Long-awaited legislation in China—the Personal Information Protection Law of the People’s Republic of China—was released for public consultation on October 21. Once passed, the law will be the first dedicated personal information protection law in China.
The draft of China’s Personal Information Protection Law (Draft) comprises a total of eight chapters and 70 articles, covering the entire lifecycle of personal information processing. The basic principles and requirements of the Draft are largely consistent with the 2017 China Cybersecurity Law (CSL), the various draft regulations, and national guidelines, but the Draft further clarifies the following key issues.
In addition to activities within China, the Draft also applies to data processing activities that take place outside China if the purpose is to provide products or services to individuals located in China, or to analyze or assess the behavior of individuals located in China. Overseas companies that fall under this extraterritorial jurisdiction must establish a dedicated entity or appoint a representative in China to handle personal information protection matters, and must file the information of that entity or representative with the competent government authorities. Foreign organizations or individuals may be put on a "blacklist" that restricts or prohibits them from receiving personal information from China if they infringe the personal information rights and interests of Chinese citizens, or harm the national security or public interest of China.
Previously, extraterritorial jurisdiction was provided only in draft regulations and national guidelines that have no binding effect. The Draft for the first time explicitly specifies extraterritorial jurisdiction under the law. Once passed, it will have a great impact on foreign companies, and on overseas parent companies of Chinese subsidiaries, that process personal information collected from the Chinese market, as they may then be subject to the full range of personal information protection requirements.
ADDITIONAL LAWFUL BASES FOR DATA PROCESSING
In the past, consent was the only lawful basis for the processing of personal information under the law. Other lawful bases were provided only in national guidelines that have no binding effect. The Draft for the first time specifies additional lawful bases as binding law, which include (1) performing a contract; (2) fulfilling statutory duties or obligations; (3) responding to sudden public health incidents, or protecting individuals’ lives, health, or property under emergency conditions; and (4) acting in the public interest for news reporting and media supervision within a reasonable scope. Once the Draft comes into force, consent may not be required if the data processing activities fall under these categories.
DATA LOCALIZATION AND CROSS-BORDER DATA TRANSFER
The CSL, which took effect in 2017, provides that only critical information infrastructure operators (CIIOs) are subject to the data localization requirements. The Draft, however, extends the application scope beyond CIIOs to companies that process personal information exceeding an amount threshold designated by the government authorities. If such companies intend to transfer personal information outside China, they must pass a security assessment by the competent government authorities.
Other companies that do not fall under the categories above can transfer personal information outside China by doing the following:
- Obtaining personal information protection certification conducted by a professional institution.
- Signing an appropriate agreement with the overseas recipients to ensure that the data processing activities are compliant with the Draft.
This provision exempts such companies from the onerous government security assessment procedure, which is a substantial departure from the previous draft cross-border data transfer regulations that imposed data localization on all network operators in China. Nevertheless, the implementing rules and the specific threshold have not been published yet, and their impact on enforcement remains to be seen.
DESIGNATION OF DATA PROTECTION OFFICER (DPO)
The Draft continues the approach of the previous nonbinding national guideline, which requires companies to designate a person responsible for personal information protection matters, similar to the DPO requirement under the GDPR. The difference is that the Draft restricts the application scope to certain companies only, i.e., those that process personal information exceeding an amount threshold designated by the competent government authorities; that threshold has not been published yet.
PERSONAL INFORMATION IMPACT ASSESSMENT (PIIA)
Previously, the PIIA requirement was scattered across various draft regulations and national guidelines that have no binding effect. The Draft for the first time provides the PIIA requirements as binding law. Under the Draft, companies should conduct a PIIA prior to the following data processing activities:
- Processing sensitive personal information
- Using personal information to conduct automated decision-making
- Entrusting third parties to process personal information, providing personal information to third parties, or publishing personal information
- Providing personal information abroad
- Other personal information processing activities that will have a major impact on individuals
The risk assessment reports and data processing records should be retained for at least three years.
INCREASE OF PENALTIES FOR NONCOMPLIANCE
The Draft increases the maximum penalty from RMB 1 million (approx. $149,000) to RMB 50 million (approx. $7,456,000) or 5% of the violator's turnover for the previous year. The violator's business license may also be revoked.
The consultation period for the Draft will last until November 19, 2020, and the law is anticipated to take effect within the following one or two years. Most of the provisions in the Draft, such as “extraterritorial jurisdiction” and “PIIA,” can be found in previous national standards and draft regulations, the contents of which are largely the same. For companies that are already on their way to establishing a data compliance program, these rules should therefore not add much burden. Some provisions, such as the “DPO” and “data localization” requirements, change the original provisions, but the changes may alleviate the compliance burden on general companies.
The release of the Draft marks a critical step forward for personal information protection, but it still leaves some areas open for further implementation measures. For example, the specific amount thresholds for the data localization and DPO requirements have yet to be published by the competent government authorities.