At-a-glance: China’s draft Personal Information Protection Law

China last week published a first draft of its comprehensive Personal Information Protection Law (Draft PIPL) which aims to provide national level protection of personal data for residents of mainland China.

The draft consists of 70 articles and provides similarities to the EU’s GDPR, emphasising seven principles for data processing – legality, explicit purpose, minimum necessity, transparency, accuracy, accountability and data security.

The PIPL will be a comprehensive fundamental law that will operate alongside China’s Cybersecurity Law, Data Security Law, and the PRC E-Commerce Law, to harmonise the country’s data protection regulation.

Scope

When the law comes into effect it will provide new compliance obligations for organisations operating in China. Additionally, the law will provide protection of personal information of PRC residents processed outside of mainland China for the purposes of: sales and goods, analysis of residents’ behaviour, or in other circumstances as provided by Chinese laws and regulations. The PIPL would not apply to an individual processing their own or their family’s data.

Entities outside of China that collect and analyse data for these purposes will need to appoint a data protection representative or organisation in China.

The departments responsible for personal information protection include the Cyberspace Administration of China (CAC), the relevant department of the State Council and the relevant department of local government at the level of county or above.

Legal basis for processing personal data

As outlined in the draft, under PIPL a data processor may process personal data based on:

• consent of the data subject
• the necessity of executing or performing a contract
• the necessity of performing a legal obligation or legal duty
• a response to an emergent public health event or the necessity of protecting the safety of an individual’s life and property
• the publication of news and the supervision by public opinion for the public interest within reasonable scope

Consent

Separate opt-in consent is required for processing sensitive personal data and processors will need to require parental consent if they aware the data subject is under 14 years of age. Additionally, when using automated decision-making systems or sharing personal data, separate consent as well as specific disclosure in the privacy notice is required.

Data subject rights 

The draft PIPL includes the right to information and explanation on the data processing, right to access and request for a copy of personal data, right to correction, right to object processing, right to withdrawing consent and right to deletion.

Cross-border transfer of personal Information and localisation 

There are three methods for transferring personal data across border outlined in the draft:

• obtaining certification issued by the organization as authorized by CAC
• signing cross-border data transfer agreement with overseas data receiver(s)
• other mechanisms as provided by other laws and regulations

Due to more expansive data localisation requirements outlined in the draft PIPL, personal data processors that process over a certain amount of data in the PRC and CIIO are subject to the data localization requirement and any cross-border data transfer is subject to security assessment to be conducted by the Chinese regulators.

Cross-border transfers of personal data to foreign authorities will still require Chinese regulators’ prior approval under the draft PDPL.

Legal liability 

The draft PIPL extends the penalties given under China’s Cybersecurity Law. Serious violations of the draft PDPL, such as illegal processing of personal data or failure to adopt necessary safeguards to protect personal data, can be fined up to RMB 50,000,000 ($7.4 million) or up to 5% of the preceding year’s revenue.

What happens next?

The draft PIPL is now open for public comment following the first review by the Standing Committee of the National People’s Congress. According to Dentons’ report, a legal team specializing in China’s data compliance, the PIPL “may be finalized and officially promulgated around the middle or late next year at the earliest.”

In its report, Dentons also suggest areas where further clarification is needed, stating:

“As far as the Draft itself is concerned, there are still many provisions that need to be clarified, supplemented or improved. For example: whether a foreign PI handler can appoint a domestic third-party organization as the designated representative; what is the quantity threshold for PI localization; what are the “specific departments performing PI protection duties”; is there any mitigation or exemption of fines, etc.”