On 21 October, China’s Personal Information Protection Law (Draft) was officially published. The draft inherits and develops the personal information protection framework outlined in the Civil Code and the Cybersecurity Law, openly draws upon mainstream extraterritorial legislation, such as the EU’s General Data Protection Regulation (GDPR), and defines a more targeted and practicable design for the cross-border personal data system, the legal basis for data processing, rights in personal information, etc.
It is noteworthy that the draft significantly increases penalties, with offending enterprises facing fines of up to RMB50 million (US$7.6 million), or the equivalent of 5% of the previous year’s turnover, and responsible personnel facing fines of up to RMB1 million.
Extraterritorial effect: Long-arm jurisdiction under a cross-border scenario
The second paragraph of article 3 of the draft provides that activities outside of China that involve the processing of the personal information of natural persons in China, for the purpose of offering products or services to such persons, or for analysing or evaluating the behaviour of such persons, are also required to comply with the draft.
Common situations include enterprises shipping goods to users in China and accepting payment in renminbi, or conducting targeted marketing in Chinese. The draft requires a foreign personal information processor to set up an establishment, or appoint a representative, in China, specifically tasked with handling matters relating to the protection of personal information, and to submit the relevant information to the regulator. The draft is silent on the qualifications required of such an establishment or representative, and on the legal liability that the establishment or representative is required to bear.
Legal basis for the processing of personal information: Consent no longer the sole way
On the basis of the “consent of the person whose information is collected” established by current laws and regulations, the draft adds other legal bases for the processing of personal information, e.g., as required for the performance of a contract, for the performance of statutory duties or obligations, for the protection of the interests of natural persons, for safeguarding the public interest, as well as other statutorily defined circumstances.
This provision offers personal information processors a variety of options, which is conducive to resolving such issues as the rigidity and abuse of consent, and the difficulties in operationalising it in specific situations, making “consent” more genuine, effective and relevant.
Informed consent: Scenario-dependent differentiated requirements and right of choice of information subjects
On the above-mentioned legal bases, the draft sets out more stringent compliance requirements for “informed consent”, providing more detail in respect of the contents of notifications, exceptions to notification, prohibition against compelling consent, withdrawal of consent, etc., which is conducive to giving information subjects the opportunity to make effective choices regarding specific processing activities while being sufficiently aware of the situation.
Furthermore, the draft requires that an individual’s separate consent be secured before his or her personal information is provided to a third party. The processing of information that has entered the public domain is required to be consistent with the purpose for which the personal information was originally disclosed, and if the reasonable scope related to such purpose is to be exceeded, consent is required to be secured anew.
Processing of sensitive personal information: Not permitted if not necessary
For the first time, the draft explains “sensitive personal information” at the statutory level, requiring that, before such information is processed, a prior risk assessment be conducted, that there be a specific purpose and sufficient necessity, that the individual be informed, and, if the processing is to be based on consent, that separate consent be secured from the individual.
With a view to regulating the collection of information on whereabouts and personal identifying information, the draft provides that, where image capture and personal identification equipment is installed in public places, the same must be necessary for safeguarding public safety, and be conspicuously marked. This information may only be used for safeguarding public safety, and may not be made public, or provided to third parties.
Individual rights: Right to know and control
The draft specifies that the individual has, in the course of personal information processing activities, the right to know, right to decide, right of limitation, right of refusal, right of search, right to duplicate, right to correct, right of deletion, right of explanation, and the right to object to decisions made automatically.
The draft sets out the conditions under which the right of deletion applies, including expiration of the specified retention period, achievement of the processing purpose, cessation of use or withdrawal of consent by the user, and unlawful processing of personal information by an enterprise. Other issues, such as the conditions and time limits for, and costs of, exercising personal information rights, still await clarification by the regulator.
Data cross-border compliance: Multiple means under differential considerations
Based on the differing risks to national security that the outbound transfer of personal information from China can pose, the draft specifies that, before transmitting personal data abroad, a key information infrastructure operator, and a personal information processor that processes personal information in a quantity reaching the threshold specified by the regulator, are required to undergo a security assessment arranged by the state internet information authority.
Other personal information processors may opt for different outbound transfer mechanisms, such as a security assessment, personal information protection certification, or execution of a contract with the receiving party. While ensuring security, this is conducive to reducing the cost of sending personal information abroad and promoting the orderly use of data.
Conclusion and outlook
On the whole, the author believes the draft fully draws on the advanced experiences from legislation around the world, and the beneficial results in domestic law enforcement activities, and effectively balances multiple interests, such as personal information protection, use and circulation, national security, and the public interest.
Before the law is officially promulgated and implemented, enterprises should compare and analyse the current state of their personal information protection work, systematically identify compliance risks, address gaps and shortcomings, and enhance their personal information protection level, so as to reduce the risks of being involved in litigation and suffering penalties.