China Unveils Its First Draft of Personal Information Protection Law

January 29, 2021

On October 21, 2020, a draft of China’s Personal Information Protection Law (the “Draft PIPL”) was released for public comment on the website of China’s National People’s Congress – the national legislature. The comment period ended on November 19, 2020.

This is the first draft of this law, and depending on the comments received by the legislature, it is technically possible that a second or even a third draft may be issued for public comment, as draft laws can be submitted for voting only after three readings. However, third drafts are usually reserved for intensely debated laws, and the PIPL does not appear to attract much public attention in China, so it is more likely to end with a second draft at most and may be finally enacted this year or next.

Currently, personal data protection provisions are scattered among various laws and regulations in China, and the Draft PIPL, if passed, would become China’s first comprehensive law dedicated to personal data protection. The Draft PIPL combines and expands on personal data provisions in existing laws and regulations. While it will likely be further revised before it is finally enacted, it certainly sheds light on the legislators’ thinking on key personal data protection issues in China.

Below is a summary of provisions in the Draft PIPL that may be of interest to international companies.

Key Definitions and Data Protection Roles

Under the Draft PIPL, personal information is defined as various information that is recorded electronically or by other means and is related to an identified or identifiable natural person, excluding anonymized information.

Sensitive personal information is defined as personal information which, once leaked or illegally used, may result in discrimination or seriously endanger personal or property safety, including information such as ethnicity, race, religious beliefs, personal biometrics, medical health, financial accounts, and personal whereabouts.

Personal information processing covers activities such as the collection, storage, use, processing, transmission, provision, and disclosure of personal information.

The Draft PIPL does not adopt the term “data controller” used in the European Union’s General Data Protection Regulation (GDPR). Instead, “personal information processors” in the Draft PIPL play a role similar to that of data controllers in the GDPR. Under the Draft PIPL, personal information processors may also entrust other parties to process data, and such entrusted parties are similar to data processors in the GDPR.

Extraterritorial Application

The Draft PIPL applies to the processing of personal information outside of China where the personal information being processed belongs to natural persons in China and under any of the following circumstances: i) the processing is for the purpose of providing products or services to natural persons in China; ii) the processing is for the purpose of analyzing or evaluating the conduct of natural persons in China; or iii) other circumstances otherwise provided in laws or regulations.

The Draft PIPL also provides that such personal information processors outside of China must establish a specialized entity or designate a representative in China that is in charge of handling matters related to personal information protection, and the name and the contact information of the entity or the representative must be reported to the authorities responsible for personal information protection.

Principles Relating to Processing of Personal Information

The Draft PIPL sets forth several principles for processing personal information:

  • Personal information should be processed in a lawful and fair way and in good faith.
  • Processing of personal information should have specific and reasonable purposes and should be limited to the minimum for accomplishing the purposes of processing.
  • Processing of personal information should follow the principles of openness and transparency, and the rules for processing personal information should be published.
  • Processed personal information should be accurate and should be updated in a timely manner.
  • Personal information processors should be accountable for their personal information processing activities and should take necessary measures to secure the processed personal information.

Legal Bases for Processing Personal Information

Under the Draft PIPL, personal information processors may process personal information only under one of the following circumstances:

  • With consent from the individual;
  • When necessary for entering into or performing a contract to which the individual is a party;
  • When necessary for carrying out legal responsibilities or legal obligations;
  • When necessary in response to a public health emergency or for protecting a natural person’s life, health, and property safety in an emergency;
  • When processing personal information to a reasonable extent in carrying out activities for public interests such as news coverage and watchdog journalism; or
  • other circumstances as provided by laws or regulations.

Rules Regarding Personal Consent

Under the Draft PIPL, a host of rules have been established surrounding personal consent as the main legal basis for personal information processing:

  • Personal consent should be obtained on a fully informed basis and should be made voluntarily and explicitly.
  • For processing personal information of minors under 14 years of age, consent from their guardians is required.
  • For personal information processing based on personal consent, individuals may withdraw their consent.
  • Personal information processors may not refuse to provide products or services on the grounds that an individual refuses or withdraws their consent to personal information processing unless personal information processing is necessary for providing the products or services.
  • Separate consent is required if personal information processors are to provide processed personal information to a third party.
  • Separate consent is also required for processing sensitive personal information on the basis of consent.

Individual Rights

Similar to the GDPR, the Draft PIPL has a chapter on individual rights in personal information processing activities, including:

  • The right to be informed and to decide about processing of his or her personal information;
  • The right to restrict or object to processing of his or her personal information;
  • The right to access and reproduce his or her personal information from personal information processors;
  • The right to rectify and supplement his or her personal information;
  • The right to erase his or her personal information.

Obligations of Personal Information Processors

Personal information processors are required to take necessary measures to secure personal information:

  • Developing an internal management regime and operational protocols;
  • Grading and classifying personal information for processing;
  • Implementing technical security measures such as encryption and de-identification;
  • Setting reasonable operating authority for personal information processing and conducting regular security education and training of staff;
  • Developing and implementing a personal information security incident response plan.

For personal information processors that process personal data in an amount reaching the threshold set by the national cyberspace administration, a personal information protection officer should be designated and his or her name and contact information should be published and reported to the competent authorities.

Personal information processors are required to regularly audit their personal information processing activities and protection measures.

For the following personal information processing activities, and for any other processing activities that have a significant impact on individuals, processors are required to conduct a prior risk assessment and to keep the risk assessment reports and records of the processing activities for three years:

  • Processing of sensitive personal information;
  • Automated decision-making using personal information;
  • Entrusting others to process personal information, providing personal information to a third party, or publishing personal information; and
  • Providing personal information outside of China.

In the event of a personal information breach, processors must immediately take remedial measures and notify the competent authorities and the affected individuals; however, notification to individuals may be waived if the processor takes measures that successfully prevent the harm resulting from the breach.

Data Localization and Cross-Border Transfer

Under China’s current Cybersecurity Law (CSL), only operators of critical information infrastructure (CII) are required to store personal data collected in their operations in China within the territory of China.

In addition to CII operators and state organs, the Draft PIPL imposes the same data localization requirement on personal information processors that process personal data in an amount reaching the threshold set by the national cyberspace administration. These processors with the data localization obligation must pass the security assessment organized by the national cyberspace administration before providing personal information outside of China.

Other general personal data processors may provide personal information outside of China for business needs under any of the following circumstances: i) the processor passes the security assessment organized by the national cyberspace administration; ii) the processor is certified for personal information protection by a professional organization designated by the national cyberspace administration; or iii) the processor has entered into a contract with the recipient outside of China setting forth the two parties’ rights and obligations, and monitors that the recipient’s data processing meets the same protection standard as set by this law.

Regulation of Automated Decision-Making

The Draft PIPL provides that automated decision-making on the basis of personal information should be transparent and that the processing results should be fair and reasonable.

If individuals believe that automated decision-making has a significant impact on their rights and interests, they may request an explanation from personal information processors and may refuse to allow personal information processors to make decisions solely by means of automated decision-making.

For business marketing and push notifications based on automated decision-making, an option that does not target personal traits must be provided.

Regulation of Security Surveillance

The Draft PIPL imposes certain restrictions upon security surveillance in public places. Specifically:

  • The installation of image capture or personal identification equipment in public places must be necessary for safeguarding public security, and prominent warning signs must be set up.
  • Collected images of individuals and personal identification information can only be used for safeguarding public security and shall not be published or provided to others unless separate consent is granted by individuals or provided otherwise in laws or regulations.