Sensitive Information

Obligations under the Personal Information Protection Law

The public consultation period for the second version of the draft Personal Information Protection Law (PIPL or the Draft) is now closed. With personal information increasingly a hot-button topic globally amid cybersecurity investigations into popular apps’ illegal collection and use of users’ personal information, all eyes are fixed on the upcoming third (and final) draft, which will govern the personal data of China’s 989 million internet users. Shane Farrelly and Divya Hazra of D’Andrea & Partners Legal Counsel examine how the draft (and the eventual final version of the legislation) balances the protection of users’ personal information with an ever-changing digital landscape and the collection and usage of the “new gold”, as companies’ futures will depend on using data effectively.

China’s thorough and ever-evolving data protection framework

Over the past decade, China’s legislation on personal information protection has undergone a myriad of updates, whether through smaller pieces of legislation or as components of other national legislation, as seen in the two revisions to the Advertising Law in 2015 and 2018, the 2016 Cyber Security Law, the 2017 General Rules of Civil Law, the 2019 E-commerce Law and, of course, the ‘Civil Code’ promulgated in 2020 (effective in 2021).

A recent reminder of the changing agenda of the Chinese authorities in the area of personal information protection came in the form of the allegations levelled at DiDi Chuxing of illegally collecting users’ personal data. On 4th July 2021, the Cyberspace Administration of China (CAC) ordered app stores to suspend downloads of the popular ride-hailing app while DiDi made changes in order to comply with Chinese data protection rules.

Therefore, alongside the release of the first two iterations of the Draft PIPL this year, the Chinese legislature and regulators have deliberated at length on how personal information is utilised and protected within the jurisdiction.

Sensitive information and how it should be protected
The latest Draft still carries forward the spirit of the previous versions in providing a checks-and-balances approach for both domestic and foreign Internet giants, and strengthening supervision over the usage and processing of users’ personal information.

In terms of definitions, Article 29 of the Draft Law clearly distinguishes general personal information from sensitive personal information, the latter being defined as information that, if leaked or illegally used, may cause discrimination against individuals or grave harm to personal or property security. Information covered may include data on race, ethnicity, religious beliefs, individual biometric features, medical health, financial accounts and individual location tracking, among others. In simple terms, a vast array of private and intimate information with the potential to damage someone’s livelihood and identity if utilised improperly will fall under this more specific categorisation.

An initial reading shows that this definition is broader in certain areas than that of the European Union’s (EU’s) comprehensive General Data Protection Regulation (GDPR) (the data protection and privacy behemoth within the EU’s legal system), as it extends to financial and location-based information. However, notable exclusions at the current drafting stage include personal information regarding trade union membership, political opinions, genetic data and sexual orientation.

All in all, a higher level of scrutiny and protection is afforded to information deemed sensitive under the abovementioned definition. In the draft PIPL, personal data holders/processors have to justify “a specific purpose and sufficient necessity” prior to collecting sensitive personal information, and must obtain separate written consent from users before processing of sensitive personal information is allowed.

This is of course in stark contrast to PIPL provisions on general personal information, which in certain circumstances—such as relating to public interest, contract performance or situations involving public health—allow for the handling of personal information of data subjects without any consent whatsoever.

Therefore, we can see that personal information handlers will have to take careful and detailed measures to ensure compliance with the PIPL in relation to data deemed sensitive.

Protection of the personal information of minors
Prior to the release of the Draft, the CAC had already issued legislation dedicated to protecting child privacy online with the Regulation on Protection of Children’s Personal Information Online (PCPIO) promulgated on 1st October 2019.

Under the PCPIO, personal information handlers that collect, store, use, transfer or disclose the personal information of children under the age of 14 within the territory of the PRC must obtain prior parental or guardian consent. This requirement is accompanied by the guardian’s option to refuse and by an obligation to disclose, among other things, the means, safeguards, locations, purposes, reporting mechanisms and retention periods connected to the data obtained.

The first draft of the PIPL went a step further regarding the responsibility placed on personal information handlers: the then draft Article 15 provided that, regardless of whether the data processor knows or should know that it processes personal information of an individual under 14 years old, it must obtain the consent of the minor’s parents or other guardian. However, the second draft reverted to the initial standard set out in the PCPIO, so we’ll have to await the outcome of the public call for comments and its effect on the final form of this provision in the soon-to-be promulgated PIPL.

Concluding thoughts
As the legal landscape relating to data in China (and extra-territorially) enters a watershed moment, the future provision of personal information stored within the Middle Kingdom for a variety of different purposes will see a dramatic shift for both domestic and foreign entities.

Compliance, and indeed the utilisation of such personal information, will require a new level of engagement by businesses, not only with the cyberspace authorities but also through initial security assessments, approvals and supervision to be undertaken throughout a company’s data-processing activities.

Under the PIPL, internet giants—the larger personal information handlers with complex business models—may have to bear more onerous obligations on their activities moving forward, such as establishing an independent supervisory body to monitor PIPL compliance, ceasing services to products or service providers on their platform that seriously violate laws or administrative regulations in handling personal information, and compiling personal information protection social responsibility reports.

Personal information handlers, whether large or small, should therefore be aware of the consequences of violating PIPL provisions or of failing to adopt adequate compliance measures. These may include fines of up to Chinese yuan (CNY) 50 million or up to five per cent of annual turnover in grave circumstances (comparable to penalties found in the GDPR), suspension of related business activities, cessation of business for rectification, and the cancellation of licences/business permits.

The grand concept of course is a more ironclad form of protection for one of the most valuable assets of the Digital Age – data. As numerous questions remain open at the draft stage of the PIPL, we await further clarifications in the coming months as to the future of data processing for the world’s largest internet population.

D’Andrea & Partners Legal Counsel (DP Group) was founded in 2013 by Carlo Diego D’Andrea and Matteo Hanbin Zhi, both of whom have extensive backgrounds in Chinese and EU law. DP Group currently has four service entities: D’Andrea & Partners Legal Counsel; PHC Tax & Accounting Advisory; EASTANT Communication and Events; and Chance & Better Education Consulting. DP Group has branches around the world, with locations in several major developing economies.