On April 29, 2021, China released the second draft of the Personal Information Protection Law (hereinafter the “PIPL” or “Draft”) for public comments, which replaced the first draft issued in October 2020. The PIPL is regarded as the “Chinese GDPR” and is widely believed to have significant influence on the development of many industries, especially digital business. To help multinational corporations better understand the PIPL and be well prepared for the coming new era of data protection in China, we will prepare 15 thematic articles on various topics to guide compliance with the PIPL from a practical perspective.
The PIPL sets up a role that is similar to the position of data protection officer (DPO) under GDPR. It is called the “person in charge of personal information protection.” The PIPL decides whether such a role is mandatory based on the amount of personal information processed. However, the PIPL is ambiguous about what is required of a person taking this position, or what specific duties he/she is charged with. As he/she may bear personal liability under the PIPL, it is important to pay attention to industry practices and enforcement trends in this regard.
Although the “person in charge of personal information protection” under the PIPL is not entirely the same as DPO under GDPR, in this article, we will simply call it a DPO for the purpose of describing its requirements and duties in China.
I. Who is required to appoint a DPO?
According to Article 52 of the PIPL, if a personal information controller processes a volume of personal information that reaches the threshold prescribed by the national network information department, it shall appoint a DPO.
Before the PIPL is enacted, it remains unclear what the threshold will be, and we will have to wait for implementing rules. But China’s Personal Information Security Specification (GB/T 35273-2020) (PISS) – a nation-wide standard without binding effect but largely referenced in practice – gives us a clue. It provides that a personal information controller must appoint a DPO if: (i) its main business involves personal information processing and it has more than 200 employees; (ii) it processes, or expects to process within 12 months, the personal information of more than 1 million people; or (iii) it processes the sensitive personal information of more than 100,000 people.
Different from GDPR, which gives three scenarios requiring a DPO, the PIPL sets out the criteria along a single dimension: the quantity of personal information processed. If competent authorities promulgate rules on the relevant thresholds in the future, it is expected to become clear-cut for personal information controllers to decide whether such a role is mandatory or not.
In addition to the DPO role, the PIPL sets out another related obligation for those personal information controllers that provide basic Internet platform services, have a huge number of users, and have complex business types. Such a controller is required, among other things, to establish an independent department mainly composed of external members to supervise its personal information processing activities. This provision seems to be designed specifically for large Internet platforms, and the requirement of an independent supervisory department is much stricter than a pure DPO role.
II. Requirements of a DPO
Unlike GDPR or even the previous PISS, the PIPL does not impose any requirements on the DPO role, for example as to its independence (except for large Internet platforms, as described above), expertise, or reporting line. It is only required that a personal information controller disclose its DPO’s contact information, and submit the DPO’s name and contact information to the competent authorities for the record.
Because neither independence nor expertise is required, a personal information controller could appoint any employee to this position to satisfy Article 52. And as the position is not even explicitly required to be filled by an employee, it may be an outsourced DPO. However, for the purpose of compliance, it is still sensible to appoint someone who is familiar with the controller’s data processing activities, has appropriate knowledge of data protection law and practice, or has received adequate training.
III. DPO’s duties
As to the DPO’s duties, the PIPL uses very broad language: he/she shall be responsible for supervising personal information processing activities and the protective measures taken. No further detail of the kind found in GDPR or the previous PISS is specified.
But if Article 52 is read in combination with the whole of Chapter V of the PIPL – Obligations of Personal Information Controllers – it follows that a DPO may need to take care of these obligations. Beyond organizational requirements, Chapter V sets out a personal information controller’s compliance measures, audit, risk assessment and data breach response requirements. As the person in charge of personal information protection, he/she is expected to be involved in, or take the lead in, fulfilling these responsibilities.
In addition, Article 63 mentions that if a competent authority requests to interview a personal information controller due to great risks associated with its processing activities or a data breach incident, it may reach out to the controller’s legal representative or its DPO.
IV. Legal consequences for a DPO
While GDPR does not provide for a DPO’s personal liability, the PIPL will penalize “directly responsible individuals” for violations, and a DPO could be a directly responsible individual. The fine for an individual is up to RMB100,000 (approx. €13,000), or when the circumstances are serious, up to RMB1 million (approx. €130,000). It remains to be clarified in practice under what conditions a DPO would be sanctioned, particularly whether and to what extent fulfilling a duty of care could exempt one from personal liability.
V. Relationship with other data protection or cybersecurity roles
Notwithstanding the above, it is important to consider at the same time other data protection or cybersecurity related roles provided for in other laws or regulations. Because the PIPL does not require independence, a DPO may hold concurrent positions within the controller, particularly when the jobs are more or less related.
For example, the Cybersecurity Law designates a person in charge of cybersecurity, who is responsible for implementing cybersecurity protective measures. As another example, the Provisions on the Cyber Protection of Children's Personal Information require the appointment of a dedicated person responsible for the protection of children's personal information.
So far, there are no conflicts among their duties according to the law. Therefore, to reduce compliance costs, it is viable to appoint one employee to hold multiple positions at the same time. On the other hand, from a practical perspective, the responsibilities of each role should be sorted out in order to ensure that no legal obligations are omitted, and where possible, these roles should be appointed separately based on corporate structure, actual workload and the expertise of the different candidates.
Next Topic: [Risk Assessment]
Note: After April 29, 2021, our alerts will be based on the second draft of the Personal Information Protection Law. For those published before the date, they referred to the first draft.