On 21 October 2020, the Draft of Personal Information Protection Law (“Draft”), after being reviewed by the Standing Committee of the National People’s Congress, was released for public comments, which signifies that the legal regime of personal information protection in China is about to enter a new chapter. The Draft comprises eight chapters and seventy articles. It has absorbed advanced foreign legislative experience from laws such as the General Data Protection Regulation (“GDPR”) and adopted the legislative path that fits the current situation in China. The Draft, once officially passed and implemented, will, together with the Cyber Security Law and the Data Security Law (under review), become the three pillars in the realm of cyber security and data protection. The release of the Draft announces the establishment of the three-dimensional structure of “Civil Code - Personal Information Protection Law - Respective regulations and standards” in personal information protection in China, which not only fills the legislative gap but also lays a solid legislative foundation for corporate data compliance. After the release of the Draft, there will be several solicitations of public comments and amendments. In this article, we would like to highlight eleven noteworthy aspects of this well-crafted Draft.
1. Extra-territorial Effect of the Draft
Article 3 of the Draft stipulates the application scope of the Law, which on the basis of the territorial principle sets the extra-territorial application of the law under certain circumstances, enabling the “long-arm jurisdiction” of the law. Art.3(2) of the Draft draws on the territorial scope provision of Art.3(2) of the GDPR: its “providing products or services” and “analyzing and evaluating” requirements correspond to the “offering” and “monitoring” requirements respectively in the GDPR.
Art.3(2) of the Draft provides a clear and localized description of “analyzing and evaluating the behaviors of natural persons…”, defines whether the processing of personal information by foreign organizations and individuals shall be subject to this law and establishes the basic requirement of “long-arm jurisdiction” in personal information protection. Art.52 of the Draft further refers to Art.27 of the GDPR and stipulates that, when Art.3(2) applies, a personal information processor outside the territory of China shall set up a specialized agency or appoint a representative within the territory of China and report related information to the authorities performing personal information protection duties.
Besides, Art.68(1) of the Draft, drawing on Art.2(2) of the GDPR, narrows the application scope of the law.
This law applies to:
activities of processing personal information within the territory of China; or
activities of processing personal information of natural persons within the territory of China that are conducted outside the territory of China, which relate to:
- the purpose of providing products or services for such natural persons; or
- analyzing and evaluating the behaviors of such natural persons; or
- other situations regulated by the law and administrative regulations. (Art.3)
Cross-border digital activities surge rapidly along with globalization and digitization. The impacts of such activities frequently transcend regions and intertwine closely with national security, public interest and personal interests. Therefore, the setting of extraterritorial application of legislations concerning cyberspace and digital activities, for example the Cyber Security Law, Data Security Law (Draft for public comments) and Export Control Law, will become common practice.
2. Seven Basic Principles of Personal Information Processing
The Draft sets seven basic principles regarding personal information processing through Art.5 to Art.9.
The basic principles listed in the Draft are more detailed and practical. On top of the basic principles in the Personal Information Security Specification (for example, lawfulness, justification and necessity, balancing rights with responsibilities, clear purpose, consent, minimum necessity, etc.), the Draft adds the principle of accuracy by selectively referring to the GDPR Art.5(1).
3. Provision of Multiple Legal Bases for Personal Information Processing, not Limited to Consent
The GDPR sets six legal bases for the processing of personal data, whilst controversially the Cyber Security Law only recognizes consent as the sole legal basis for the processing of personal information. The Draft in its Art. 13 follows the rules in the Civil Code, breaking through the restrictions set by the Cyber Security Law and taking a further step closer to the GDPR.
The legal bases under the Draft and the GDPR are:
The Draft, building on the Civil Code, includes the essentiality of entering into or performing a contract and the protection of public interests and vital interests of natural persons as legal bases for processing personal information, and it also responds to public health emergencies, answering the current Covid-19 situation. The Draft does not include the pursuit of legitimate interests as one of the legal bases to process personal information, considering the implementation difficulties in other countries and the current situation in China.
4. Requirement for Separate or Written Consent for the First Time
The Draft puts forward explicit requirements for obtaining valid consent:
consent shall be expressed voluntarily and explicitly on the premise of full knowledge; (Art.14)
the individual enjoys the right to withdraw consent for activities based on consent; (Art.16)
obtain the consent of the guardian of the minor under the age of 14, when the processor knows or should know…(Art.15)
except that the processing of personal information is necessary for the provision of products or services, the processor shall not refuse to provide products or services on the ground that the individual does not give or withdraw consent. (Art.17)
The Draft explicitly stipulates the situations requiring separate or written consent:
5. Clarification of Responsibilities under Joint Processing and Entrusted Processing
The Draft differs from the GDPR which distinguishes between data controller and data processor. It follows the rules in the Civil Code and only specifies personal information processor. "Personal information processor" refers to any organization or individual that autonomously determines the processing purpose, processing method or any other matter relating to the processing of any personal information (Art.69). The roles in personal information processing activities are characterized by behaviors of parties concerned.
Responsibilities of respective parties in personal information processing activities (Draft v. GDPR) are as follows:
The responsibilities and obligations requirements under joint processing and entrusted processing provisions of the Draft are basically the same as provisions regarding joint controller and processor under the GDPR. In addition, it shall be noted that the Draft requires separate consent when providing personal information to a third party.
6. Regulation towards Automated Decision-Making and Utilization of Publicly Disclosed Personal Information
As regards using personal information to conduct automated decision-making (Art.25), the Draft, considering the trends in the development of new technology, draws on Art.22 GDPR and specifies:
processors shall guarantee the transparency of their decision-making and the fairness and reasonability of their processing results;
individuals have the right to require processors to give an explanation and to refuse to let the said processors make decisions solely by means of automated decision-making, when they consider that an automated decision has a material impact on their rights and interests; and
processors shall simultaneously provide an option that does not target the personal characteristics of an individual when conducting direct marketing and information notification by automated decision-making.
As regards processing publicly disclosed personal information, Art.28 of the Draft for the first time specifies the basic rules in legal terms that:
processors shall conform to the purposes for which such personal information is disclosed;
processors shall inform the individuals and obtain their consent if the processing thereof exceeds the reasonable scope related to the said purposes;
processors shall process the disclosed personal information reasonably and prudently and with discretion if no clear purpose is specified; and
processors shall inform the individuals concerned and obtain their consent for activities that have a material impact on individuals.
The collection and use of disclosed information is an important data source nowadays in the era of big data, but the boundaries of reasonable use are still unclear. The existing body of law has not provided a feasible solution so far. It remains to be seen whether Art.28 of the Draft can provide clear guidance without limiting the development of data utilization.
7. Regulation of Personal Information Processing by State Organs
Drawing on the legislative experience of Art.2(3) of the GDPR and related rules, the Draft specifically sets out Section 3 under Chapter II to regulate personal information processing by State Organs, which takes into account recent calls from the international community to restrain the processing of personal information by public authorities and answers the doubts of people concerning the processing of personal information by governments during the epidemic.
Specific provisions include:
this Law shall apply to the personal information processing activities conducted by State Organs; (Art.33)
processing in accordance with the authorities and procedures prescribed by laws and administrative regulations, and shall not exceed the scope or limit necessary for the performance of their statutory duties; (Art.34)
shall inform the individuals and obtain their consent when processing, except where confidentiality shall be kept or where giving notification or obtaining consent will hinder State Organs; (Art.35)
shall not disclose or provide to others the personal information, unless otherwise provided for by laws…or with the consent…(Art.36)
shall be stored within the territory of China, risk assessment shall be conducted where it is truly necessary to provide such information overseas. (Art.37)
8. Rules on Cross-border Provision of Personal Information in China
The Draft specifies the rules on cross-border provision of personal information on the level of law and will greatly promote the implementation of the cross-border provision of personal information rules when it enters into force.
Conditions for cross-border provision of personal information (shall meet at least one condition) (Art.38):
having passed the security assessment organized by the State cyberspace authorities if the processors are Critical Information Infrastructure Operators (“CIIOs”) or up to the amount specified by the State cyberspace authorities, in accordance with the provisions of Article 40 hereof;
having undertaken personal information protection certification conducted by professional agencies;
having signed a contract with the overseas receiving parties;
otherwise stipulated by laws, administrative regulations or the State cyberspace authorities.
CIIOs and processors (who process personal information up to the amount as specified by the State cyberspace authorities) (Art.40):
shall store within the territory of China; and
shall pass security assessment organized by the State cyberspace authorities, if it is really necessary to provide such information overseas unless otherwise stipulated by any law, regulation or requirements issued by the State cyberspace authorities.
This provision follows the considerations for national security and public interest under Art.37 of the Cyber Security Law and also grants administrative authorities and other laws and regulations discretion to facilitate the cross-border provision of personal information that is relatively not sensitive.
As regards international judicial assistance or administrative law enforcement assistance, an application shall be filed with the relevant competent authorities for approval to provide personal information outside the territory of China (Art. 41). Art. 42 and Art. 43 of the Draft specify countermeasures towards foreign organizations, individuals, countries or regions that harm the personal information rights and interests of citizens of China or endanger the national security or public interests of China.
Possible justifications or bases for data transfer under the GDPR include adequacy decisions, standard contractual clauses adopted by the Commission and binding corporate rules. The Draft only specifies the contract basis in contrast to the GDPR, considering the difficulties in enforcement and the current situation in China.
9. Nine Rights of Individuals
The Draft for the first time comprehensively stipulates nine statutory rights of individuals in personal information processing activities.
Rights of individuals (Draft v. GDPR v. CCPA)
Rights of individuals under the Draft in some ways resemble the rights under the GDPR and the CCPA. Specifically, the right to know entails the right to request personal information processors to explain the rules on personal information processing; the right to decide is similar to the right to restriction of processing and the right to object under the GDPR, yet the GDPR provides a more detailed description of the situations in which data subjects may exercise such rights; the right to access and copy under the Draft mostly corresponds to the right of access under the GDPR and the CCPA; the right to correct and the right to delete greatly resemble such rights under the GDPR.
However, it shall be noted that Art.47 of the Draft stipulates that where the retention period provided in laws and administrative regulations has not expired, or it is technically difficult to delete personal information, the personal information processors shall cease to process the personal information. Rights related to automated decision making under the Draft are basically the same as the GDPR. The differences in the settings of statutory rights of individuals are worth noticing especially for MNCs.
10. Clarification of Obligations of Personal Information Processors
The Draft in its Chapter V, by making reference to responsibility of the controller under the GDPR, specifies the obligations of personal information processors.
In the end, records and Data Protection by Design and by Default requirements in the GDPR were included in the Personal Information Security Specification but not the Draft.
11. Imposition of High Administrative Fines and Addition of “Public Interest Lawsuits”
Legal liabilities of the Draft (Art.62-63):
following Art.64 of the Cyber Security Law, impose a fine up to CNY1 million on the personal information processor (organization) and a fine between CNY10,000 and CNY100,000 on any directly liable person-in-charge or any other directly liable individual;
when the unlawful act is grave:
- impose a fine up to CNY50 million, or 5% of last year's annual revenue;
- may also order the suspension of operations or suspension for rectification, and/or report to relevant competent authorities for the cancellation of the related business permit or license;
- any directly liable person-in-charge or any other directly liable individual shall be fined between CNY100,000 and CNY1 million.
The Draft under its Art.66 also launches the “public interest lawsuits” system. Lawsuits may be filed against a personal information processor whose processing of personal information in violation of this Law infringes the rights and interests of multiple individuals by an organization as confirmed by the people's procuratorate, authorities performing personal information protection duties or State cyberspace authorities.
The harsh fines and severe legal liabilities, drawing on the regulatory thinking of the GDPR, reflect the determination of the regulatory agencies to eliminate the abuse of personal information and create a good personal information protection environment.
Overall, the Draft:
specifies the application scope and legislative purposes;
being risk-oriented, improves personal information processing rules;
perfects the rules on cross-border provision of personal information;
complies with the trend of the digital economy development and pays attention to the development of new business formats; and
effectively protects the rights and interests of natural persons in personal information processing activities and deepens the obligations of personal information processors.
 “Processor” in the Draft refers to “any organization or individual that autonomously determines the processing purpose, processing method or any other matter relating to the processing of any personal information.” The Draft differs from the GDPR as it does not distinguish between controller and processor. The above “processor” in the Draft is also expressed as “handler” in some documents.