CHINA Law and Practice Contributed by: James Hu, Yingjie Kang, Huihui Li, Sherry Xu, Bivio Yu and Lisa Zhao, Fangda Partners
Penalties and Enforcement of Violation Violation of the CSL, DSL or PIPL will result in criminal, administrative and civil penalties. In particular, data handlers found to be in serious breach of the PIPL may be imposed fines of up to 5% of a company’s rev - enue during the preceding year or CNY50 million. The regulators also have the power to suspend or termi - nate any mobile app or online service that illegally pro - cesses personal data. Those who are responsible for causing the violation may be disqualified from being directors, supervisors, general managers or personal data protection officers. Multiple Chinese regulators have been actively enforc - ing the data protection laws and their implementation measures. Among others, the enforcement against illegal processing of personal data by mobile applica - tions, mini-apps on WeChat and Alipay, and third-par - ty SDKs deployed in mobile applications has been a continuous and routine broad-sweeping law enforce - ment campaign. In addition, data breaches can trigger regulators’ scrutiny and inspection of the companies’ compliance with relevant data protection laws. Privacy litigation has been on the rise in China, which may continue to be the case – particularly with PIPL lowering the bar for data subjects to bring claims against companies by shifting the burden of proof to defendant companies. In addition, procuratorial organs, as authorised by the PIPL, can also actively bring up public interest litigation on personal informa - tion.
Cross-Border Data Flows, establish the integrated regulatory framework on cross-border data transfer (CBDT). Specifically, in addition to other CBDT compliance requirements under the PIPL (such as engaging in personal information protection impact assessment), companies need to rely on any of the following pre - requisites when transferring personal data outside of China: • passing the security assessment for CBDT organ - ised by the CAC (Security Assessment); • obtaining a certification on personal data protec - tion issued by a licensed agency; • concluding an agreement with the overseas recipi - ent using the China SCC and filing such agreement with the provincial CAC; • where the CBDT of personal data is necessary to conclude or perform a contract to which the indi - vidual is a party; • where the CBDT of employees’ personal data is necessary for human resources management in accordance with the employment rules and regula - tions developed in accordance with the law and collective contracts concluded in accordance with the law; • where the CBDT of personal data is necessary to perform statutory duties or fulfil statutory obliga - tions; • where the CBDT of personal data is necessary to protect the life, health and property security of a natural person in an emergency; • where a data handler who is not a Critical Informa - tion Infrastructure Operator transfers the personal data (excluding sensitive personal data) of fewer than 100,000 individuals overseas as of January 1 of the current year; or • where the CBDT of personal data falls outside the scope of the negative list to be formulated by and applicable limited to the free trade zones. In any event, a company shall pass the Security Assessment before transferring important data out - side of China.
147 CHAMBERS.COM
Powered by FlippingBook