On 30 April 2021, the Legislative Affairs Commission of the National People’s Congress Standing Committee released the second review draft of the Personal Information Protection Law for public consultation. The draft marks the development and improvement of China’s legal system for personal information security. It covers regulations on key issues such as face recognition, so-called “cyber manhunts”, automated decision-making, desensitisation and cross-border transfer of data, and sets higher requirements for internet enterprises’ compliance and government regulation.
Given that a few issues are still open to debate, such as the identification of subjects of liability, enterprises should keep an eye on these issues and adjust their business practices accordingly.
Unlike the Chinese draft, the EU’s General Data Protection Regulation (GDPR) and the UK’s Data Protection Act (DPA) divide subjects of liability into data controllers and data processors.
Article 72 of China’s draft gives the definition for personal information processors. The relevant provisions only address information processing acts and information processors, without reference to data controllers and data control activity. Article 65 only provides for the legal liabilities for “processing” personal information in violation of the provisions of this law.
The draft adopts an overarching regulatory framework to simplify the rules and uses broader concepts to dovetail with the concept of third parties in the Civil Code. However, given the special nature of personal information processing and protection, this intentional generalisation may give rise to a number of problems.
According to article 4(7) of the GDPR, “a controller is a natural person, legal entity, public body, agency or other organisation that can decide, individually or jointly, the purpose and manner of processing personal data”. Article 4(8) stipulates that processors are the above-mentioned subjects who process personal data on behalf of controllers. The GDPR distinguishes controllers from processors based on whether the subject of information processing has autonomy. A subject with an independent will to determine the purpose and manner of information processing is an information controller, while an information processor is only the subject responsible for carrying out specific information processing.
However, article 72 of the draft stipulates that “a processor of personal information is an organisation or individual who independently makes a decision on the purpose and manner of processing personal information”, and such a stipulation is the definition of data controller under the GDPR. The draft also stipulates that the processing of personal information includes the collection, storage, use, processing, transmission, provision and disclosure of personal information.
Clearly, these acts cannot be equated with autonomous determination of the purpose and manner of information processing, and thus do not match the definition of the subject of liability. Therefore, the draft does not define a personal information processor clearly and may give rise to controversies.
The distinction between data controllers and data processors under the GDPR and DPA is of practical significance because data controllers are often independent of data processors in the course of personal data processing, particularly in situations where governmental public sectors assign their data to data processing service providers for processing.
All of the above-mentioned rules have enumerative provisions on the acts of data processing, and thus the status of a subject engaged in a certain act can be determined. A subject responsible for the actual processing work is usually considered a data processor, while a data controller is responsible for setting and interpreting the purpose of data processing.
In principle, when disclosure of personal data or other infringements are caused by violation of applicable regulations, the information controller should assume the legal liabilities arising from them.
Absolute controllers and processors are relatively extreme concepts. If one party decides how personal data is processed and provides detailed processing instructions for the other party to follow, and the other party is strictly bound by such instructions, the party giving instructions is a data controller and the other party is a data processor.
An example of this would be where a public personal information collector obtains a large amount of personal information and then hands the data over to an IT service provider, which stores and organises the data on its behalf, and where the purpose and manner of data use and the period of storage are controlled by the collector. Though the IT service provider has the right to decide a safe way to store and access the data by virtue of its professional ability, the right to decide the purpose and method of data processing remains with the collector throughout. Therefore, the collector, as a data controller, should be liable for any violation and infringement in the course of personal information processing.
It is worth noting that there is greater flexibility in determining the status of subjects in specific data processing scenarios. For example, where a bank contracts a market survey company to conduct a survey of customer satisfaction with the bank’s services, although the company conducts the survey on behalf of the bank, it actually performs the role of information controller because it has the autonomy to decide how to collect information, how to take samples, and how to present the results.
In the event of any violation, the company should be held liable according to the extent of its role as a controller. Additionally, going back to the earlier example, if the IT service provider’s information processing behaviour goes beyond the contract between the IT service provider and the collector, and thus causes damages, the IT service provider has performed the role of controller and is liable for infringement and for breach of its contract with the collector.
A clear identification of data controllers and processors is crucial to determining and judging their rights and responsibilities, and therefore, further clarification and adjustments should be introduced. Based on the current structure of the draft, as an enterprise conducts business activities related to personal information, it should fully consider its processing behaviour, rights and responsibilities as a data controller and a data processor, and take the initiative to complete a thorough review of its compliance, regardless of whether it has the independent will to determine the purpose and method of information processing.
In particular, when entering into a contract on information processing, the purpose and duration of information processing, processing method, type of personal information, protection measures, and rights and obligations of both parties shall be fully stipulated in the contract. In addition, the information processing activities carried out by the authorised party must be monitored.
Chen Yuxuan is a partner and Tian Chenguang is a counsel at Yuanhe Partners