fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

A Closer Look: The Personal Information Protection Law in China

The Personal Information Protection Law in China

Exploring The Personal Information Protection Law in China

The Personal Information Protection Law in China was promulgated on August 20, 2021 by theStanding Committee of China’s National People’s Congress, and will take effect this upcoming November 1, 2021. This new law aims to “regulate personal information processing activities,” “facilitate reasonable use of personal information,” and “protect the rights and interests of individuals” (Article 1).

The PPIL, Data Security Law, and the Cybersecurity Law, in a broader cyber and data security governance perspective, will form an over-arching framework to govern cybersecurity, data security, and data protection in China for years to come.

But before we comb through China’s new Personal Information Protection Law (PPIL), let us first define some key terms as we delve deeper to the start of something exciting!

Key Terms, Defined

Throughout the Personal Information Protection Law in China, we will get to stumble upon the terms “Sensitive personal information,” “personal information,” “personal information processing entity,” “anonymization,” and “processing of personal information.” Upon the plain reading of it, it can be observed that “personal information” and “processing of personal information” are defined similarly under both of the PIPL and the GDPR. It is defined as all kinds of information relating to identified or identifiable natural persons recorded by electronic or other form, excluding anonymized information.

Moreover, “Sensitive personal information” is defined under the Personal Information Protection Law (PIPL) as “personal information that, once leaked, or illegally used, may easily infringe the dignity of a natural person or cause harm to personal safety and property security, such as biometric identification information, religious beliefs, specially-designated status, medical health information, financial accounts, information on individuals’ whereabouts, as well as personal information of minors under the age of 14” (Article 28).

Furthermore, “anonymization” refers to the process by which personal information cannot be used to identify specific natural persons and the personal information cannot be restored after processing (Articles 4 & 73). Also, it is to note that anonymized information is not deemed as personal information under the PIPL.

Lastly, “personal information processing entity”  under the PIPL refers to “organization or individual that independently determines the purposes and means for processing of personal information” (Article 73). This also seems to appear as a similar concept to the GDPR’s “data controller” concept. This is the same with PIPL’s “entrusted party” with GDPR’s “data processor.”

Also Read: Personal Data Protection Act Singapore: Is Your Business Compliant?

The Total Package of the Personal Information Protection Law in China, unwrapped!

The Personal Information Protection Law in China consists of 8 chapters with 74 articles in total. These are:

  • General Provisions;
  • Personal Information Processing Rules;
  • Rules for Cross-Border Provision of Personal Information;
  • Individuals’ Rights in Personal Information Processing Activities;
  • Obligations of Personal Information Processors;
  • Departments Performing Personal Information Protection Functions;
  • Legal Liabilities; and
  • Miscellaneous Provisions.

Business Implications of the Personal Information Protection Law in China 

The Personal Information Protection Law in China now adds another layer of complexity with respect to compliance with China’s security and data laws and regulations. As similarly required by the GDPR,  it is now required for PIPL tohave a lawful basis to process personal information. In addition to consent, Article 13 of the said law provides for the following non-consent basis:

  • Necessary to enter into or perform a contract to which the individual is a party, or where necessary to conduct human resources management according to lawfully formulated internal labor policies and lawfully concluded collective labor contracts.
  • Necessary to perform legal responsibilities or obligations.
  • Necessary to respond to a public health emergency, or in an emergency to protect the safety of individuals’ health and property.
  • To a reasonable extent, for purposes of carrying out news reporting and media monitoring for public interests.
  • Processing of personal information that is already disclosed by individuals or otherwise lawfully disclosed, within a reasonable scope in accordance with the PIPL.
  • Other circumstances as required by laws.

Under the PIPL, the definition of consent provides that it must be freely given, informed, demonstrated by a clear action of the individual, and may later be withdrawn (Articles 14 & 15). It aligns with the GDPR with its strict consent requirements. 

But, there is a separate consent under the PIPL for certain processing activities, that is:

  • (i) shares personal information with other processing entities; 
  • (ii) publicly discloses personal information;
  • (iii) processes sensitive personal information; or
  • (iv) transfers personal information overseas (Articles 23, 25, 29 and 39). 

Personal information protection impact assessment

Furthermore, the Personal Information Protection Law in China also requires personal information processing organizations to carry out prior personal information protection impact assessments and for at least three years, retain the processing records for the processing activities below:

  • Processing of sensitive personal information.
  • Processing of personal information for automated decision-making.
  • Entrusting vendors to process personal information, sharing personal information with other processing entities or publicly disclosing personal information.
  • Transferring personal information overseas.
  • Other personal information processing activities that may have significant impacts on the rights and interests of individuals.

Also Read:China’s IT Ministry Takes Sina Weibo To Task Over 538-Million User Data Leak

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us