News Article

News Article

China’s data protection law: the wait is over

9 Sep 2021

By Francesca Lewis, BritCham Shanghai Policy Team


On the 6th September 2021, BritCham Shanghai hosted a webinar called “China’s Data Protection Law: The Wait is Over”, focusing on the legal business and HR implications of the Personal Information Protection Law (PIPL) coming in on the 1st of November. The webinar was hosted by Jasmine Chen, the Legal Director at the Weir Group.

The webinar led to an active Q&A session with key questions included below, as there is still much uncertainty surrounding the upcoming regulations. The talk prioritised the scope of the law, the extraterritorial reach, enforcement authorities and the legal liabilities.

The following are the key takeaways but bear with us – there’s a lot of information to get through:

  • Personal information (PI) is any information that identifies or has identifiable information about a citizen. Anonymous information is not included.
  • Extraterritorial rules include:

– Services provided outside of China to persons inside China.

– Software that analyses/ assesses the behaviour of persons in China.

– Circumstances as provided by laws and administrative regulations.

  • General breaches of administrative liabilities will see a maximum fine of 1 million yuan for companies, a maximum fine of 100,000 yuan for individuals and the opportunity to rectify violations.
  • Severe breaches of administrative liabilities will see a maximum fine of 50 million yuan for companies or 5% of the annual turnover (at the authorities’ discretion), a maximum fine of 1 million yuan for individuals and the business license revoked.
  • The personal information handler is liable for damages caused by processing PI unless they can prove non-negligence through good data compliance practises, which is hard to do.
  • Public Interest Litigation exists for public consumer protection laws and is becoming more involved in public interest litigation – Cyberspace Administration of China (CAC) may bring breaches to them in the future.
  • Most severe criminal liabilities include infringing citizens’ personal information such as selling information and refusal to fulfil obligations of IT security management.
  • Under article 13 section 2, “Human Resources Management Purpose (HRMP) is an exemption of the data subjects’ consent” first appeared in the final document. It refers to processing employees’ basic information and means that clearly outlined legal contracts/code of conduct will allow HR to process information without seeking employee consent.
  • There is no grace period for transition. Companies should run an assessment in the following months to check compliance. Be aware that being fully GDPR and ISO 27001 compliant does not guarantee total PIPL compliance!
  • New rules mean if your company falls under CIIO, you will be contacted about it.
  • A Data Protection Impact Assessment will be necessary under PIPL.

There’s a lot of key takeaways from the talk as a result of the information rich-discussions fuelled by the speakers, however, there is also more basic background information to be aware of.

Rule enforcement:

The new regulations come from the central level from the CAC. They will be enforced by three other ministries; the Ministry of Public Security (MPS), Ministry of Human Resources and Social Security (MOHRSS) and the Ministry of Industry and Information Technology (MIIT). Enforcement will depend on the industry. Additionally, some sectors will also be enforced by local counterparts such as Shanghai CAC / Shanghai PSB, Shanghai Municipal Commission of Economy and Informatisation (SHEITC) and Shanghai Municipal Human Resources and Social Security Bureau (SHHRSS).


For general breaches, penalties can include confiscation of illegal gains, an order to rectify, order to suspend or terminate provision of the application programs unlawfully processing personal information. This is seemingly all reversible if the necessary corrections are made. Additionally, all authorities from central and local level have authority to fine general breaches.

For severe breaches however, penalties can include an order to rectify, confiscation of illegal gains, suspension of relevant business activities, cessation of business for rectification and/or revocation of business license or permit. Additionally, the person responsible can be prohibited from holding a position of authority (such as director, supervisor, senior manager or personal information protection officer) for a period of undisclosed time. Only enforcement authorities of provincial or higher level can penalise these types of breaches.

Q&A highlights

Can personal or sensitive personal information be stored outside of China?

If the company has met all of the government-required procedures satisfactorily, it seems likely.

Is the employment contract signature sufficient evidence of employee consent?

It depends on what the employment contract provides in terms of purpose, method, and how the company uses the information. Companies should review their existing employment contract templates, code of conduct, or relevant data protection policies already being used in the company.

If personal information handling issues are caused by a vendor, who does the liability fall with?

At this point there is no answer. It can fall either solely to either side or both parties end up facing joint responsibility. It will likely depend on the agreement in the contract to find the internal liability.

What is the main focus under PIPL? National security or protection or independent privacy?

The focus of PIPL is the right to privacy, protecting individual and personal information.

What’s the scope of HMRP exemptions?

The scope can be split into 4 stages. Recruitment, onboarding, during employment, post-employment. If contracts don’t account for this, it’s worth considering adapting them. Although agreed on during employment, it’s appropriate to seek employees’ consent – especially over personal issues. It is best to use the exemption prudently.

Information presented by:

  • Jasmine Chen – Legal Director of the Weir Group
  • Ken Dai – Partner of Dentons Shanghai – Data Protection Law expert
  • Vivian Jin – PwC – employment lawyer

Disclaimer: The views and opinions expressed within this content are those of the Policy team summarising the information. This material is for informational purposes only and has been prepared for the exclusive use and benefit of British Chamber of Commerce Shanghai members or prospective members. Neither the Policy team nor the British Chamber of Commerce Shanghai accepts any liability arising from use of this content.

Platinum members

Join us

BritCham Shanghai is an organisation proudly run by its members — for its members. Whether your business is based in China or overseas, we welcome you to be part of our community. Let's connect, and become a member today.