On April 29, 2021, China released the second draft of the Personal Information Protection Law (hereinafter the “PIPL” or “Draft”) for public comments, which replaced the first draft issued in October 2020. The PIPL is regarded as the “Chinese GDPR” and is widely believed to have significant influence on the development of many industries, especially digital business. To help multinational corporations better understand the PIPL and be well prepared for the coming new era of data protection in China, we will prepare 15 thematic articles on various topics to guide compliance under the PIPL from a practical perspective.
China does not have an independent data protection authority (“DPA”) like the European countries. Instead, several departments like the Cyberspace Administration of China (“CAC”), the Ministry of Public Security (“MPS”), the State Administration for Market Regulation (“SAMR”), sectoral authorities and their local counterparts, have certain law enforcement power over personal information protection-related issues. It seems that the Draft does not change such status quo, but further clarifies the responsibilities and enforcement measures of authorities while maintaining the existing regulatory system.
I. Departments Performing Personal Information Protection Duties
Article 59 of the Draft puts forward the concept of “departments performing personal information protection duties”, among which, the State cybersecurity and informatization department is responsible for comprehensive planning and coordination of personal information protection work and related supervision and management work; relevant departments of the State Council are responsible for personal information protection, supervision, and management work within their respective scope of duties and responsibilities; and relevant departments of county-level and higher local governments perform personal information protection duties according to related regulations.
Specifically, the State cybersecurity and informatization department generally refers to the CAC. Relevant departments of the State Council include the MPS, the SAMR, the Ministry of Industry and Information Technology (“MIIT”) and other sectoral authorities like the People’s Bank of China, the Ministry of Science and Technology (“MST”) and the National Health Commission. Relevant departments of county-level and higher local governments mainly refer to the local counterparts of the departments of the State Council mentioned above. For example, the Shanghai Communications Administration is one of the local counterparts of the MIIT.
II. Duties and Responsibilities of Enforcement Authorities
The Draft clarifies the duties and responsibilities of the “departments performing personal information protection duties”, and requires the State cybersecurity and informatization department to take the lead to promote the overall personal information protection work.
1. Duties and Responsibilities of the Authority
According to Article 60 of the Draft, the “departments performing personal information protection duties” shall fulfill the following personal information protection duties and responsibilities: (1) conducting personal information protection propaganda and education, and guiding and supervising personal information handlers’ conduct of personal information protection work; (2) accepting and handling personal information protection-related complaints and reports; (3) investigating and punishing unlawful personal information handling activities; and (4) other duties and responsibilities provided by laws and administrative regulations.
2. Personal Information Protection Work to Be Promoted
Article 61 of the Draft requires the State cybersecurity and informatization department to coordinate the relevant departments to promote personal information protection work, including (1) formulating personal information protection rules and standards; (2) formulating specialized personal information protection rules and standards for new technologies and new applications regarding sensitive personal information, facial recognition, artificial intelligence, etc.; (3) supporting the research and development of secure and convenient electronic identity authentication technology; and (4) promoting the construction of service systems to socialize personal information protection, and supporting relevant organizations to carry out personal information protection evaluation and certification services.
So far, the CAC has formulated or taken the lead to formulate certain personal information protection regulations and rules, such as the Provisions on the Cyber Protection of Children’s Personal Information and the Method for Identifying the Illegal Collection and Use of Personal Information by Apps.
Notably, items (2) and (3) of the personal information protection work mentioned above are newly added in the second draft of the PIPL, which reflect China’s growing attention to new technologies and applications involving the use of personal information, as well as the development of new technologies to protect personal information.
III. Enforcement Measures of Authorities
China has been proactive in law enforcement regarding personal information protection since the implementation of the Cybersecurity Law in 2017. On one hand, the four major enforcement authorities, namely the CAC, the MPS, the SAMR and the MIIT, have launched several special campaigns independently or jointly, such as the “Clean Net” campaign, the “Protect Consumer” campaign and the campaigns against unscrupulous collection of personal information by mobile applications. On the other hand, general law enforcement activities have gradually become normalized, and sectoral authorities are quite active in handling data protection-related issues as well; for example, the MST has punished some companies for providing human genetic resources information outside of China without official authorization.
Against this background, the Draft further makes clear the measures that may be taken when the “departments performing personal information protection duties” are performing their duties and responsibilities. The measures include (1) interviewing relevant concerned parties, and investigating personal information handling activities; (2) looking up and copying the concerned party’s contracts, records, receipts as well as other relevant material related to personal information handling activities; (3) conducting on-site inspections, and investigating suspected unlawful personal information handling activities; and (4) inspecting equipment and articles relevant to personal information handling activities, and when there is evidence the equipment or articles are used in illegal personal information handling activities, after reporting to the department’s main responsible person in writing and receiving approval, the equipment or articles may be sealed or confiscated.
Besides, pursuant to the Draft, the “departments performing personal information protection duties” may have a talk with the personal information handler’s legal representative or main responsible person, or require personal information handlers to entrust specialized institutions to conduct compliance audits of their personal information handling activities, if they find that relatively large risks exist in personal information handling activities.
IV. Other Observations
Overall, as mentioned above, the Draft does not change the current polycentric supervision on data protection-related issues, but maintains such status quo to some extent. In this regard, a personal information handling activity may be subject to multiple enforcement authorities’ regulations with different perspectives. Predictably, law enforcement activities may further increase after the PIPL takes effect, so it is advisable for companies operating in China to establish a data compliance system and get prepared for potential enforcement activities at the same time.
Note: After April 29, 2021, our alerts will be based on the second draft of the Personal Information Protection Law. Alerts published before that date referred to the first draft.