On October 21, 2020, a draft of China’s Personal Information Protection Law (the “Draft PIPL”) was released for public comment on the website of China’s National People’s Congress – the national legislature. The comment period ended on November 19, 2020.
This is the first draft of this law, and depending on the comments received by the legislature, it is technically possible that a second draft or even a third draft may be issued for public comment as draft laws can be submitted for voting only after three readings. However, usually third drafts are reserved for intensely debated laws, and the PIPL does not appear to attract much public attention in China, so it is more likely that it will end with a second draft at most and may be finally enacted this year or next year.
Currently, personal data protection provisions are scattered among various laws and regulations in China, and the Draft PIPL, if passed, would become China’s first comprehensive law dedicated to personal data protection. The Draft PIPL combines and expands on personal data provisions in existing laws and regulations. While it likely will be further revised before finally enacted, it certainly sheds light on the legislators’ thoughts on key personal data protection issues in China.
Below is a summary of provisions in the Draft PIPL that may be of interest to international companies.
Under the Draft PIPL, personal information is defined as various information that is recorded electronically or by other means and is related to an identified or identifiable natural person, excluding anonymized information.
Sensitive personal information is defined as personal information which, once leaked or illegally used, may result in discrimination or seriously endanger personal or property safety, including information such as race, ethnicity, religious beliefs, personal biometrics, medical health, financial accounts, and personal whereabouts.
Personal information processing covers activities such as the collection, storage, use, processing, transmission, provision, and disclosure of personal information.
The Draft PIPL does not adopt the term "data controller" used in the European Union's General Data Protection Regulation (GDPR). Instead, the "personal information processors" in the Draft PIPL play a role similar to that of data controllers in the GDPR. Also, under the Draft PIPL, personal information processors may entrust other parties to process data, and such entrusted parties are similar to data processors in the GDPR.
The Draft PIPL applies to the processing of personal information outside of China where the personal information being processed belongs to natural persons in China and under any of the following circumstances: i) the processing is for the purpose of providing products or services to natural persons in China; ii) the processing is for the purpose of analyzing or evaluating the conduct of natural persons in China; or iii) other circumstances otherwise provided in laws or regulations.
The Draft PIPL also provides that such personal information processors outside of China must establish a specialized entity or designate a representative in China that is in charge of handling matters related to personal information protection, and the name and the contact information of the entity or the representative must be reported to the authorities responsible for personal information protection.
The Draft PIPL sets forth several principles for processing personal information:
Under the Draft PIPL, personal information processors may process personal information only under one of the following circumstances:
Under the Draft PIPL, a host of rules have been established surrounding personal consent as the main legal basis for personal information processing:
Similar to the GDPR, the Draft PIPL has a chapter on individual rights in personal information processing activities, including:
Personal information processors are required to take necessary measures to secure personal information:
For personal information processors that process personal data in an amount reaching the threshold set by the national cyberspace administration, a personal information protection officer should be designated and his or her name and contact information should be published and reported to the competent authorities.
Personal information processors are required to regularly audit their personal information processing activities and protection measures.
For the following and other personal information processing activities that have a significant impact on individuals, processors are required to conduct prior risk assessment and keep the risk assessment reports and records of the processing activities for three years:
In the event of a personal information breach, processors must immediately take remedial measures and notify the competent authorities and individuals, but notifications to individuals may be waived if processors take measures that successfully prevent harm resulting from a data breach.
Under China’s current Cybersecurity Law (CSL), only operators of critical information infrastructure (CII) are required to store personal data collected in their operations in China within the territory of China.
In addition to CII operators and state organs, the Draft PIPL imposes the same data localization requirement on personal information processors that process personal data in an amount reaching the threshold set by the national cyberspace administration. These processors with the data localization obligation must pass the security assessment organized by the national cyberspace administration before providing personal information outside of China.
Other general personal data processors may provide personal information outside of China for business needs under any of the following circumstances: i) the processor passes the security assessment organized by the national cyberspace administration; ii) the processor is certified for personal information protection by a professional organization designated by the national cyberspace administration; or iii) the processor has entered into a contract with the recipient outside of China setting forth the two parties' rights and obligations, and monitors that the data processing by the recipient meets the same protection standard as set by this law.
The Draft PIPL provides that automated decision-making on basis of personal information should be transparent and that the processing results should be fair and reasonable.
If individuals believe that automated decision-making has a significant impact on their rights and interests, they may request an explanation from the personal information processor and may refuse to have the personal information processor make decisions solely by means of automated decision-making.
For business marketing and push notifications based on automated decision-making, an option that is not targeted at the individual's personal traits must also be provided.
The Draft PIPL imposes certain restrictions upon security surveillance in public places. Specifically: