufficient to fulfill their responsibilities and obligations to guarantee the security of the cross-border personal information processing activity;
- Risks of leakage, damage, tampering, abuse, and other violations or breaches during the cross-border processing of personal information and whether there are unobstructed channels for individuals to protect their rights and interests;
- The impact that the personal information protection policies and regulations in the country or region where the overseas recipient is located may have on their ability to fulfill their obligations to protect the personal information and the rights and interests of the personal information subjects. This may include (but is not limited to):
  - The overseas recipient’s previous similar experience in cross-border transmission and processing of personal information, whether any data security-related incidents have occurred under their authority, whether these incidents have been dealt with in a timely and effective manner, and whether they have ever received a request from a public authority in the country or region where they are located to provide personal information, and how they responded to this request;
  - The current laws and regulations on personal information protection in the country or region in which the overseas recipient is located, the generally applicable standards, and the differences between these and the relevant laws, regulations, and standards on personal information protection in China;
  - Any regional or global personal information protection organizations that the country or region in which the overseas recipient is located has joined and the binding international commitments it has made; and
  - The mechanisms for personal information protection that the country or region in which the overseas recipient is located has implemented, such as whether there are supervisory and law enforcement agencies and relevant judicial agencies for personal information protection.
- Other matters that may affect the security of the cross-border personal information processing activity.
Note that the rules on third-party certification are still in draft form and have not yet come into effect.
PIPIA for signing a standard contract
Under the rules on standard contracts, which came into effect on June 1, 2023, the PIPIA must assess the following matters:
- The legality, legitimacy, and necessity of the purpose, scope, and processing method of the data processor [in China] and the overseas recipient.
- The scale, scope, type, and sensitivity level of the outbound personal information being exported, and the potential risks that the export of the personal information can pose to the rights and interests of the personal information subjects.
- The responsibilities and obligations that are undertaken by the overseas recipient, and whether the management and technical measures and capabilities for fulfilling these responsibilities and obligations can ensure the security of outbound personal information.
- The risk of the personal information being tampered with, destroyed, leaked, lost, or illegally used after being exported, and whether the channels for safeguarding the rights and interests of the personal information subjects are unobstructed.
- The impact that the personal information protection policies and regulations in the country or region where the overseas recipient is located may have on the fulfillment of the standard contract.
- Other matters that may affect the security of the outbound personal information.
PIPIA for other applications
As mentioned above, companies are also required to conduct a PIPIA in order to carry out activities such as handling sensitive personal information, using personal information for automated decision-making, entrusting the processing of personal information to another party, or disclosing personal information.
However, no specific guidelines or regulations on conducting a PIPIA for these applications have been released.
In August, the government released a set of draft standards on the security requirements for processing sensitive personal information. These draft standards reiterate that companies must carry out a PIPIA. They also state that companies can refer to the Guidance for Personal Information Security Impact Assessment, a set of technical standards (GB/T 39335-2020) released at the end of 2020, in order to carry out the assessment.
We can therefore presume that for the other applications, these same technical standards will apply. However, official documents have not yet clarified at what stage of conducting these activities a PIPIA must be conducted.
Technical standards for conducting a PIPIA
The technical standards for carrying out a PIPIA mentioned above provide detailed descriptions of the recommended processes and mechanisms for conducting a PIPIA.
Note that these are recommended standards, not obligatory, and therefore mainly serve as reference material for companies carrying out a PIPIA.
According to the technical standards, before beginning the PIPIA, it is recommended that a company thoroughly research the target of the PIPIA (such as a particular product, department, or cooperation project). Through this process, the company can create a detailed and clear data list and data flow diagram and identify the exact personal information processing activity that needs to be assessed.
When conducting a PIPIA, the company will (1) analyze the possible impact and extent of the processing activities on the rights and interests of personal information subjects and (2) analyze whether the security measures are effective, whether security incidents could occur, and how likely that is. The company then combines the results of these two aspects to assess the security risks and risk levels of the personal information processing activities. Finally, it can put forward corresponding improvement suggestions to form an assessment report.
Mechanisms for conducting a PIPIA
The technical standards recommend three mechanisms for conducting a PIPIA, which are as follows:
- Interviews: The assessment team will conduct interviews with the relevant personnel, in order to understand, analyze, and collect evidence on the process of personal information processing and protection mechanism design and implementation within the information system. The targets of the interviews may include product managers, R&D engineers, persons in charge of personal information protection, legal affairs personnel, system architects, HR, system users, and related stakeholders and personnel.
- Inspection: Evaluators observe, inspect, and analyze management systems, security policies and mechanisms, contract agreements, security configuration and design documents, operation records, and so on, in order to understand, analyze, or collect evidence.
- Testing: Evaluators conduct technical testing through manual or automated security testing tools, obtain relevant information, and analyze it to obtain evidence. The testing objects may be security control mechanisms, such as access control, identity recognition and verification, security audit mechanisms, transmission links and storage encryption mechanisms, continuous monitoring of important events, test event response capabilities, emergency planning and acting capabilities, and so on.
Considerations for companies
Conducting a PIPIA in accordance with China’s Personal Information Protection Law is a crucial yet complex procedure for companies handling personal data. With the relatively broad scope of activities for which an assessment is required under the PIPL, it is important that companies thoroughly assess whether their data processing activities require a PIPIA to remain compliant.
Given the complex nature of PIPIA, companies may benefit from expert assistance to navigate the process effectively, safeguarding personal rights and interests while maintaining regulatory compliance. By prioritizing comprehensive assessments, robust data protection measures, and proactive compliance efforts, companies can mitigate risks and uphold privacy standards in alignment with evolving regulations. For support with conducting a PIPIA or guidance on compliance matters, companies can reach out to China@dezshira.com.
About Us
China Briefing is one of five regional Asia Briefing publications, supported by Dezan Shira & Associates. Complimentary subscriptions to China Briefing’s content products are available.
Dezan Shira & Associates assists foreign investors into China and has done so since 1992 through offices in Beijing, Tianjin, Dalian, Qingdao, Shanghai, Hangzhou, Ningbo, Suzhou, Guangzhou, Dongguan, Haikou, Zhongshan, Shenzhen, and Hong Kong. We also have offices in Vietnam, Indonesia, Singapore, United States, Germany, Italy, India, and Dubai (UAE) and partner firms assisting foreign investors in The Philippines, Malaysia, Thailand, Bangladesh, and Australia. For assistance in China, please contact the firm at china@dezshira.com or visit our website at www.dezshira.com.