法律法规事实核查专家

Fact-check report on the Personal Information Protection Law (PIPL) statement

Basic Information

• Object of Verification: Personal Information Protection Law of the People’s Republic of China (PIPL) – Articles 13, 38, effective date, treatment of public-place video images, and use of anonymized data for statistics/research; latest cross-border supporting measures
• Verification Date: 2025-11-22
• Status: Partially verified (with corrections and updates)

Core Findings

• Correct: PIPL took effect on 2021-11-01; lawful bases in Article 13 include consent and necessity to conclude/perform a contract; public-place video images constitute personal information; cross-border mechanisms under Article 38 include a CAC security assessment and a CAC standard contract.
• Incomplete: Article 38 also includes certification as a lawful cross-border path and other legal mechanisms; cross-border transfers require prior PIPIA and specific notice/consent conditions.
• Incorrect numbering: The rule on using anonymized data for statistics/research is in Article 24, not Article 29. Article 29 governs sensitive personal information.
• Latest supporting rules materially adjust cross-border procedures (CAC Orders and 2024 Provisions), including thresholds and exemptions from security assessment/SCC/certification under specified conditions.

Detailed Verification Results

1. Clause Accuracy

• Article 13 (Lawful bases):
  • Verified. Article 13 enumerates lawful bases, including:
    • the individual’s consent; and
    • necessity to conclude or perform a contract to which the individual is a party.
  • Note: Article 13 also lists other bases (e.g., statutory duties/obligations, human-resources management under lawfully established policies/collective contracts, public health emergencies or protection of life/health/property, news/public supervision per law, processing publicly disclosed personal information within a reasonable scope, and “other circumstances” provided by law/regulation). The statement is accurate but not exhaustive.
• Article 38 (Cross-border provision of PI):
  • Verified in substance. Article 38 sets multiple legal paths, including:
    • passing a security assessment organized by the CAC;
    • obtaining a personal information protection certification recognized by CAC; and
    • concluding a contract with the overseas recipient that uses the CAC standard contract terms;
    • plus other conditions provided by laws/administrative regulations or CAC.
  • The statement’s “security assessment or standard contract” is accurate but omits “certification” and the “other circumstances” clause.
  • Additional PIPL requirements apply to cross-border transfers, including conducting a personal information protection impact assessment (PIPIA) before the transfer (Article 55) and providing enhanced notice to individuals about the overseas recipient and the transfer (Article 39), with separate consent for cross-border transfers.
• Effective date:
  • Verified. PIPL took effect on 2021-11-01.
• Public-place video images:
  • Verified. PIPL defines personal information broadly (information related to identified or identifiable natural persons, excluding anonymized information), which covers video images. Article 26 specifically regulates the installation/use of image collection and personal identification devices in public places, confirming such collected content is personal information and restricting its use to maintaining public security unless otherwise provided by law.
• “Article 29 allows anonymized data for statistics/research”:
  • Incorrect article reference. The relevant rule is Article 24, which allows processing for statistics or research with conditions:
    • personal information may be processed in de-identified form for statistics/research; and
    • when providing statistical/research results externally, personal information involved shall be anonymized.
  • Article 29 pertains to sensitive personal information and imposes stricter conditions (specific purpose and sufficient necessity; separate consent, etc.), not the statistics/research anonymization rule.

2. Source Verification

• Personal Information Protection Law of the PRC (PIPL), adopted Aug 20, 2021 by the NPC Standing Committee, effective Nov 1, 2021:
  • Article 4 (definition of personal information);
  • Article 13 (lawful bases);
  • Article 24 (statistics/research – de-identification internally; anonymization when providing results externally);
  • Article 26 (public-place image collection and personal identification devices);
  • Article 38 (cross-border mechanisms: security assessment, certification, standard contract, and other legal mechanisms);
  • Article 39 (specific notice requirements and separate consent for cross-border);
  • Article 55 (PIPIA before cross-border);
  • Article 73 (definitions, including anonymization and de-identification).
• CAC Order No. 11: Measures for Security Assessment of Cross-Border Data Transfers (issued Jul 7, 2022; effective Sep 1, 2022).
• CAC Order No. 12: Measures on the Standard Contract for Cross-Border Transfer of Personal Information (issued Feb 24, 2023; effective Jun 1, 2023), with the SCC template attached and filing requirements.
• Provisions on Promoting and Regulating Cross-Border Flow of Data (CAC, issued Mar 22, 2024; effective upon issuance), adjusting thresholds and exemptions for transfers.

3. Applicability and Conditions

• Lawful bases under Article 13:
  • “Consent” must be informed, voluntary, and explicit (see PIPL consent provisions); individuals may withdraw consent.
  • “Contract necessity” applies where processing is necessary to conclude or perform a contract to which the individual is a party.
  • Selection of a lawful basis must match the actual processing purpose and necessity; bases are not interchangeable.
• Cross-border personal information transfers:
  • Legal paths (Article 38): CAC security assessment; personal information protection certification; CAC standard contract; other legal mechanisms.
  • Security assessment is mandatory under CAC Order No. 11 if, for example, the exporter:
    • provides “important data” overseas;
    • is a critical information infrastructure (CII) operator providing PI overseas;
    • processes PI of more than 1 million individuals and provides PI overseas; or
    • has cumulatively provided PI of 100,000+ individuals or sensitive PI of 10,000+ individuals since Jan 1 of the previous year.
  • SCC path (Order No. 12): available where security assessment is not required; requires signing the CAC template SCC and filing with CAC (generally within 10 business days of signing).
  • Certification path: personal information protection certification by qualified bodies recognized by CAC; applicable where security assessment is not required.
  • Mandatory pre-transfer steps under PIPL:
    • conduct a PIPIA (Article 55);
    • inform individuals of the overseas recipient’s identity/contact, purpose/method, PI categories, retention period and location, and how to exercise rights (Article 39);
    • obtain separate consent for cross-border transfers (Article 39), unless another lawful basis under Article 13 applies that permits processing without consent per law.
  • 2024 CAC Provisions (Mar 22, 2024) adjustments:
    • introduce exemptions from security assessment/SCC/certification in specified scenarios (e.g., certain contract performance, HR management under lawfully established policies, emergency protection of life/health/property) when the exporter is not a CII operator and sensitive PI volumes do not exceed prescribed thresholds;
    • exempt transfers of small volumes of ordinary personal information (e.g., fewer than 10,000 individuals per year) from security assessment/SCC/certification, subject to compliance with PIPL notice/consent and PIPIA requirements;
    • clarify sector “important data” catalogs and reduce uncertainty where catalogs are not defined.
    • Applicability depends on precise volume, sensitivity, sector designations, and whether the exporter is a CII operator.
• Public-place video images:
  • Installation and use must be for maintaining public security or other lawful purposes, with conspicuous notice and protective measures; collected personal information may only be used for maintaining public security and may not be disclosed or provided to others unless otherwise provided by law (Article 26).
• Statistics/research:
  • Article 24 permits using personal information for statistics/research in de-identified form; when providing statistical/research results externally, anonymization of personal information is required.
  • “Anonymized information” (Article 73 definition) falls outside “personal information” and is not regulated as PI under PIPL.

Evidence Support

• PIPL (NPC Standing Committee, effective Nov 1, 2021): Articles 4, 13, 24, 26, 38, 39, 55, 73.
• CAC Order No. 11 (2022): Measures for Security Assessment of Cross-Border Data Transfers (effective Sep 1, 2022).
• CAC Order No. 12 (2023): Measures on the Standard Contract for Cross-Border Transfer of Personal Information (effective Jun 1, 2023; SCC template and filing rules).
• CAC Provisions on Promoting and Regulating Cross-Border Flow of Data (2024-03-22): exemptions and threshold adjustments for cross-border transfers.

Verification Conclusion

• The statement is largely accurate on effective date, Article 13 lawful bases (consent and contract necessity), public-place video images being personal information, and the availability of security assessment or standard contract for cross-border transfers under Article 38.
• Corrections required:
  • Article reference for statistics/research is Article 24 (not Article 29), and it requires de-identification for processing and anonymization when providing results externally.
  • Article 38 includes certification and other legal mechanisms in addition to security assessment and SCC.
  • Cross-border transfers trigger PIPL-specific obligations (PIPIA, enhanced notice, and separate consent), and the latest CAC rules (2022–2024) define thresholds and exemptions that may remove the need for security assessment/SCC/certification in defined scenarios.
• Recommendation: Update citations to Article 24 (statistics/research) and include Article 38’s full set of legal paths; reflect CAC Order No. 11, CAC Order No. 12, and the 2024 CAC Provisions when describing cross-border requirements, thresholds, and exemptions, and ensure internal compliance includes PIPIA documentation and individual notice/consent per Articles 39 and 55.

사실확인 보고서 제목

중국 「행정처벌법」(2021년 전면개정) 관련 제도 사실확인

기본정보

• 핵차 객체: 「中华人民共和国行政处罚法」(2021년 개정·현행판)
• 핵차 시간: 2025-11-22
• 핵차 상태: 已核实

핵심 발견

• 2021년 개정법은 2021년 7월 15일부터 시행됨.
• 경미한 위반행위에 대한 “불처벌”(轻微违法不罚) 원칙, 법 적용시점에 관한 “從舊兼從輕”(구법 적용을 원칙으로 하되 신법이 더 경감하면 신법 적용) 원칙을 명문으로 규정함.
• 행정처벌 결정 전 “사전 고지 및 진술·변론” 절차를 필수 규정으로 둠.
• 동일 위반행위에 대해 복수의 행정처벌(예: 벌금과 위법소득·불법물건의 몰수)을 병과할 수 있으며, 처벌과 별개로 “시정명령(责令改正)” 등 행정관리조치를 함께 부과할 수 있음. 다만 시정명령 자체는 행정처벌의 종류가 아니라 행정조치에 해당.

상세 핵차 결과

1. 조문 정확성

   • 시행일: 2021년 4월 29일 제13기 전국인민대표대회 상무위원회 제28차 회의에서 개정 통과, 2021년 7월 15일부터 시행. 중국어 원문: “本法自2021年7月15日起施行。”
   • 경미 위반 불처벌: “违法行为轻微并及时纠正，没有造成危害后果的，不予行政处罚。”(현행 본문에 명시) 적용요건은 “경미성 + 즉시(지체 없이) 시정 + 해악결과 없음”의 3요건이 병존해야 함.
   • 從舊兼從輕: “对违法行为的行政处罚，适用违法行为发生时的法律、法规、规章；违法行为发生后法律、法规、规章有变更的，适用变更后的规定从轻或者减轻行政处罚。”(현행 본문에 명시) 위반행위 성립 당시의 규범을 원칙적으로 적용하되, 사후에 규범이 변경되어 처벌이 경감·감면되면 변경 후 규정을 적용.
   • 사전 고지 및 진술·변론: “行政机关在作出行政处罚决定之前，应当告知当事人作出行政处罚的事实、理由、依据以及依法享有的权利；当事人有权进行陈述和申辩，行政机关应当充分听取并采纳当事人的意见。”(현행 본문에 명시) 또한 일정한 중대처벌(예: 비교적 큰 금액의 벌금, 허가·면허의 취소 등)의 경우, 당사자 신청에 따른 청문(听证) 절차 보장 규정이 병행되어 있음.
   • 동일 위반행위의 병과: “对当事人的同一违法行为，可以给予一种或者多种行政处罚。”(현행 본문에 명시) 행정처벌의 종류에는 경고, 벌금, 위법소득의 몰수, 불법물건의 몰수, 생산·영업정지 명령, 허가증·면허의 일시보류 또는 취소, (법률·행정법규 근거에 따른) 행정구류 등과 기타 법률·행정법규가 규정하는 처벌이 포함됨. 아울러 “责令改正”“限期改正”“恢复原状”“采取消除或减轻违法后果的措施” 등은 처벌과 병행 가능한 행정관리·행정명령 조치로서, 처벌종류 자체와는 구분됨.

2. 출처 검증

   • 전국인민대표대회 공식 법률 데이터베이스(全国人大网 法律库): 「中华人民共和国行政处罚法」（2021年修订，自2021年7月15日施行）正文
   • 중국정부망(中国政府网) 및 전국인대 상무위원회 공보의 개정결의 공시
   • 법제 판본: 중국법제출판사 현행 합본(현행화된 2021년 개정본)

3. 적용성 설명

   • 경미 위반 불처벌:
     • 적용 범위: 경미하고, 지체 없이 자발 시정이 이루어졌으며, 사회적 해악결과가 발생하지 않은 경우.
     • 적용 경계: 해악결과가 있거나, 즉시 시정이 아니거나, 법률·행정법규에 별도의 강행 처벌 규정이 있는 경우에는 불처벌 원칙이 적용되지 않음. 불처벌이라도 행정관리조치(시정명령 등)는 가능.
   • 從舊兼從輕:
     • 적용 범위: 위반행위가 종결된 시점 이후 규범이 변경되어 처벌이 경감·감면되는 경우, 변경 후 규정 적용.
     • 적용 경계: 신법이 처벌을 가중하는 경우 소급적용 금지. 계속·종지행위의 경우에는 행위의 종지 시점을 기준으로 판단하는 해석이 일반적이며, 구체 사안에서는 관련 부문 규정 및 사법·행정 해석을 참조.
   • 사전 고지 및 진술·변론:
     • 적용 범위: 모든 일반절차 처벌에 적용. 간이절차(현행법상 경미·사소한 위반으로 사실이 명백하고 증거가 충분한 경우 당장 처분 가능)에서도 당사자 권리 고지가 요구됨.
     • 적용 경계: 긴급처리나 현장간이처분의 경우 절차가 간소화될 수 있으나, 권리 고지의무는 면제되지 않음. 청문은 법이 정한 중대처벌 범주 및 당사자 신청 요건 충족 시 실시.
   • 동일 위반행위 병과 및 시정명령 병행:
     • 적용 범위: 같은 위반행위에 대하여 벌금·몰수(위법소득·불법물건) 등 복수 처벌 병과 가능. 동시에 시정명령 등 행정조치 병행 가능.
     • 적용 경계: 동일 위반행위에 대해 “중복처벌(一事不再罚)” 금지 원칙을 준수해야 하며, 동일 처벌종류의 반복 부과나 관할 중복 부과는 금지. 처벌과 조치는 법적 성격이 달라 병행 가능하나, 과잉·불균형 처벌을 금지하는 “과실상응(过罚相当)” 원칙 및 재량 통제 원칙에 부합해야 함.

증거 지원

• 법률 명칭 및 시행 공시:
  • 「中华人民共和国行政处罚法」：2021년 4월 29일 개정 통과, 2021년 7월 15일 시행(全国人大常委会通过决定载明)
• 핵심 조문(중국어 원문 발췌):
  • 경미 불처벌: “违法行为轻微并及时纠正，没有造成危害后果的，不予行政处罚。”
  • 從舊兼從輕: “对违法行为的行政处罚，适用违法行为发生时的法律、法规、规章；违法行为发生后法律、法规、规章有变更的，适用变更后的规定从轻或者减轻行政处罚。”
  • 사전 고지·진술·변론: “行政机关在作出行政处罚决定之前，应当告知当事人作出行政处罚的事实、理由、依据以及依法享有的权利；当事人有权进行陈述和申辩……”
  • 동일 위반행위 병과: “对当事人的同一违法行为，可以给予一种或者多种行政处罚。”
    • 처벌 종류 열거 조항에 “警告、罚款、没收违法所得、没收非法财物、责令停产停业、暂扣或者吊销许可证、执照、行政拘留，以及法律、行政法规规定的其他行政处罚” 명시

핵차 결론

• 상기 주장(경미 위반 불처벌, 從舊兼從輕, 사전 고지 및 진술·변론, 동일 위반행위의 벌금·몰수 병과 및 시정명령 병행)은 모두 2021년 개정 현행 「행정처벌법」에 명문 규정으로 존재함.
• 시행일은 2021년 7월 15일로 확인됨.
• 적용 경계는 각 조문의 요건(경미·즉시 시정·무해악, 신법 경감, 절차 유형, 중복처벌 금지 등)에 따라 엄격히 한정되며, 구체 사안에서는 해당 부문법 및 하위 행정법규·규정, 청문·간이절차 요건을 종합 검토해야 함.
• 보완 권고: 실무 적용 시 전국인대 공식 법률 텍스트(全国人大网) 현행본의 정확한 조문 번호·문언을 재확인하고, 관련 부문(예: 시장감독, 환경, 안전생산 등)의 특별법상 청문·금액 기준·간이절차 요건을 병행 점검할 것을 권고함.