Exploring the Legitimate Basis and Applicability of Personal Information Protection Law

Article 13 of the Personal Information Protection Law (PIPL) sets out six specific legal bases for the processing of personal information (its seventh item is a catch-all for other circumstances provided by laws and administrative regulations):

1. Obtaining the consent of the individual;

2. Necessary for the conclusion or performance of a contract to which the individual is a party, or necessary for human resource management carried out in accordance with lawfully established labor rules and lawfully concluded collective contracts;

3. Necessary for the fulfilment of legal duties or obligations;

4. Necessary to respond to sudden public health incidents, or in emergencies to protect the life, health, and property safety of natural persons;

5. For public interest actions such as news reporting and public opinion supervision, within a reasonable range of personal information processing;

6. Processing, within a reasonable scope and in accordance with this law, personal information that the individual has disclosed on their own or that has otherwise already been lawfully disclosed.

The PIPL will soon come into effect, but how it applies to complex business scenarios remains largely unknown. The criteria for deciding when each legal basis applies will have to be refined and summarized over time in judicial and compliance practice. In the laws and regulations that preceded the PIPL, the legal basis for personal information processing was often unclear. How to apply the PIPL to protect personal information rights, how to reconcile superior laws with special laws, how to bridge old and new laws and regulations, and even how to handle competing regulatory interests among different departments, are all issues that need to be considered. This article raises some of these questions and makes a first attempt at exploring the criteria for applying the different legal bases and the relationships between them.

There are many difficult questions to answer. This article first focuses on the following questions:

• Why choose the appropriate legal basis?

• How to choose the right legal basis?

• Can legal bases be applied simultaneously?

1. Why choose the appropriate legal basis?

As is well known, the PIPL has borrowed heavily from the GDPR, both in structure and in individual articles. Setting aside legitimate interest, which the PIPL does not adopt, the GDPR provides data controllers with a similar set of legal bases (or legal justifications) for processing personal data. Under the GDPR, choosing the appropriate legal basis for data processing is very important:

Firstly, a given personal data processing activity can have only one legal basis, and it must be determined before the processing begins. Data controllers cannot establish a legal basis after the fact, nor can they switch between legal bases while the processing is under way.

Secondly, whichever legal basis is chosen, data controllers must be able to present to data subjects and regulatory authorities, at any time, the reasoning and records behind their decision to rely on that basis. For example, they should be able to show when and how the data subject consented, or why the processing is necessary to perform the contract.

Thirdly, the legal basis significantly shapes how data controllers respond to data subject rights requests, because each legal basis comes with its own conditions of application, exceptions, and restrictions. The choice of legal basis depends on the purpose of the processing, the type of data, and the relationship between the data controller and the data subject. Choosing the wrong legal basis may result in unlawful processing, an inability to respond to data subject rights requests, and inadequate organizational and technical controls over the processing, all of which affect the fundamental rights and freedoms of individuals.

Therefore, the importance of choosing the appropriate legal basis under our PIPL is self-evident. Personal information processors should determine the legal basis before processing begins, or map out the legal basis of each existing business activity. Relying on the wrong legal basis raises, first, a question of lawfulness, and second, the risk that the processor cannot satisfy the conditions that apply to the basis it has chosen.

For example, suppose processing that is in fact necessary for performing a contract is wrongly based on consent. When the individual later withdraws that consent, the processor cannot honour the withdrawal, because the contract cannot be performed without the data. Moreover, where processing is based on consent, the processor must comply with additional legal obligations in the scenarios where the law requires separate consent. It is therefore extremely important to clarify the legal basis to be relied upon before processing personal information.

2. How to Choose the Appropriate Legal Basis?

Article 5(1)(a) of the GDPR stipulates that personal data shall be processed lawfully, fairly, and transparently. These principles govern not only the processing itself but also the selection and application of the legal basis. Following them means recognizing the reasonable expectations of the data subject, considering the adverse consequences the processing may have on the individual's rights and interests, and taking into account the relationship between the data subject and the data controller and any imbalance of power between them.

According to the UK Information Commissioner's Office (ICO) guidance on lawful bases, the appropriate legal basis depends on the specific purpose of the processing and the context in which it takes place. Many factors need to be considered, such as:

– Who benefits from the personal data processing?

– Can the individual anticipate the processing of personal data?

– What is the relationship between the data controller and the individual? Is the individual in a disadvantaged position?

– What impact does data processing have on individual rights?

– Can the data controller stop processing at the request of the individual?

Additionally, according to the EDPB's Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects, the following questions should be answered when determining whether processing is "necessary for the performance of a contract to which the data subject is party":

– What is the nature of the service provided to the data subject? What are its significant features?

– What exactly is the contract based on (i.e., its substance and basic objective)?

– What are the basic elements of the contract?

– What are the attitudes and expectations of the parties to the contract concerning its fulfillment? How does the data controller promote or advertise its services to the data subject? Given the nature of the services provided, can the average user reasonably expect data processing in order to fulfill the contract?

China's PIPL likewise adopts the principles of lawfulness, fairness, and transparency:

Article 5: The processing of personal information shall follow the principles of legality, legitimacy, necessity, and good faith, and personal information shall not be processed by means of deception, fraud, coercion, etc. 

Article 7: The processing of personal information shall follow the principles of openness and transparency, disclose the rules of personal information processing, and explicitly state the purpose, method, and scope of processing.

This article argues that all of the factors and questions above can be borrowed when choosing the applicable legal basis under the PIPL.

In deciding whether to adopt “consent” as a legal basis, at least the following questions should be considered:

– Can consent be given voluntarily and explicitly, with the individual fully informed?

– In cases where the law or administrative regulations stipulate that personal information should be processed with the individual’s separate or written consent, can separate consent be obtained, for example, for processing sensitive personal information?

– When the purpose of personal information processing, processing methods, and types of personal information processed change, can consent be re-obtained?

– If an individual revokes their consent, can the revocation and deletion requests be fulfilled?

In deciding whether to adopt “necessary for the conclusion or performance of a contract” as a legal basis, at least the following questions should be considered:

– Is the individual a party to the contract?

– What are the main content and purpose of the contract?

– Is the business scenario involved in the contract special?

– Are the types of personal information involved in processing or the processing methods necessary?

– Does the processing of personal information serve the contract itself or the business model?

– What are the general expectations of individuals regarding the processing of personal information necessary for the performance of the contract?

In practice, the personal information processing (or processing methods) necessary for performance varies with the type of contract, the business scenario, and the technical level involved. It is worth noting that the validity of the contract also needs to be considered.

When determining whether the processing of employee personal information meets the “necessary for human resource management” criterion, the following questions should be answered first:

– Is the processing of employee personal information related to the vital interests of the workers?

– Have labor rules and regulations been discussed by the workers’ representative assembly or all workers?

– Have labor rules and regulations been publicized or informed to employees?

– Have collective contracts been discussed by the workers’ representative assembly or all workers?

Further, in judging what is necessary for human resource management, the level of information security management required for different types of positions, as well as industry regulatory requirements for special industries and senior positions, must also be taken into account. Special attention should be paid to the unequal relationship between employers and employees, so as to avoid processing employee personal information on the basis of consent. The company's legal obligations, such as paying social insurance for employees or fulfilling network security obligations under the Cybersecurity Law, should also be considered.

3. Can Different Legal Bases be Applied Simultaneously?

As mentioned earlier, determining the legal basis before processing personal information is extremely important. So, can a single personal information processing activity be based on two or more legal bases?

Before the PIPL was enacted, such ambiguity did exist in the laws and regulations. For example:

Article 29 of the Regulations on the Administration of the Credit Reporting Industry stipulates that institutions engaged in credit business shall provide credit information to the financial credit information basic database as required. Institutions engaged in credit business that provide credit information to the financial credit information basic database or to other entities shall obtain the prior written consent of the information subject, and the provisions of the Regulations concerning information providers apply to them.

The question here is whether the legal basis for an institution engaged in credit business to provide credit information to the financial credit information basic database is a legal obligation or the consent of the information subject.

The state established the financial credit information basic database to provide information services for preventing financial risks and promoting the development of the financial industry; it is national financial infrastructure built to serve the public interest. That institutions engaged in credit business must provide credit information to this database is a legal obligation explicitly stipulated in the Regulations on the Administration of the Credit Reporting Industry. However, paragraph 2 of Article 29 should be interpreted carefully in conjunction with the PIPL.

Under Article 29, a bank that engages in credit business and signs loan contracts with individuals is required, as a legal obligation, to report individuals' credit records to the financial credit information basic database, and must obtain the individual's written consent before doing so. However, the consent here does not have the character of "consent" under the PIPL, which must be fully informed and voluntary. If an individual refuses to sign the written consent form, it is clear that they cannot obtain the loan. And even if the consent was given voluntarily, once signed it cannot be withdrawn before the loan contract has been performed. It follows that in this scenario the only real legal basis is "legal obligation".

By contrast, institutions engaged in credit business that provide credit information to other entities must obtain the prior written consent of the information subject in accordance with the PIPL, because the processing necessary for ordinary performance of a loan contract does not include providing credit information to other entities.

Therefore, this article takes the view that, in general, other legal bases cannot be relied upon simultaneously with "consent" for the same processing activity. "Legal obligation" may, however, overlap with "necessary for the performance of a contract". For example, a non-bank payment institution may need to process personal information that is necessary for a contract while at the same time being obliged to process it in order to comply with anti-money laundering regulations.

This article has not analyzed in detail the criteria for applying every legal basis. The author will explore these questions step by step in subsequent articles.

The author expresses special thanks to the senior colleagues who discussed the issues with me.

Original: Data Compliance & Governance

Date: October 18, 2021, 15:00

Keywords: #PersonalInformation #Legalbasis #Applicability