Recently, the Standing Committee of the 13th National People’s Congress, China’s top legislature, opened its 28th session to review multiple draft laws and amendments, among which the widely expected drafts of the Personal Information Protection Law (PIPL) and the Data Security Law (DSL) were submitted for their second review.
The second exposure drafts of the PIPL and the DSL, which were published on April 29, 2021, incorporate the opinions of all parties on the first drafts and, at the same time, respond to several concerns raised by the public. Compared with their previous versions, they are more mature and complete.
As the two laws are expected to be finally approved within this year and to come into force early next year after a grace period, it is highly important for entities operating in China to pay close attention to them. Below we introduce what is new in the second drafts of the PIPL and the DSL compared with their predecessors, for reference.
I. Major Amendments in the Second Draft of PIPL
Overall, in response to issues such as the excessive and unscrupulous collection of personal information, the second draft of the PIPL further enhances the protection of personal information by improving the principles and rules for processing personal information, clarifying the duties of the competent authorities and imposing additional obligations on Internet giants, specifically as follows.
1. Emphasizing the Principle of Minimum Necessary
Article 6 of the second draft of the PIPL emphasizes the principle of minimum necessary, by requiring that personal information processing shall be limited to the minimum scope necessary to achieve the processing purpose, and shall be conducted through a method with the smallest influence on the individual’s rights and interests.
2. Adding a New Legal Basis for Processing Personal Information
The second draft of the PIPL adds a new legal basis for processing personal information in Article 13 by providing that consent is not required when previously disclosed personal information is processed within a reasonable scope. Notably, processing personal information on this basis is also subject to Article 28 of the PIPL, which specifies the rules for using disclosed personal information.
3. Improving the Rules for Withdrawing Consent
The first draft of the PIPL provided that an individual has the right to withdraw his/her consent to the processing of personal information that is based on that consent. Article 16 of the second draft of the PIPL further requires that the personal information handler (a role similar to the “data controller” under the GDPR) shall provide the individual with an easy way to withdraw consent. In addition, the withdrawal of consent shall not affect the validity of personal information processing activities undertaken on the basis of the individual’s consent before it was withdrawn.
4. Adjusting the Rules for Using Automated Decision-making
Article 25 of the second draft of the PIPL adjusts the wording of the rules for using automated decision-making by stipulating that those conducting commercial marketing or information push delivery through automated decision-making methods shall simultaneously provide an option that does not target the individual’s personal characteristics, or provide the individual with a convenient way to refuse. Besides, when automated decision-making produces decisions with a significant influence on the rights and interests of the individual, he/she has the right to require the personal information handler to give an explanation, and the right to reject a decision made solely through automated decision-making methods.
5. Adding the Protection of Deceased Person’s Personal Information
Article 49 of the second draft of the PIPL adds protection for the personal information of deceased persons, by providing that the rights of a deceased individual in respect of personal information processing activities shall be exercised by his/her next of kin.
6. Imposing More Obligations on Internet Giants
In view of the Internet giants’ market dominance and prominent problems in the sector such as the lack of transparency in collecting and using user data, Article 57 of the second draft of the PIPL stipulates higher requirements for personal information handlers that provide basic Internet platform services, have a large number of users, or operate complex business models.
Specifically, those personal information handlers shall (1) set up an independent body composed mainly of outside members to supervise personal information processing activities; (2) stop providing services to product or service providers on the platform that seriously violate laws or administrative regulations in processing personal information; and (3) regularly publish social responsibility reports on personal information protection and accept supervision by society.
7. Clarifying the Duties of the Party Entrusted to Process Personal Information
The first draft of the PIPL imposed obligations on personal information handlers to take institutional, organizational and technical measures to protect personal information. On this basis, Article 58 of the second draft of the PIPL makes it clear that the party entrusted to process personal information (a role similar to the “data processor” under the GDPR) shall also perform the relevant duties of personal information handlers and take the necessary measures to safeguard the security of the personal information it processes.
8. Indicating the Responsibilities of Cyberspace Administration
Article 61 of the second draft of the PIPL clarifies the duties of the national cyberspace administration, which is the main authority responsible for coordinating the protection of personal information and the related supervision and administration work. These duties include (1) formulating personal information protection rules and standards; (2) formulating specialized personal information protection rules and standards for new technologies and new applications regarding sensitive personal information, facial recognition, artificial intelligence, etc.; (3) supporting the research and development of secure and convenient electronic identity authentication technology; and (4) promoting the development of a socialized service system for personal information protection, and supporting relevant organizations in carrying out personal information protection evaluation and certification services.
9. Establishing the Doctrine of Presumption in Determining Personal Information Infringement
Article 68 of the second draft of the PIPL establishes the doctrine of presumption in determining personal information infringement, by providing that where personal information rights and interests are harmed by personal information processing activities, the personal information handler shall bear liability for the infringement, including compensation, unless it can prove that it is not at fault.
II. Major Amendments in the Second Draft of DSL
The second draft of the DSL further echoes and supplements the rules on the security management of data under the Cybersecurity Law of China, by reiterating the importance of the data classification and categorization protection system and the multi-level protection system, clarifying the restriction on the cross-border transfer of important data by non-critical information infrastructure operators (“Non-CIIOs”), and adding penalties for the unauthorized provision of data to overseas authorities, specifically as follows.
1. Establishing the Data Classification and Categorization Protection System
The second draft of the DSL prescribes, for the first time at the level of law, that the state shall establish a data classification and categorization protection system and determine an important data catalog to strengthen the protection of important data (Article 20). Local departments shall determine the specific catalog of important data for their region, sector and related industries and fields in accordance with the important data catalog, and adopt special protection for the data listed in the catalog.
2. Emphasizing the Importance of Multi-level Protection System
Article 26 of the second draft of the DSL adds a data security management requirement that data processing activities shall be carried out on the basis of the multi-level protection system for cybersecurity. This requirement echoes and is in line with the provisions of Article 21 of the Cybersecurity Law of China.
3. Expanding the Restriction on Important Data Export by Non-CIIOs
The Cybersecurity Law of China provides that important data collected and generated by critical information infrastructure operators (CIIOs) in operations within the territory of China shall be stored in China, and may be exported only after a security assessment by the authorities. Article 30 of the second draft of the DSL further clarifies that the export of important data collected and generated by Non-CIIOs shall also comply with the relevant management measures to be formulated by the authorities, thereby enhancing the protection of important data.
4. Adding the Penalties on Unauthorized Provision of Data to Overseas Authorities
The first draft of the DSL required organizations and individuals to cooperate with the collection of data by public security and national security organs as necessary to lawfully preserve national security or investigate crimes, and at the same time not to provide data to judicial or law enforcement bodies outside China without the approval of the competent authorities. On this basis, Article 46 of the second draft of the DSL further provides penalties for violating these requirements.
Specifically, those refusing to cooperate with the security organs’ data collection shall be ordered to make corrections, given a warning and fined up to CNY500,000 (about US$77,250); in addition, the person directly in charge and other directly responsible persons shall be fined up to CNY100,000 (about US$15,450). Those providing data to overseas authorities without approval shall be ordered to make corrections, given a warning and fined up to CNY1 million (about US$154,500), and the person directly in charge and other directly responsible persons shall be fined up to CNY200,000 (about US$30,900).
III. Practical Observation and Looking Forward
To summarize, the second draft of the PIPL further enhances the protection of personal information by imposing higher requirements and a stricter burden of proof on personal information handlers. In particular, tougher data protection rules are imposed on Internet giants, under which big Internet platforms may have to set up an independent body to supervise personal information processing activities and adopt other necessary measures to protect personal information. The second draft of the DSL again highlights the adoption of the data classification and categorization protection system and the multi-level protection system, and adds a restriction on the cross-border transfer of important data by Non-CIIOs.
As mentioned above, these two laws are expected to be enacted within 2021 and to enter into effect in early 2022. Companies operating in China are therefore advised to prepare for them, for example by completing the filing for multi-level protection of cybersecurity, and to keep an eye on the finalization of the laws so as to update their data compliance policies as the case may be.