On 21 October 2020, China’s Personal Information Protection Law (Draft) was officially published. The draft inherits and develops the personal information protection framework set out in the Civil Code and the Cybersecurity Law, openly draws on leading foreign legislation such as the EU’s General Data Protection Regulation (GDPR), and lays down a more targeted and practicable design for the cross-border transfer of personal information, the legal bases for processing, the rights of individuals in their personal information, and related matters.
It is noteworthy that the draft significantly increases penalties: an offending enterprise faces a fine of up to RMB50 million (US$7.6 million) or up to 5% of its turnover for the previous year, and the personnel directly responsible face fines of up to RMB1 million each.
Extraterritorial effect: Long-arm jurisdiction in cross-border scenarios
The second paragraph of article 3 of the draft provides that processing of the personal information of natural persons within China that takes place outside China also falls within the scope of the draft where its purpose is to offer products or services to those persons, or to analyse or evaluate their behaviour.
Common situations include enterprises that ship goods to users in China and accept payment in renminbi, or that conduct targeted marketing in Chinese. The draft requires such a foreign personal information processor to set up a dedicated establishment, or appoint a representative, in China to handle matters relating to the protection of personal information, and to report the details of that establishment or representative to the regulator. The draft is silent on the qualifications such an establishment or representative must have and on the legal liability it bears.