After struggling for over a decade to develop a national-level data privacy law, the National People’s Congress of the People’s Republic of China released the draft Personal Information Protection Law (Draft Law) on October 21, 2020. The Draft Law was open for public comment for almost a month and is likely to be adopted largely as is. Once issued, the Personal Information Protection Law will be the first national-level law on data privacy in China.
Drawing on the main rules of the Cybersecurity Law, the Information Security Technology – Personal Information Security Specifications (Specifications) and other relevant laws and regulations in China and overseas, the Draft Law sets out rules for processing personal information, the rights of individuals in personal information processing activities, and the obligations of personal information processors, among other matters, and provides a comprehensive regulatory framework for personal information protection in China. Highlights of the Draft Law are discussed below.
Extraterritorial Effect of the Draft Law
Previously, the Cybersecurity Law and other relevant laws and regulations mainly limited their scope of application to domestic network operators. The Draft Law, which borrows some principles from the EU’s General Data Protection Regulation (GDPR), also applies to the processing of personal information outside China in any of the following situations: (1) where the purpose is to provide products or services to individuals in China; (2) where the processing analyzes or assesses the activities of individuals in China; and (3) other situations stipulated by laws and regulations (art. 3).
This territorial scope is similar to that of the GDPR and Brazil’s Lei Geral de Protecao de Dados (LGPD). Similarly, the California Consumer Privacy Act (CCPA) also has an extraterritorial scope and applies to businesses outside of California as long as they meet the CCPA’s “business” thresholds, which include doing business in California.
The Draft Law further requires that a personal information processor outside China set up a specialized agency or appoint a representative in China to be responsible for handling matters concerning personal information protection, and report the name and contact information of that agency or representative to the government authorities responsible for personal information protection (art. 52). This requirement goes beyond what the CCPA requires, and also appears to go beyond the GDPR, which does not require the appointment of a data protection officer (DPO) or EU representative in all instances.
However, the Draft Law does not clarify the specific requirements for, or legal responsibilities of, such an agency or representative. For example, it does not specify what kind of entity can act as the representative of an overseas personal information processor, or whether a law firm or professional consulting firm can serve in that role.
Definitions of Personal Information and Sensitive Personal Information
The Draft Law clearly distinguishes general personal information from sensitive personal information. While the CCPA does not make this distinction, the California Privacy Rights Act (CPRA), which was just passed by California voters and will amend the CCPA in substantive ways, does.
“Personal information” in the Cybersecurity Law refers only to information that can be used, alone or in combination with other information, to identify a natural person. The Draft Law broadens the scope of personal information to a certain extent, stipulating that “personal information” refers to all kinds of information related to identified or identifiable natural persons as recorded by electronic or other means, excluding information that has been anonymized (art. 4). Although this is somewhat similar to the GDPR’s definition, neither the GDPR nor the CCPA contains the limitation that personal information must be “recorded by electronic or other means,” and it is not clear how broadly the requirement of “being recorded” is meant to be interpreted in practice. “Anonymization” here means the process of rendering personal information unable to be identified with a specific natural person and unable to be restored to its original state (art. 69). Because the definition requires irreversibility, reversible deidentification (for example, replacing identifiers with tokens that the processor can map back to the individual) would not appear to take data outside the definition of personal information; consistent with this reading, art. 50 treats deidentification as a security measure applied to personal information rather than as a way out of the law’s scope. Furthermore, the processing of personal information includes collection, storage, use, processing, transmission, provision, disclosure, and similar activities.
Apart from the definitions in the Specifications, which are recommended national standards, this is the first time sensitive personal information has been defined in Chinese laws and regulations. According to the Draft Law, “sensitive personal information” refers to personal information that, once leaked or illegally used, may lead to discrimination against an individual or serious harm to personal or property safety, including race, nationality, religious belief, personal biological features, medical history, health, financial accounts, personal whereabouts, and other information (art. 29). This definition differs substantially from those in the GDPR and CPRA, which do not turn on the possibility of discrimination or serious harm if the information is leaked or illegally used.
Similar to the GDPR, the Draft Law has a special section that imposes higher protection requirements for processing sensitive personal information, such as: the personal information processor must have a specific purpose and sufficient necessity to process sensitive personal information (art. 29); separate or written consent must be obtained where the processing of the sensitive personal information is subject to the individual’s consent (art. 30); and the personal information processor must inform the individual of the necessity of processing the sensitive personal information and its impact on the individual (art. 31).
However, because the definition of sensitive personal information in the Draft Law is relatively broad and the requirements attached to it are strict, how it is interpreted in practice will likely depend on more detailed implementing regulations.
Core Principle of “Notification—Consent”
To relax the preconditions for processing personal information, the Draft Law establishes a series of processing rules centered on “Notification—Consent.” Building on the Specifications and other regulations and supervisory practice, the “Notification—Consent” requirements in the Draft Law are designed to ensure that information subjects can make effective and informed choices about whether to consent to specific personal information processing activities.
The main provisions in terms of “Notification—Consent” in the Draft Law are as follows:
- As for the exceptions to prior notification: (1) where the circumstances must be kept confidential as stipulated by laws or regulations, the personal information processor does not have to inform the individual of the above-mentioned matters; and (2) where it is impossible to promptly inform the individual because the processing is necessary to protect the life, health or property safety of the individual in an emergency, the personal information processor may inform the individual after the emergency has passed (art. 19).
Legal Basis of Processing Personal Information—Consent With Exceptions
The Cybersecurity Law treats “consent” as the only legal basis for processing personal information. However, as personal information protection practice has developed, requiring companies to obtain users’ consent in every case has become difficult to reconcile with increasingly complex and diverse processing scenarios. Although the Specifications and other national standards provide for some exceptions that do not require consent, these standards have a low level of legal force, so companies face growing uncertainty in their compliance practices.
The Draft Law no longer treats the individual’s consent as the sole legal basis for processing personal information. It recognizes a range of legal bases and provides for exceptions to consent, including the following:
- Processing of personal information is essential for entering into or performing a contract to which the relevant individual is a contracting party.
- Processing of personal information is essential for performing statutory responsibilities or obligations.
- Processing of personal information is essential for responding to public health emergencies or for protecting the life, health, or property safety of natural persons in emergency situations.
- Processing of personal information is within the reasonable scope of implementing news reporting, public opinion supervision, and other actions for the public interest.
- Other circumstances as stipulated by laws and administrative regulations (art. 13).
The GDPR similarly provides for six lawful bases for processing personal data, including consent, performance of a contract, compliance with a legal obligation, and where necessary to protect vital interests, among others.
Additionally, unlike the Specifications, the Draft Law does not distinguish explicit consent from consent by authorization; instead it requires that any consent to personal information processing be given by the individual voluntarily and explicitly, on the premise of full knowledge (art. 14). This is similar to the GDPR’s definition of consent as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her” (art. 4(11)).
Furthermore, the Draft Law adds new requirements for “separate consent” and “written consent” to process personal information. Specifically, separate consent is required when a personal information processor provides the personal information it processes to a third party, and the processor must also inform the individual of the third party’s identity, contact information, processing purpose, processing method, and the types of personal information involved (art. 24). Written consent is needed where laws and administrative regulations require it (art. 30).
Other provisions regarding “consent” mainly include:
- Processing the personal information of a minor under the age of 14 requires the consent of the minor’s guardian (art. 15), which is similar to the approach of the U.S. Children’s Online Privacy Protection Act.
- Individuals have the right to withdraw their consent to the personal information processing activities which are conducted based on their consent (art. 16), which is similar to EU and U.S. laws which provide that the consumer may be allowed to withdraw their consent at any time.
- Unless the processing of personal information is essential for providing products or services, the personal information processor should not refuse to provide products or services on the ground that the individual does not give or withdraw consent to process his/her information (art. 17).
- Even for publicly available personal information, if the processing would exceed the reasonable scope of use that applied when the information was disclosed, the individual must still be notified and his/her consent obtained (art. 28). This provision could prove very burdensome to businesses that rely on collecting and using publicly available information without consent. Other laws, such as the CCPA, carve out from the definition of personal information information that is lawfully made available from federal, state, or local government records.
Cross-border Transfer of Personal Information
The Draft Law makes different arrangements depending on the risks that the cross-border transfer of personal information may pose to national security. The specific rules for cross-border transfer are mainly the following:
- Obligation to store personal information locally. Critical information infrastructure operators, and personal information processors whose processing reaches a volume threshold specified by the Cyberspace Administration of China (CAC), must store within China the personal information they collect and generate in China (art. 40). This provision also appears potentially very burdensome to enterprises, depending on where the threshold is set, and goes beyond the requirements of EU or U.S. law.
- Requirements for cross-border transfer of personal information. Similar to the GDPR’s requirements for transfers of personal data to third countries, the Draft Law provides that when a personal information processor needs to provide personal information outside China for business reasons, at least one of the following conditions must be met:
- Have passed the security assessment organized by the CAC according to the rules of art. 40 as mentioned above.
- Have undertaken personal information protection certification conducted by professional agencies in accordance with the provisions of the CAC.
- Have signed a contract with the overseas recipient stipulating the rights and obligations of both parties, and supervise the recipient’s personal information processing activities to ensure that the personal information protection standards of the Draft Law are met.
- Meet other conditions stipulated by laws, administrative regulations, or the CAC (art. 38).
- Approval for international judicial or administrative law enforcement assistance. If personal information must be provided outside China as a result of international judicial assistance or administrative law enforcement assistance, an application must be filed with the relevant competent authority for approval (art. 41), which is likely to be the CAC or one of its local branches.
Personal Rights in Processing Personal Information
The Draft Law emphasizes that, unless otherwise stipulated by laws and regulations, individuals have the right to know about and decide on the processing of their personal information, and the right to restrict or refuse such processing by others (art. 44). It is not clear how individuals are to exercise the right to decide on the processing of their personal information, and neither the GDPR nor the CCPA provides for such a right (although the GDPR gives individuals the right to object to the processing of their information).
Individuals also generally have the right to access and copy their personal information held by personal information processors, as well as the right to request that processors correct or complete their personal information and explain their personal information processing rules (arts. 45, 46 and 48). Both the GDPR and the CPRA contain a similar right to correction.
Additionally, the Draft Law spells out the conditions under which individuals’ right of deletion applies. Personal information processors must generally, on their own initiative or at the request of the individual, delete personal information when (1) the agreed retention period has expired or the processing purpose has been achieved; (2) the processor ceases to provide the relevant products or services; (3) the individual withdraws consent; or (4) the processor has violated laws, administrative regulations, or the agreement with the individual in processing the personal information (art. 47). This provision appears to go beyond the requirements of both the GDPR and the CCPA.
Obligations of Personal Information Processors
The Draft Law specifically sets out the security protection obligations of personal information processors. Processors are required to take necessary measures to ensure that their processing of personal information complies with relevant laws and regulations. Such measures include developing internal management systems and operating procedures; implementing hierarchical and categorized management of personal information; and taking appropriate technical security measures such as encryption and deidentification (art. 50). These requirements are more specific than those of the GDPR and CCPA: the CCPA calls for “reasonable security procedures,” and the GDPR requires “appropriate technical and organizational measures to ensure a level of security appropriate to the risk.”
It should be noted that personal information processors must conduct a risk assessment in advance when: processing sensitive personal information; using personal information for automated decision-making; entrusting another party with personal information processing, providing personal information to a third party, or disclosing personal information; providing personal information outside China; or carrying out other processing activities with a significant impact on individuals (art. 54).
However, apart from the agreed or joint liability borne by two or more personal information processors, the Draft Law does not clearly describe how responsibility for personal information processing activities is allocated. Where processing activities infringe individuals’ rights and interests in their personal information, it may be difficult under the Draft Law to accurately allocate legal responsibility between a personal information processor and an entrusted party (art. 21). By contrast, the CCPA addresses liability between “businesses” and “service providers” and provides that “[a] business that discloses personal information to a service provider shall not be liable under this title if the service provider receiving the personal information uses it in violation of the restrictions set forth in the title, provided that, at the time of disclosing the personal information, the business does not have actual knowledge, or reason to believe, that the service provider intends to commit such a violation,” and “[a] service provider shall likewise not be liable under this title for the obligations of a business for which it provides services as set forth in this title.” 1798.145(j).
Given that personal information processing activities will become more complex and that more processors and third parties may be involved in the future, it will be important to clarify the allocation of responsibility among the parties involved in processing activities.
As for legal liability for violating the Draft Law or for processing personal information without the necessary security protection measures, the basic penalties are consistent with those in the Cybersecurity Law. These include a fine of up to RMB 1 million for personal information processors that refuse to make corrections ordered by the competent authorities, and a fine of between RMB 10,000 and RMB 100,000 for directly liable individuals. Where the unlawful act is serious, in addition to ordering the suspension of the related business operations, the authorities may suspend the entity’s entire operation for rectification or refer the matter to the relevant authorities for cancellation of the related business permit or even the business license. The Draft Law also newly provides for fines of between RMB 100,000 and RMB 1 million for directly liable individuals, and fines of up to RMB 50 million or 5% of the previous year’s total revenue for personal information processors (art. 62). The unlawful acts will also be entered into credit files and disclosed to the public (art. 63).
The penalties in the Draft Law reflect the determination of the regulatory authorities to eliminate the abuse of personal information and create a sustainable environment of personal information protection. However, the Draft Law does not provide sufficient details on circumstances that are serious enough to warrant enhanced penalties.
Authorities to be Responsible for Protecting Personal Information
It is confirmed in the Draft Law that the CAC will be responsible for the overall planning and coordination of personal information protection and relevant supervision and management. In addition, relevant authorities under China’s State Council as well as relevant authorities of governments at the county level or above will also be responsible for personal information protection and the supervision and management within their respective scope of duties according to the relevant laws and regulations (art. 56).
Given the current regulatory environment, it is a positive development that the CAC will assume overall responsibility for implementation and enforcement, although the law also provides for “coordination” with other agencies. Unfortunately, as in the past, granting authority to multiple regulators invites confusion, abuse, and ongoing jurisdictional turf wars. That said, it remains to be seen how the law will be implemented; hopefully enforcement will be carried out in a consistent, objective, and fair manner.