Key points of personal information protection impact

By Bai Yusi, W&H Law Firm

The Personal Information Protection Law (PIPL), China’s first specialised legislation on personal information protection, came into effect on 1 November 2021, marking the beginning of a new era of comprehensive legal protection for personal information in the country. Since its implementation, China has gradually improved its supporting systems for personal information protection, establishing a fundamental framework. Among these, the personal information protection impact assessment system has emerged as a critical component.

The connotation and value of the personal information protection impact assessment system. China’s personal information protection impact assessment system is rooted in the concept of risk prevention. It mandates that personal information processors conduct assessments before engaging in high-risk personal information processing activities.


These assessments evaluate the purpose of processing, as well as the legitimacy, legality and necessity of the processing parties, while identifying potential significant impacts on individual rights. The system also requires monitoring and verifying whether the protective measures adopted are lawful, effective and proportionate to the level of risk.

Through pre-assessment, processors can identify, intervene in and mitigate risks in advance, dynamically respond to changes in risk, and determine whether to proceed with the processing activity based on the assessment report. This enables them to implement targeted control measures promptly, ensuring the activity is carried out in a compliant and secure manner.

This early intervention assessment mechanism integrates personal information protection into the project design phase, embedding it within the systems, operations and technical solutions of personal information processors. This approach not only ensures comprehensive and effective protection of personal information rights, but also helps processors control risks within manageable limits, thereby reducing potential post-incident losses and improving cost efficiency.

Beyond its risk prevention value, conducting and documenting pre-assessments of high-risk personal information processing activities can serve as evidence that processors have implemented appropriate control measures in compliance with laws and regulations. This helps regulate processor behaviour and safeguard their legitimate rights and interests in the event of disputes.

Furthermore, in cases of personal information breaches or other security incidents, the assessment records can assist processors in investigating, analysing and tracing the causes while reducing the likelihood of similar risks recurring.

Obligation to conduct personal information protection impact assessments. The PIPL explicitly outlines the circumstances under which personal information processors must conduct impact assessments. These include processing sensitive personal information, using personal information for automated decision-making, entrusting others to process personal information, providing or disclosing personal information to other processors, transferring personal information overseas, and other activities that may significantly affect individual rights. Whenever these legally prescribed scenarios arise, processors are obligated to perform and document such assessments as a statutory duty.

In practice, some processors have undertaken these assessments and achieved positive outcomes. However, many still fail to meet compliance requirements due to a lack of understanding of the purpose and value of impact assessments, or uncertainty about how to conduct them.

Additionally, as processors’ operations evolve, personal information processing activities often undergo continual and dynamic changes. Therefore, fulfilling the obligation to conduct impact assessments is not a one-time task, but requires the establishment of a long-term, ongoing, flexible and adaptive assessment mechanism.

Key points of personal information protection impact assessments. Risk identification is central to impact assessment activities. Risks in personal information processing may stem from the processor’s internal vulnerabilities or external threats.

Examples include: processing sensitive personal information without a specific purpose or sufficient necessity; failing to adhere to the principle of informed consent; sharing data with third parties without explicit consent from the data subject; collecting information beyond the required scope; storing information beyond the necessary period; lacking robust deletion mechanisms; insufficient transparency in automated decision-making; and issues such as misuse, leakage or tampering of information.

Personal information processors must thoroughly analyse potential risks, then design and implement effective controls to mitigate them. Additionally, personal information protection requirements should be embedded into the measures adopted during the project design phase to ensure processing activities comply with legal and regulatory standards.

The objective of personal information protection impact assessments is to implement effective risk responses. Based on assessment results and their risk tolerance levels, personal information processors should adopt appropriate risk response measures.

These may include: refraining from processing certain types of information; explicitly informing users of processing rules in privacy policies or user agreements and obtaining their consent; strictly limiting data storage periods and ensuring secure destruction; establishing robust deletion mechanisms; encrypting data transmission; anonymising or de-identifying information; and standardising identity verification and access controls.

The PIPL mandates that processors maintain records of their assessments. Assessment reports must include key details such as the personnel involved, scope of application, assessment subjects, scale, methods, relevant stakeholders, risk analysis results, risk response plans, and the implementation status of these plans.

In summary, personal information protection impact assessments play a critical role in the legal framework for personal information protection. Their function and value are significant in helping processors fulfil data security and compliance obligations. These assessments serve a preventive purpose, minimising risks for processors and effectively safeguarding personal information rights.


Bai Yusi is a partner at W&H Law Firm. She can be contacted at +86 133 0111 0217 or by e-mail at baiyusi@weihenglaw.com
