Personal Information Protection Law

CONTENTS

Chapter I: General Provisions

Chapter II: Rules for Handling Personal Information

Section 1: General Rules

Section 2: Rules for Processing Sensitive Personal Information

Section 3: Special Provisions on the Processing of Personal Information by State Organs

Chapter III: Rules for Cross-border Provision of Personal Information

Chapter IV: Rights of Individuals in Personal Information Processing Activities

Chapter V: Obligations of Personal Information Handlers

Chapter VI: Departments Performing Personal Information Protection Duties

Chapter VII: Legal Responsibility

Chapter VIII: Supplementary Provisions

Chapter I: General Provisions

Article 1: This Law is drafted on the basis of the Constitution to protect rights and interests in personal information, to regulate activities handling personal information, and to promote the reasonable use of personal information.

Article 2: The personal information of natural persons is protected by law, and natural persons' rights and interests in personal information must not be infringed upon by any organization or individual.

Article 3: This law applies to activities of handling the personal information of natural persons within the [mainland] territory of the People's Republic of China.

This law is also applicable to activities outside the mainland PRC [“overseas“--ed.] that handle the personal information of natural persons within the territory of the PRC, in any of the following circumstances:

(1) for the purpose of providing products or services to natural persons within the territory;

(2) to analyze and assess the conduct of natural persons within the territory;

(3) Other situations provided for by law or administrative regulations.

Article 4: Personal information is any type of information that identifies or can identify natural persons recorded electronically or by other means, but does not include anonymized information.

Handling of personal information includes the collection, storage, use, processing, transmission, provision, disclosure, deletion etc., of personal information.

Article 5: Handling of personal information shall respect the principles of legality, propriety, necessity, and creditworthiness, and methods such as misdirection, fraud, or coercion must not be used in handling personal information.

Article 6: The handling of personal information shall have a clear and reasonable purpose, shall be directly related to that purpose, and employ the means with the smallest impact on individuals' rights and interests.

The collection of personal information shall be limited to the smallest scope for realizing the purpose of handling, and excessive personal information must not be collected.

Article 7: The handling of personal information shall comply with the principles of openness and transparency, disclosing rules for handling personal information, clarifying the purposes, methods, and scope of handling.

Article 8: The handling of personal information shall ensure the quality of the personal information to avoid causing a negative impact on individuals' rights and interests due to inaccurate or incomplete personal information.

Article 9: Personal information handlers shall be responsible for their personal information handling activities and employ necessary measures to ensure the security of the handled personal information.

Article 10: Organizations and individuals must not unlawfully collect, use, process, or transfer the personal information of others; must not unlawfully buy, sell, provide or disclose others' personal information; and must not engage in personal information handling activities that endanger national security or the public interest.

Article 11: The state is to establish and complete personal information protection systems to prevent and punish acts that infringe on rights and interests in personal information, to strengthen publicity and education on personal information protection, and to promote the formation of a positive environment for governments, enterprises, relevant social organizations, and the public to participate in the protection of personal information.

Article 12: The state is to actively participate in the formulation of international rules for protecting personal information, promote international exchanges and cooperation on personal information protection, and promote mutual recognition of rules and standards for the protection of personal information with other countries, regions, and international organizations.

Chapter II: Rules for Handling Personal Information

Section 1: Ordinary Provisions

Article 13: Personal information handlers can only handle personal information where one of the following circumstances is met:

(1) The individual's consent is obtained;

(2) As necessary to conclude or perform on a contract to which the individual is a party, or as necessary for carrying out human resource management in accordance with lawfully formulated labor rules systems and lawfully concluded collective contracts;

(3) As necessary for the performance of legally-prescribed duties or obligations;

(4) As necessary to respond to public health incidents or to protect natural persons' security in their lives, health, and property in an emergency;

(5) Handling personal information within a reasonable range in order to carry out acts such as news reporting and public opinion oversight in the public interest;

(6) For a reasonable scope of handling of personal information that has been disclosed by the individual or otherwise already legally disclosed in accordance with this Law;

(7) Other situations provided by laws or administrative regulations.

Where the handling of personal information shall be upon obtaining the individual's consent in accordance with other provisions of this Law, but there are circumstances provided for in items 2-7 of the preceding paragraph, the individual's consent is not required to be obtained.

Article 14: Where the handling of personal information is based on individuals' consent, that consent shall be given voluntarily and explicitly by individuals who are fully informed. Where laws and administrative regulations provide that independent or written consent shall be obtained for the handling of personal information, follow those provisions.

Where there are changes to the purpose or methods for handling information, or to the type of personal information to be handled, the individual's consent shall be newly obtained.

Article 15: Where the handling of personal information is based on individuals' consent, individuals have the right to withdraw their consent. Those handling personal information shall provide convenient and easy methods for withdrawing consent.

Individuals' withdrawal of consent does not impact the validity of personal information handling activities conducted before the consent was withdrawn.

Article 16: Those handling personal information must not refuse to provide products or services on the grounds that individuals do not consent to the handling of their personal information or withdraw their consent; except where handling personal information is necessary to provide the products or services.

Article 17: Before handling personal information, personal information handlers shall truthfully, accurately, and completely notify individuals of the following matters in a conspicuous fashion and in clear and understandable language:

(1) The organizational or personal name of the personal information handlers;

(2) The purposes of handling the personal information, the methods of handling, and the type of personal information handled, and period it will be stored;

(3) the manner and procedures by which individuals are to exercise their rights under this Law;

(4) Other matters that laws and administrative regulations provide shall be announced.

Where there are changes in the matters provided for in the preceding paragraph, the individuals shall be notified of the parts changed.

Where personal information handlers give notice of the matters provided for in the first paragraph of this article by formulating rules for handling personal information, the rules shall be made public and easy to read and save.

Article 18: When personal information handlers handle personal information, where there are circumstances that laws and administrative regulations provide shall be kept confidential or need not be announced, it is acceptable to not notify the individual of the matters provided in the first paragraph of preceding article.

In an emergency situation, where it is impossible to notify individuals in time to protect the security of natural persons' lives, health, and property, the personal information handlers shall promptly notify the individual after the emergency is eliminated.

Article 19: The period for retaining personal information shall be the shortest time necessary to achieve the purposes of handling except as otherwise provided by laws and regulations.

Article 20: Where two or more personal information handlers jointly decide on the purpose and method of handling personal information, they shall make an agreement on their respective rights and obligations. However, this agreement does not affect an individual's request to any of the personal information handlers to exercise the rights provided for in this Law.

Where personal information handlers jointly handle personal information and infringe on rights and interests in personal information and cause harm, they shall bear joint liability in accordance with law.

Article 21: Where personal information handlers entrust the handling of personal information, they shall make an agreement with the entrusted persons on the purposes and methods for the entrusted handling, the types of personal information to be handled, protection measures, and the rights and obligations of both parties, and oversee the entrusted persons personal information handling activities.

The entrusted persons shall handle personal information in accordance with agreements and must not exceed the purpose or methods of handling in the agreements to handle personal information; where the contract for the entrustment is not effective, is void, is withdrawn, or is concluded, the entrusted persons shall return the personal information to the personal information handler or delete it, and must not store it.

Without the consent of the personal information handlers, the entrusted persons must not entrust others to handle personal information.

Article 22: Where as a result of mergers, divisions, disbandment, declarations of bankruptcy and so forth, personal information handlers need to transfer personal information, they shall notify the individuals of the organizational or personal name and contact information of the party receiving it. The recipient party shall continue to perform the obligations of the personal information handler. Where the recipient changes the purpose of the original handling or the methods of handling, they shall newly obtain the individuals' consent in accordance with this Law.

Article 23: Where personal information handlers provide the personal information they are handling to other personal information handlers, they shall notify the individuals of the organizational or personal name and contact information of the recipient, the purposes of the handling, methods of handling, and the types of personal information, and are to obtain the independent consent of the individuals. The party receiving the personal information shall handle the personal information within the scope of the purposes and methods, and types of personal information provided above. Where the recipient changes the purpose of the original handling or the methods of handling, they shall newly obtain the individuals' consent in accordance with this Law.

Article 24: personal information handlers using personal information to conduct automated decision-making shall ensure the transparency of the decision-making and that the results are fair and equitable, they must not implement unreasonable differential treatment of individuals in transaction conditions such as price.

Where information pushing and commercial marketing are conducted through automated decision-making, individuals shall also be provided with options that do not target specific personal characteristics or with convenient means of refusing.

Where decisions with a major impact on individuals' rights and interests are made through automated decision-making, the individuals have the right to request that personal information handlers explain it and have the right to refuse to have the personal information handler's making decisions solely through automated decision-making.

Article 25: Personal information handlers must not disclose the personal information they handle; unless they have obtained independent consent or as otherwise provided for by laws and administrative regulations.

Article 26: The installation of image acquisition and personal identification equipment in public places shall be as necessary to preserve public safety, and shall comply with relevant national regulations, and have prominent alerts in place. The collected personal images and identification information can only be used for the purpose of preserving public safety, and must not be used for other purposes unless the individual's independent consent is obtained.

Article 27: Personal information handlers may handle personal information that has been disclosed by the individual or otherwise already legally disclosed within a reasonable scope; except where the individual explicitly refuses. Where personal information handlers use the already disclosed personal information for activities that have a significant impact on the individuals' rights and interests, their consent shall be obtained as provided in this Law.

Section 2: Rules for Handling Sensitive Personal Information

Article 28: Sensitive personal information is personal information that once leaked or illegally used can easily cause natural persons to suffer encroachments on their dignity or harms to their persons or property; including information such as on biometric identifiers, religious faith, particular identities, medical care and health, financial status, and location tracking, as well as the personal information of minors under the age of 14.

Personal information handlers may only handle sensitive personal information for specified purposes and when fully necessary, and where employing strict protective measures.

Article 29: Personal information handlers that are handling sensitive personal information shall obtain the independent consent of individuals, and where laws and administrative regulations provide that written consent shall be obtained for the handling of sensitive personal information, follow those provisions.

Article 30: When handling sensitive personal information, personal information handlers shall, in addition to the matters specified in Article 17 of this Law, also notify individuals of the necessity of handling the sensitive personal information and the impact on the individuals' rights and interests, except where this Law provides that that notice needn't be given to individuals.

Article 31: Those handling the personal information of minors under the age of 14 online shall obtain the consent of the minors' parents or other guardians.

Those handling the personal information of minors under the age of 14 online shall draft special rules for the handling of personal information.

Article 32: Where laws and administrative regulations provide that those handling sensitive personal information shall obtain related administrative licenses or impose other restrictions, follow those provisions.

Section 3: Special Provisions on the Processing of Personal Information by State Organs

Article 33: This law applies to the handling of personal information by state organs; and where there are special provisions in this section, the provisions of this section apply.

Article 34: State organs handling personal information in order to perform their legally-prescribed duties shall do so in accordance with the authority and procedures provided by laws and administrative regulations, and must not exceed the scope and limits necessary for performing their legally-prescribed duties.

Article 35: State organs handling personal information in order to perform their legally-prescribed duties shall perform their obligations of notification, except in the circumstances provided in the first paragraph of article 18 or where giving notice would impede the performance of the state organs' legally-prescribed duties.

Article 36: Personal information handled by state organs shall be stored within the territory of the People's Republic of China; and where it is truly necessary to provide it overseas, a security assessment shall be conducted. Support and assistance may be requested from relevant departments for security assessments.

Article 37: The provisions of this Law on state organs' handling of personal information apply to the handling of personal information by organizations authorized by laws or regulations to have public affairs management duties in order to perform their legally-prescribed duties.

Chapter III: Rules for Cross-border Provision of Personal Information

Article 38: Where personal information handlers truly need to provide personal information overseas due to business requirements, they shall possess one of the following requirements:

(1) passing a safety assessment organized by the state internet information departments in accordance with the provisions of Article 40 of this Law;

(2) Having a professional body conduct personal information protection certification in accordance with provisions of the State Internet Information Departments;

(3) Contracts concluded with the overseas recipient parties in accordance with standard contract drafted by the state internet information departments agree upon the rights and obligations of both parties,

(4) Other conditions provided for by laws, administrative regulations, or provisions of the state internet information department.

Where the international treaties and agreements concluded by or participated in by the PRC have requirements for the provision of personal information overseas and so forth, those provisions may be implemented.

Personal information handlers shall employ necessary measures to ensure that the overseas recipients' activities handling personal information meet the protection standards provided for personal information provided for in this Law.

Article 39:Where personal information handlers provide personal information overseas, they shall notify the individuals of matters such as the organizational or personal name and contact methods of the overseas recipient, the purposes and methods of the handling, the types of personal information to be handled, and the methods and procedures for individuals to exercise the rights provided for in this Law, and obtain the individuals' independent consent.

Article 40: Critical information infrastructure operators and personal information handlers that handle personal information at the volume provided for by the state internet information departments shall store the personal information they collect or generate within the territory of the People's Republic of China. Where it is truly necessary to provide it overseas, it shall pass a security assessment organized by the state internet information department; but where laws, administrative regulations, and provisions of the state internet information department provide that it is acceptable to not conduct a security assessment, follow those provisions.

Article 41: The competent organs of the PRC are to handle requests for the provision of domestically-stored personal information from foreign justice or law enforcement based on relevant laws and international treaties and agreements concluded or participated in by the PRC, or in accordance with the principle of reciprocity. Those handling personal information must not provide personal information stored within the PRC to foreign justice or law enforcement bodies without the permission of the competent organs of the PRC.

Article 42: Where organizations or individuals outside the [mainland] PRC engage in personal information handling activities that harm PRC citizens' rights and interests in personal information or endanger the PRC's national security or public interest, the state internet information departments may enter them on the list of those restricted or limited in provision of personal information, make a public announcement, and employ measures to restrict or stop the provision of personal information to them.

Article 43: Where any country or region adopts discriminatory prohibitions, restrictions, or other similar measures against the PRC in terms of personal information protection, the PRC may employ equal measures against that country or region based on the actual conditions.

Chapter IV: Rights of Individuals in Personal Information Processing Activities

Article 44: Individuals enjoy the right to know and make decisions about the handling of their personal information, and have the right to limit or refuse the handling of their personal information by others, except as otherwise provided by laws and administrative regulations.

Article 45: Individuals have the right to access and reproduce their personal information from personal information handlers, except in the circumstances provided for in the first paragraph of Article 18 and in article 35 of this Law.

Where individuals request to access or reproduce their personal information, the personal information handlers shall provide it in a timely manner.

Where individuals request that personal information be transferred to personal information handlers that they designate, and it meets the conditions provided for by the state internet information departments, the personal information handlers shall provide channels for the transfer.

Article 46: Where individuals discover that their personal information is inaccurate or incomplete, they have the right to request that the personal information handler correct or supplement it.

Where individuals request correction or supplementation of their personal information, the personal information handler shall verify their personal information and make corrections and supplements in a timely manner.

Article 47:In any of the following circumstances, personal information handlers shall proactively delete personal information, and where personal information handlers fail to delete it, the individuals have the right to request its deletion:

(1) The purpose of the handling has already been realized, is unable to be realized, or handling is no longer necessary for the realization of the purpose of handling;

(2) The personal information handler stops providing products or services, or the period for retention is complete;

(3) The individual withdraws consent;

(4) The personal information handler violates laws, administrative regulations, or agreements in the handling of personal information;

(5) Other situations provided by laws or administrative regulations.

Where the retention period provided for by laws and administrative regulations is not yet complete or it is technically difficult to delete personal information, the personal information handlers shall stop handling other than storage and employing security protection measures.

Article 48: Individuals have the right to request that personal information processors explain their personal information processing rules.

Article 49: Where natural persons have died, their close relatives may exercise the rights provided in this law such as to access, reproduction, modification, and deletion of the deceased's personal information in order to protect their own lawful and legitimate interests; except as otherwise arranged by the deceased during their lifetime.

Article 50: Personal information handlers shall establish convenient mechanisms for accepting and addressing requests from individuals to exercise their rights. Where an individual's request to exercise their rights is rejected, the reasons shall be explained.

Where personal information handlers refuse individuals' requests to exercise their rights, the individual may initiate a lawsuit in the people's courts in accordance with law.

Chapter V: Obligations of Personal Information Handlers

Article 51: Based on the purposes and methods of handling, the types of information to be handled, the impact and potential risks to individuals rights and interests, and so forth, personal information handlers shall take the following measures to ensure that personal information handling activities comply with the provisions of laws and administrative regulations, and prevent unauthorized access, leaking, alteration, and loss of personal information:

(1) formulate internal security management systems and operating procedures;

(2) Implement categorical management of personal information;

(3) Employ related technical security measures such as encryption and de-identification;

(4) Reasonably determine the operational authority of personal information handlers, and periodically conduct security education and training for workers;

(5) Formulate and organize the implementation of emergency plans for personal information security incidents;

(6) other measures provided for by laws and administrative regulations.

Article 52: Personal information handlers that handle personal information at a volume specified by the state internet information department shall designate a person in charge of personal information protection to be responsible for overseeing personal information handling activities and any protective measures taken.

Personal information handlers shall disclose the name and contact information of the person in charge of personal information protection, and submit their names, contact information, and so forth to the departments performing duties on personal information protection.

Article 53:Overseas personal information handlers as provided for in the second paragraph of Article 3 of this Law shall establish special institutions or designated representatives within the territory of the PRC responsible for handling matters related to the protection of personal information, and report the name, contact information, and other information to the departments performing personal information protection duties.

Article 54: Personal information handlers shall conduct periodic audits of whether their personal information handling activities are in compliance with laws and administrative regulations.

Article 55: In any of the following circumstances, personal information handlers shall first conduct an assessment of the impact on personal information protections and make a record of the circumstances of the handling:

(1) Handling sensitive personal information;

(2) using of personal information for automated decision-making;

(3) entrusting the handling of personal information, providing personal information to other personal information handlers, or disclosing personal information;

(4) Providing personal information abroad;

(5) Other personal information handling activities that have a major impact on individuals' rights and interests.

Article 56:Personal information protection impact assessment reports shall include the following content:

(1) the purpose and manner of handling personal information, the type of personal information handled, and the period of time it will be retained;

(2) The impact and security risks for individuals' rights and interests;

(3) Whether the protection measures employed are legal, effective, and correspond to the degree of risk.

Personal information protection impact assessment reports and handling records should be retained for at least three years.

Article 57: Where the leak, alteration, or loss of personal information occurs or might occur, the personal information handlers shall immediately employ remedial measures and notify the departments and individuals perform duties to protect personal information. The notice shall include the following matters:

(1) The type of information for which leaks, alteration, or loss of personal information has occurred or might occur, the reasons, and the harms that might be caused;

(2) The remedial measures employed by the personal information handlers and measures that individuals may employ to reduce the harm;

(3) Contact methods for the personal information handlers.

Where personal information handlers employ measures that can effectively avoid the harm caused by the leak, alteration, or loss of personal information, the personal information handlers do not need to inform the individuals; but where the departments with duties to protect personal information find that harm might be caused, they have the power to request that the personal information handlers notify individuals.

Article 58: Personal information handlers that provide important internet platform services, have a huge number of users or a complex operational model shall perform the following obligations:

(1) establish and complete institutional systems for personal information protection compliance in accordance with state provisions, and establish an independent body composed primarily of external members to conduct oversight of personal information protections;

(2) Comply with the principles of openness, fairness, and equity to draft platform rules, clarifying norms for the handling of personal information in for the providers of products and services on the platform, and for their obligations to protect personal information.

(3) Stop providing services to products or service providers on the platform that handle personal information in serious violation of laws and administrative regulations;

(4) Periodically publish social responsibility reports on the protection of personal information, and accept societal oversight.

Article 59: Persons entrusted to handle personal information shall follow the provisions of this Law and relevant laws and administrative regulations to employ necessary measures to ensure the security of the personal information they handle and assist the personal information handlers of personal information in performing their obligations in this Law.

Chapter VI: Departments Performing Personal Information Protection Duties

Article 60: The State internet information department is responsible for the overall planning and coordination of personal information protection efforts and related oversight and management. The relevant departments of the State Council are responsible for personal information protection, oversight, and management within the scope of their respective duties in accordance with the provisions of this Law and relevant laws and administrative regulations.

The personal information protection, oversight, and management responsibilities of the relevant departments of local people's governments at the county level or above are to be determined in accordance with the relevant state provisions.

The departments provided for in the preceding two paragraphs are collectively referred to as the 'departments performing personal information protection duties'.

Article 61: Departments performing personal information protection duties are to perform the following personal information protection duties:

(1) Carrying out publicity and education on the protection of personal information, guiding and overseeing personal information protection work carried out by personal information handlers;

(2) Accepting and addressing complaints and reports related to the protection of personal information;

(3) Organizing appraisals of personal information protection such as in application, and publishing the results;

(4) Investigating and addressing illegal personal information handling activities;

(5) other duties stipulated by laws and administrative regulations.

Article 62: The state internet information department is to plan and coordinate relevant departments in advancing the following efforts to protect personal information based on this law:

(1) Draft specific rules and standards for the protection of personal information;

(2) Draft specialized rules and standards for small enterprises handling personal information and sensitive and personal information and for the protection of personal information in regards to sensitive personal information and new technologies and applications such as facial recognition and artificial intelligence;

(3) support research and development and spread the use of of secure and convenient electronic identity confirmation technologies; and advance the construction of public services for online identity confirmation;

(4) Advance the construction of a system of socialized personal information protection services, and support relevant institutions in carrying out personal information protection assessment and certification services;

(5) Improve the working mechanisms for complaints and reports on personal information protection.

Article 63: Departments that perform personal information protection duties may employ the following measures in performing personal information protection duties:

(1) questioning the relevant parties, and investigating circumstances related to personal information handling activities;

(2) Accessing and reproducing contracts, records, account book, and other materials related to the parties and personal information handling activities;

(3) Conducting on-site inspections and investigating suspected illegal personal information handling activities;

(4) Inspecting equipment and items related to the personal information handling activities, and for equipment and items that there is evidence showing were used in illegal personal information handling activities, make a written report to the principal responsible person of the department, and upon approval, they may be sealed or seized.

Where departments that perform personal information protection duties are lawfully performing their duties, the parties shall provide assistance and cooperate, and must not refuse or obstruct.

Article 64: Where in the performance of their duties, departments performing personal information protection duties find that personal information handling activities have a relatively large risk or that personal information security incidents have occurred, they may give a talking to the legal representative or principal responsible person for the personal information handler in accordance with the authority and procedures provided, or require the personal information handler to retain a professional establishment to conduct a compliance audit of their personal information handling activities. Personal information handlers shall take measures as required, carry out rectification, and eliminate threats.

Where it is discovered in the course of performing their duties the departments with personal information protection duties discover a suspected crime in the handling of personal information, they shall promptly transfer it to the public security organs to be handled in accordance with law.

Article 65: All organizations and individuals have the right to complain or report to the departments performing personal information protection duties regarding illegal personal information processing activities. Departments receiving complaints or reports shall promptly handle them in accordance with law and notify the complainant or informant of the outcome.

Departments performing personal information protection duties shall publish the contact information for accepting complaints and reports.

Chapter VII: Legal Responsibility

Article 66: Where personal information is handled in violation of this Law, or where the obligations for the protection of personal information provided for in this Law are not performed in handling personal information, the departments performing duties on personal information protection are to order corrections, give warnings, and confiscate unlawful gains; applications that illegally handle personal information are to be ordered to have their provision of services suspended or stopped, and a fine of up to 1,000,000 RMB is to be given; the directly responsible managers and other directly responsible personnel are to be given a fine of between 10,000 and 100,000 RMB.

Where the circumstances of the illegal activities provided for in the preceding paragraph are serious, the provincial level or higher departments performing personal information protection duties are to order corrections, confiscate unlawful gains, and give a concurrent fine of up to 50,000,000 RMB or up to 5% of the preceding year's business income, and may order that operation be suspended, suspend operations for rectification, or report to relevant regulatory departments for the cancellation of business permits or licenses; and a fine of between 100,000 and 1,000,000 RMB is to be given to the directly responsible managers and other directly responsible personnel, and a decision may be made to prohibit their serving as the board member, supervisor, senior management, or person in charge of personal information protection for an enterprise during a set period of time.

Article 67: Where there is conduct violating the provisions of this law, record it in the credit archives and make it public in accordance with relevant laws and administrative regulations.

Article 68: Where state organs fail to perform their obligations to protect personal information under this law, the organ at the level above or the departments performing personal information protection duties shall order corrections; and the directly responsible managers and other directly responsible persons are to be punished according to law.

Where the personnel of departments with duties protecting personal information derelict their duties, abuse their authority, or twist the law for personal gain, but it does not constitute a crime, they are to be sanctioned in accordance with law.

Article 69: Where the handling of personal information infringes on rights and interests in personal information and causes harm, and the personal information handlers cannot prove that they are not at fault, they shall bear tort liability to compensate losses.

The liability for compensation in the preceding paragraph is to be based on the losses suffered by the individual or on the benefits obtained by the personal information handlers; where it is difficult to determine the losses suffered by the individual or the benefits obtained by the personal information handlers, determine the amount of compensation in light of actual circumstances.

Article 70: Where personal information handlers violate the provisions of this Law in the handling of personal information and infringe on the rights and interests of a large number of individuals, the People's Procuratorate, legally designated consumer protection organizations, and organizations designated by the State internet information departments may file a lawsuit in the people's court.

Article 71: Where provisions of this Law are violated, constituting a violation of the administration of public security, public security administrative sanctions are given in accordance with law; where a crime is constituted, criminal responsibility is pursued in accordance with law.

Chapter VIII: Supplementary Provisions

Article 72: This law does not apply to natural persons handling personal information for personal or family affairs.

Where the law has provisions on the handling of personal information for statistics and archives management activities organized and implemented by the people's governments at all levels and their relevant departments, those provisions are to be applied.

Article 73: In this law, the following terms have these meanings:

(1) “Personal information handlers“ refers to organizations or individuals that independently make decisions about the purposes and methods of personal information handling in personal information handling activities.

(2) “Automated decision-making“, refers to the use of computer programs to automatically analyze, evaluate, and make decisions on personal information on personal behavior habits, hobbies or economic, health, credit status, and so forth.

(3) "De-identification" refers to the process of handling personal information to make it impossible to identify a specific natural person without the help of additional information.

(4) "Anonymization" refers to the process in which personal information is handled so that it cannot be used to identify a specific natural person and cannot be restored after being so handled.

Article 74: This Law is to be implemented beginning November 1, 2021.