On October 21, 2020, the People’s Republic of China issued the first draft Personal Information Protection Law (PIPL). Compared to the previous Cybersecurity Law(CSL) of 2017 the draft PIPL consists of 70 articles divided in 8 chapters which cover several topics such as:
-Personal information processing;
-Cross-boarder transfer of personal information;
-Personal information related to users’ rights;
-Obligations for the personal information processors;
-The authority responsible for personal information;
From a merely comparative perspective, we can say that the content of the draft is comparable with the content of EU's General Data Protection Regulation (GDPR).
Following the end of April 2021, a second draft PIPL, which will be discussed in the second part of the report, was officially released. Naturally, as for many other national laws, further specifications concerning the application of PIPL will be implemented by following administrative regulations.
Key aspects of the draft PIPL
Definition of roles and principles related to data processing
The draft PIPL provides different principles concerning the activity of data processing, including transparency, lawfulness, fairness, purpose limitation and data minimization. The "Personal Information Processors" (PIPs) is the subject that has to accept and stand by these principles. According to the draft PIPL, the PIPs is an "organization or individual that in an independent way takes decisions on personal information processing matters”.
Extended scope of personal information
The draft provides a broad definition of personal information. Article 4 of the draft defines personal information as “a variety of information that is recorded by electronic or other means and relating to an identified or identifiable natural person”. The introduction of the standard of “pertinence” combined with the standard of “identification” (provided by the CSL) allows a potential extension of the scope of the definition of personal information.
In contrast with the principle of cyber-sovereignty found in Article 2 of the CSL, which concerns “construction, service, protection, usage and supervision of the web within national boundaries”, article 3 of the drat PIPL proposes extraterritorial application to overseas organizations and individuals that process personal data of data subjects in China. The extraterritorial scope shall apply if overseas entities provide products or services to data subjects in the PRC or they analyze and evaluate the activities of individuals in the PRC; or under other circumstances dictated by laws and regulations. Furthermore, overseas organizations dealing in the processing of personal data within China must set up "special institutions or designated representatives" in China.
The PIPL dictates that the processing of personal data must happen under specified lawful basis, which do not include the legitimate interest of the PIPs or a third party. The processing can occur under the data subject clear and voluntary consent, and also under the necessity of the conclusion or performance of a contract or the performance of statutory duties; the necessity to respond to public emergencies; for journalism or media supervision in the public interest; or other circumstances allowed by Chinese law and regulations. Furthermore, the consent for sensitive data such as race, ethnicity, religious beliefs, personal health, must be collected separately, and the PIPs that process personal information of a minor under 14 years old must obtain the consent of the minor’s guardian.
More protection for the data subject’s rights
The draft PIPL comprehends more protection for data subject’s rights such as general communications and privacy notice, access and request for a copy of personal data, correction, object processing, withdrawing consent and deletion.
The draft introduces several restrictions for PIPs with the purpose of improving the security of data processing, including the storage of data as long as it is necessary for the processing activities and the elimination of data under certain circumstances.
New rule on cross-border transfer of personal data
Cross-border transfer of personal data requires a separate consent of the individual. The PIP needs to pass a government security assessment and obtain a professional certification. The government may block the data transfers if its processing is considered harmful for Chinese citizens. It is important to notice that the PIPs are required to stipulate a contract (see article 38 of the second draft) with the overseas recipient. Furthermore, PIPs that process large amount of data in the PRC will be subjected to data localization requirement.
The draft PIPL dictates that for serious circumstances of illegal processing of personal data or failure to adopt necessary measures, PIPs can be fined up to 50,000,000 RMB ($7.4 million) or up to 5% of the preceding year's revenue (unclear if it is Chinese or global revenue). In the case of serious violation, the penalty may be the suspension of the operation or the revocation of the business license, or, concerning personal liability, a fine up to 1 million RMB.
On 29 April 2021, during the PRC National People's Congress Standing Committee meetings, the second draft PIPL was officially released. As for the first draft, the second draft has been submitted for a public consultation period which ended on May 28th，2021. The framework of the second draft is the same as the preceding version, hereafterthe most significant changes will be presented:
-Article 16 expresses that data processors must provide convenient way for data subjects to withdraw data consent. Moreover, it is specified that withdrawal of consent should not affect processing activities that developed before the withdrawn.
-Article 22 specifies more conditions for data processing by a third party. Not only a third party will be subjected to contractual obligations imposed by PIPs but it will have to complied with the obligations provided by the PIPL. One of such obligations dictates that if the data processing agreement with a third party does not become effective or is invalid, revoked or terminated, the third party must return the personal information to the data processor or delete it.
-In regard of the contract which should regulate the export of personal information out of China, article 38 of the second draft specifies that it should be a "standard contract" appointed by the National Cyberspace Administration of China (CAC). This solution resembles the solution adopted in the GDPR. Although such “standard contract” is not yet available, it seems possible that the CAC will draw reference to the standard contractual clauses prescribed by the European Commission. Thus it will be easy for companies that are already GDPR-compliant to conform to this new regulation;
-Article 41 introduces limitations to the export of personal information from China to another country. It is prescribed that the supply of personal information stored within the PRC’s territory to a foreign entity must comply with at least one of the following: (1) succeed a security assessment applied by the National Cyberspace Administration (CAC); (2) stipulate a transfer agreement with the recipient using the standard contract (article 38); (3) follow the transfer mechanisms in accordance with other laws and regulations. (4) acquire certification from professional institutions as stipulated by the rules of the National Cybersecurity Administration.
-Article 49 provides an important change regarding the post-mortem privacy rights inasmuch it directly authorized the closed relative of a deceased data subject to exercise his/her rights.
-In accordance with the proliferation of antitrust investigations into China's most dominant tech companies, article 57 introduces three main requirements on Internet platform providers that process large volume of users data with complex business model: (1) establish an independent body composed of independent members to supervise personal data processing activities; (2) stop servicing the products or service provided that seriously violate laws or administrative regulations in handling personal data; (3) regularly publish social responsibility reports;
-Article 61 states that the Cybersecurity Administrationof China (CAC) is the leading authority regarding the formulation of personal information protection rules and standards for existing and consolidated technologies as well as for new technologies and new applications regarding sensitive personal information, facial recognition, artificial intelligence, etc. The CAC is a charge of supporting the research and development of safe electronic identity verification technology and of fostering the construction of service systems to communicate personal information protection.
-Other changes relate to tighter control of personal information processors activities as the requirement for PIPs to provide an opt out channel when using automated decision making (article 25); PIPs is not required to acquire the consent of data subjects for processing publicly available personal information within a reasonable scope (article 13), but if it can’t prove otherwise, it will be liable for any harm to interests related to personal data ( article 68).