On April 29, 2021, China released the second draft of the Personal Information Protection Law (hereinafter the “PIPL” or “Draft”) for public comment, replacing the first draft issued in October 2020. The PIPL is regarded as the “Chinese GDPR” and is widely believed to have significant influence on the development of many industries, especially digital business. To help multinational corporations better understand the PIPL and be well prepared for the coming new era of data protection in China, we will prepare 15 thematic articles on various topics to guide compliance under the PIPL from a practical perspective.
Similar to GDPR, the PIPL provides a specific clause on an individual’s right to compensation for personal information handlers’ infringement. It sets out the standard of “presumptive fault”, which means that a personal information handler shall be liable for the damage caused by processing unless it can prove it is not at fault. This clause would relieve a plaintiff’s burden of proof in a civil action and facilitate damage claims. On the other hand, it also indicates the importance of compliance records for a personal information handler so that upon becoming a defendant it will be able to rebut the presumption of fault.
In addition, the PIPL includes a clause recognizing public interest litigation based on personal information infringement, which in practice has been an important way of pursuing unlawful processing activities and collecting meaningful compensation. Personal information handlers should be aware that public interest litigation may become more frequent after the PIPL.
I. Principle of presumptive fault
Article 68 of the Draft provides that if the interests of personal information are infringed due to personal information processing activities, and the personal information handler cannot prove that it is not at fault, it shall be liable for damages. This means that personal information handlers are presumed to be at fault and liable. The presumption can be rebutted, however, and a personal information handler can thereby be exempted from liability. It is close to Article 82(3) of GDPR, which says that a controller or processor shall be exempt from liability if it proves that it is not in any way responsible for the event giving rise to the damage.
This Draft establishes the principle of presumptive fault. Its language differs from that of the first draft. The first draft, released in October 2020, provided that if a personal information handler can prove that it is not at fault, its liability may be mitigated or exempted. That language was ambiguous as to whether the principle of presumptive fault applies (though it implied so) and whether the personal information handler can be entirely exempted from liability by proving non-fault. It therefore stirred considerable controversy. The modification in this Draft reflects consideration of these points, and it is widely believed that the principle of presumptive fault will remain in the final PIPL.
For personal information handlers, this shows the significance of keeping compliance records in case they need to rebut the presumption of fault. Such compliance duties should be understood in combination with Chapter 5 of the PIPL, including internal management policy and protocol, data classification, technical measures such as encryption and pseudonymization, access control, employee training, incident response, auditing, risk assessment, etc.
As to the amount of damage, the Draft provides that it shall be determined in accordance with the loss suffered by the individual or the profits obtained by the personal information handler. If it is difficult to determine the loss and the profits, the amount of compensation shall be determined according to the actual situation by the competent court.
II. Public interest litigation
Article 69 of the Draft provides for public interest litigation based on personal information infringement. It reads that where a personal information handler processes personal information in violation of the provisions of this law and infringes on the rights and interests of many individuals, the people's procuratorates, the competent departments, and the organizations designated by the State Cyberspace Administration may file a lawsuit in the court in accordance with this law.
This is not a new provision. Public interest litigation based on personal information infringement has in fact been common in practice so far. Such actions may be brought pursuant to the Civil Code or the Consumer Protection Law and are usually brought by consumer organizations or procuratorates at various levels. Some civil actions brought by procuratorates are collateral to criminal proceedings, where the procuratorates are dealing with crimes of personal information infringement. As individuals may be reluctant to bring costly and lengthy lawsuits to protect their personal information, public interest litigation will play an increasingly important role in this regard, particularly upon its recognition by the PIPL.
III. Predicting damage claims after the PIPL
Currently, according to China’s Civil Code (and its predecessor, the Tort Liability Law), a tort claim is generally fault-based unless specific laws provide for presumptive fault or strict liability. This means that, as a default rule, the plaintiff in civil procedure has the burden of proving the defendant’s fault. This sets a very high bar for potential plaintiffs – usually individuals who do not know how their personal information was leaked.
In judicial practice, some courts have tried to ease plaintiffs’ burden by re-allocating the burden of proof in individual cases. For example, in 2015, a man sued an online travel agency and an airline company after he received a scam text message related to his airline ticket, which presumably was due to the defendants’ data breach. The court held that, although fault-based liability applied, the plaintiff had satisfied his burden by showing that it was highly likely that his personal information was leaked by the defendants, and that it would have been impossible for him to prove the defendants’ fault by collecting evidence as to their internal data management. The defendants were ordered to apologize publicly, while the plaintiff’s damage claim for mental harms was dismissed. The plaintiff won the case, but the court’s holding was later criticized as legally baseless and is not a generally binding rule.
After the PIPL confirms the principle of presumptive fault, plaintiffs’ burden will be lowered to a great extent. It will without doubt facilitate and even stimulate damage claims against big companies concerning the processing of user personal information.
However, Article 68 remains conceptual as to how damages will be calculated, since most of the time individuals suffer mental rather than monetary harm as a result of a data breach, and it is hard to quantify how much a company could benefit from one or several pieces of personal information. In reality, it is easier to prove and collect damages in public interest litigation than in individual actions. But in current public interest litigation cases, the amount is often tens to hundreds of thousands of RMB, which makes it questionable whether it would be a sufficient deterrent. As the PIPL stipulates harsh administrative penalties – up to 5% of a handler’s turnover – it remains to be seen whether damage claims through courts, particularly public interest litigation, will have as much bite as administrative enforcement in the future.
Note: After April 29, 2021, our alerts will be based on the second draft of the Personal Information Protection Law. Alerts published before that date refer to the first draft.