DaHui Lawyers

26 Oct 2020

China Releases Draft Personal Information Protection Law

On 21 October 2020, China released a draft Personal Information Protection Law (“Draft PI Protection Law”). Its 70 articles comprise both high-level and specific rules for a broad range of issues related to the processing of personal information of individuals. On the one hand, its coverage overlaps with several laws, regulations, recommended national standards, etc. promulgated in the last few years, such as the Cybersecurity Law, Civil Code, and Information Security Technology — Personal Information Security Specification (“PI Specification”),[1] and thus may serve as a synthesis of rules, and will supersede existing rules that conflict with the Draft PI Protection Law. On the other hand, it both contains new or extended rules and leaves some aspects of the protection of personal information to other sets of rules, including the recently released draft Data Security Law.[2] Furthermore, even if the Draft PI Protection Law is promulgated substantially in its present form, its use will be limited until implementing rules are issued to further guide regulators, businesses, and private individuals. Nevertheless, this Newsletter summarizes the principal provisions of the Draft PI Protection Law, particularly from the perspective of how businesses may be affected.

Who and What Are Protected

The Draft PI Protection Law defines “personal information” (“PI”) as “all kinds of information recorded by electronic or other means related to identified or identifiable natural persons”, explicitly excluding anonymized information,[3] and “processing” as “collection, storage, use, processing,[4] transmission, provision, publishing, and other such activities”. These definitions are in line with existing and other draft laws, regulations, standards, etc. of China. 

Based on these definitions, the Draft PI Protection Law provides that it applies to any processing, by any individual or entity, of PI done within China’s borders.[5] It also provides for two circumstances in which processing of PI of natural persons within China done outside China will be subject to the Draft PI Protection Law (plus a catch-all “other circumstances provided for by [other] laws and administrative regulations”): (1) the processing is for the purpose of providing products or services to natural persons within China; (2) the processing is for analyzing and evaluating the behavior of natural persons within China. Furthermore, the offshore parties undertaking such PI processing are required to “establish special institutions or designated representatives” within China for dealing with matters related to the protection of PI, and the information about such special institutions or designated representatives is required to be submitted to the authorities performing personal information protection duties.

The Draft PI Protection Law arguably gives a significant signal of “extraterritorial” legal effects on particular service providers. However, from a practical perspective, the two extraterritoriality standards are vague. Further implementing rules are needed to clarify: (1) the kind(s) of connection between PI processing and the offering of products or services such that an offshore processor may be subject to the law; (2) what constitutes “analyzing and evaluating the behavior of natural persons”; (3) the specific forms, establishment procedures, etc. of the special institutions and designated representatives; (4) to which authorities such special institutions and designated representatives are required to submit information; and (5) what legal liability can be imposed on such special institutions or representatives if the offshore parties fail to comply with the Draft PI Protection Law, not to mention what consequences there might be if no special institution is established or no representative is designated.

Conditions to General Processing of PI

For how PI should be processed, the Draft PI Protection Law includes both several generic principles (e.g., the processing must be “open”, “transparent”, and “minimum for achieving the reasonable purpose”), which may have some general interpretative value, and a plethora of provisions that are more specific yet still open to wide interpretation and application. The following are the most notable specific conditions to processing PI:

  • The processing can only be done if:
    • consent has been obtained from the individual whose PI is processed (“PI Subject”);
    • it is necessary for the conclusion or performance of a contract to which the PI Subject is a party;
    • it is necessary for the performance of legally-prescribed duties or obligations;
    • it is necessary for responding to public health incidents or protecting natural persons’ lives, health, or property in an emergency;
    • it is done within a reasonable range in order to carry out acts such as news reporting and public opinion oversight in the public interest; or
    • other laws or administrative regulations provide for the processing.
  • Before processing PI, processors must inform PI Subjects of the following (in a conspicuous fashion and in clear and understandable language):
    • the identity and contact information of processor;
    • the purpose, manner, type of PI, and storage time of the processing;
    • how PI Subjects can exercise their rights under the Draft PI Protection Law; and
    • other matters provided for by other laws or administrative regulations.
  • PI retention periods must be the shortest necessary to realize the purpose of the processing.

Some of the above are subject to further requirements, exceptions, or other rules. For example, in the case of processing PI by obtaining consent: it must be “voluntary and explicit”; it must be obtained anew if the purpose, methods, or type of PI of the processing change; PI Subjects have the right to withdraw consent; and products and services cannot be refused to PI Subjects who do not consent unless the processing is “necessary to provide the products or services”. As another example, processors do not need to inform PI Subjects of the information mentioned above in circumstances where laws or administrative regulations provide that secrecy shall be preserved or notification is not necessary or in certain emergency circumstances (though the PI Subjects must be notified after the end of the emergency). The “consent” is further notable in likely being a heightened standard, “voluntary and explicit”, as compared to the generic consent so far understood in practice to apply (except in a limited set of circumstances) under the Cybersecurity Law: “explicit consent” is defined in the PI Specification as an act whereby a PI Subject explicitly authorizes the specific processing of his/her PI by making a written statement, including by electronic means, or an oral statement, or by making an affirmative action[6] of his/her own accord.

Processing “sensitive personal information” (PI that, if leaked or illegally used, may cause individuals to suffer discrimination or serious harm to their security in their persons and property; “SPI”) will be subject to additional rules. However, the rules specific to SPI under Draft PI Protection Law are few and vague: processing it must have a specific purpose and sufficient need; processing based on consent requires “specific consent”; and PI Subjects must be informed of “the necessity of processing sensitive personal information and the impact on the individuals”. Neither the Draft PI Protection Law nor any other effective or draft laws, regulations, etc. define “specific consent”:[7] if not defined in the version of the law that will be promulgated, it will be left to implementing rules or other measures to define. 

Conditions Specifically to Overseas Transfer of PI

The Draft PI Protection Law includes several provisions for situations in which two parties are “jointly” processing PI, one party entrusts another party to process PI from and on the first party’s behalf, or the processor “changes” as a result of merger, division, etc., but the requirements and other rules governing such situations mostly flow from the conditions to general processing of PI (see above). The Draft PI Protection Law’s more significant rules concerning transfer of PI are aimed at cross-border and foreign activities.

To transfer PI outside China due to business needs, a business must satisfy one of the following conditions:

  • pass a “security assessment” organized by the Cyberspace Administration of China (“CAC”) when PI transferors are “critical information infrastructure operators” (“CIIOs”)[8] or the PI volume to be processed by the processors reaches a threshold specified by CAC;[9]
  • obtain a personal information protection certification from a specialized body designated by CAC;
  • have an agreement with the overseas party including on both sides’ rights and obligations (to satisfy the rights and obligations provided by the Draft PI Protection Law) and supervise the overseas party’s PI processing to ensure it complies with the Draft PI Protection Law; or
  • meet other conditions provided for by laws, administrative regulations, or provisions of the State Internet information departments.

In addition, the PI Subjects must be notified of the foreign recipient’s identity and contact method, the purpose, manner, and type of PI to be processed, and the ways the PI Subject may exercise its rights under the Draft PI Protection Law in relation to the foreign recipient – and specific consent for the overseas transfer is needed.

In comparison to the above, the draft Measures for the Security Assessment for Cross-Border Transfer of Personal Information[10] (“Draft Measures”) provide that before any network operator may transfer personal information out of China, it must conduct and report a “security assessment” for the review of the provincial CAC branch. The Draft PI Protection Law limits the requirement for a “security assessment” to CIIOs and parties who process more PI than a threshold (to be) set by CAC, thus going back on the apparent broadening of the requirement that might have applied under the Draft Measures. Relatedly, the Draft PI Protection Law refers to a “local storage” requirement (for PI collected or originated within China), but it does so also only with respect to CIIOs and volume processors, and it remains to be seen what, if any, changes could result in the wider PRC cybersecurity requirements for storing data onshore.

Finally, the Draft PI Protection Law includes sets of rules that are very similar to rules already in effect and/or rules in the draft Data Security Law: providing PI outside China for international judicial assistance or administrative law enforcement assistance requires prior approval from relevant PRC authorities; if foreign individuals or organizations process PI in ways that harm the PI rights or interests of PRC citizens, or the national security or public interests of the PRC itself, they may be subject to such measures as specific prohibitions or restrictions on providing or being provided PI; and China may adopt retaliatory measures against any country that adopts discriminatory prohibitions, limitations, or other similar measures against China in the area of PI protection.

Other Obligations on PI Processors

The Draft PI Protection Law includes various other standing obligations on any party that processes PI. Some such obligations derive from “rights” accorded to PI Subjects. For example, PI Subjects have the right to access and copy their PI from PI processors as well as to have any errors corrected, so conversely, PI processors must satisfy such requests “in a timely manner”. Furthermore, processors must have in place mechanisms for dealing with applications from PI Subjects attempting to exercise their rights, must explain the rules of the PI processing, and must explain reasons for any rejections of PI Subjects’ applications.

Other obligations have wider scope. For example, processors must delete PI where any of the following circumstances arises, either upon a request from a PI Subject or “actively” on the processors’ own initiative: 

  • The retention period has expired, or the processing purpose has been achieved.
  • The PI processor has ceased the provision of products or services.
  • The PI Subject has rescinded consent.[11]
  • The processing has violated laws, administrative regulations, or agreements.
  • Other circumstances provided by laws or administrative regulations.

Some obligations are of wider scope but relative to the specifics of the PI processing. For example, processors have to adopt certain measures to ensure their processing of PI complies with relevant laws and administrative regulations, and more generally prevents unauthorized access, disclosure, theft, tampering, or deletion of the PI; however, while the Draft PI Protection Law specifies some such measures, it provides that the measures that should be adopted depend on the purposes and methods of the processing, the types of information to be processed, the impact and potential risks to individuals, etc.:

  • Formulating internal management structures and operating rules.
  • Implementing tiered and categorized PI management.
  • Adopting corresponding technical security measures such as encryption, de-identification, etc.
  • Reasonably determining operational limits for PI processing, and regularly conducting security education and training for employees.
  • Formulating and organizing the implementation of PI security incident response plans.

Moreover, PI processors must conduct periodic audits (by designated organizations, if required by relevant PRC authorities) of their measures and conduct and record risk assessments in advance of:

  • processing SPI;
  • using PI to conduct automated decision-making[12];
  • entrusting the processing of PI, or providing PI, to third parties, or otherwise disclosing PI;
  • providing PI abroad; or
  • “other personal information processing activities that have a major impact on individuals”.

Likewise, upon discovery of a leak of PI, processors must take remedial measures, including notifying affected individuals, unless the processors take measures that can effectively avoid the harm caused by the information leakage, and in any case notifying relevant PRC authorities (who may require notification to affected individuals notwithstanding effective measures to avoid the harm having been taken).

Regulatory Oversight and Penalties

The Draft PI Protection Law includes provisions on the powers (as well as duties) of regulatory authorities in relation to PI protection. Most notable are their empowerment to:

  • question the relevant parties and investigate circumstances related to PI processing activities;
  • access and reproduce contracts, records, account books, and other materials related to the parties and PI processing activities;
  • conduct on-site inspections and investigate suspected illegal PI processing activities;
  • check the equipment and items related to PI processing activities (and seal or seize any found to be illegal); and
  • request “informal conversations” (“yuetan” in Chinese), in which regulators demand clarifications or provide warnings, perhaps alongside some insignificant fines.

For the avoidance of doubt, the Draft PI Protection Law explicitly provides that parties “shall provide assistance and cooperate, and must not refuse or obstruct” the regulatory authorities when the latter “are lawfully performing their duties”.

When authorities identify illegal PI processing, they can give warnings, order “corrections” (i.e., that the illegal processing be brought in line with law or ceased), and/or confiscate illegal gains – and if corrections are not done, the authorities can impose a fine of up to RMB 1 million on the entity and between RMB 10,000 and 100,000 on the directly responsible management and other directly responsible personnel. If the illegal processing is “serious”, in addition to warnings and confiscation, the following further penalties can be given straightaway: a fine of RMB 50 million or five percent of the previous year’s annual business volume, suspension of relevant operations, suspension of business for “correction”, and revocation of relevant business permits or licenses, plus fining directly responsible persons RMB 100,000 to 1 million. Furthermore, where the illegal processing infringes on rights or interests of private individuals, or constitutes a crime or violation of public security administration, processors can suffer further penalties.

Setting the highest penalty at RMB 50 million or five percent of the previous year’s annual business volume under the Draft PI Protection Law seems to indicate that China is intending to tighten its regulation on PI.

Takeaways

The Draft PI Protection Law includes many provisions apparently imposing concrete responsibilities on parties processing PI. However, most such provisions have their precursors in promulgated or draft laws, regulations, etc., and most of these repeated rules have not been significantly augmented or clarified. Many specifics still need to be set out, likely in implementing measures to be issued in the months and years after the Draft PI Protection Law is promulgated. Thus, in some respects, the Draft PI Protection Law does not represent a major addition or alteration to the regime heralded by the Cybersecurity Law over four years ago and being filled in by implementing regulations and other measures since then. Aside from reinforcing that regime, however, the Draft PI Protection Law – if passed in substantially its present form – would likely bring some innovations (though still subject to how they would be implemented, interpreted, and applied), e.g., the extraterritoriality standards and the heightened (i.e., “specific”) consent standard. Parties who process PI may wish to identify the most crucial innovations, but they need not rush to any conclusions or actions about changing their internal systems or businesses more generally.



[1] Cybersecurity Law of the People’s Republic of China (《中华人民共和国网络安全法》), promulgated by the Standing Committee of the National People's Congress on 7 November 2016 and effective as of 1 June 2017; Civil Code of the People's Republic of China (《中华人民共和国民法典》), promulgated by the National People's Congress on 28 May 2020, to take effect on 1 January 2021; Information Security Technology — Personal Information Security Specification (《信息安全技术-个人信息安全规范》), issued by the State Administration for Market Supervision of the People’s Republic of China and Standardization Administration of the People’s Republic of China on 6 March 2020 and implemented on 1 October 2020.

[2] The Data Security Law of the People’s Republic of China (Draft for Comments) (《数据安全法(草案)征求意见》), released by the Standing Committee of the National People's Congress on 3 July 2020.

[3] Article 69 of Draft PI Protection Law defines “anonymization” as the process of handling any PI to make it unable to identify a specific natural person and unable to be restored to its original state.

[4] The Chinese term corresponding to “processing” here is “加工”, whereas the Chinese word corresponding to the more general word “processing” used in all other places in this Newsletter (and generally in English-language versions of China’s cybersecurity laws, regulations, etc.) is “处理”.

[5] China’s borders in this Newsletter refer to mainland China’s borders, i.e., not including Hong Kong SAR, Macao SAR, and Taiwan Region. In this Newsletter, “China” will generally be used to refer to mainland China in this way.

[6] Affirmative action includes situations where a PI Subject checks or clicks “agree”, “register”, “send”, “dial”, fills in a form, or provides his/her PI of his/her own accord.

[7] Note the Draft PI Protection Law requires “specific consent” for other activities as well, e.g., a processor providing its collected PI to third parties, publishing PI, installing image collection and personal identity recognition devices in public places, and transferring PI outside China.

[8] The Cybersecurity Law defines “critical information infrastructure” as infrastructure “used for public communications, information services, energy, transport, water conservancy, finance, public services, e-government affairs, and other important industries and fields and other critical information infrastructure that will result in serious damage to the national security, national economy, and people’s livelihood and public interests if they are destroyed, there are lost functions or they are subject to data leakage.”

[9] According to the Inspection Guidance on National Network Security (《国家网络安全检查操作指南》), issued by the Office of the Central Cyberspace Affairs Commission on 1 June 2016 and effective as of the same date, online service providers meeting the following thresholds might be deemed CIIOs by relevant authorities: (1) the service provider’s website’s registered users exceed 10 million, or the number of active users (logging in one time per day) exceeds 1 million; (2) if a security incident occurs, more than 1 million people’s PI will be leaked or 1 million people’s lives will be affected.

[10] The Measures for Security Assessment for Cross-border Transfer of Personal Information (Draft for Comment) (《个人信息出境安全评估办法(征求意见稿)》), issued by the CAC on 13 June 2019.

[11] Though not made clear in the Draft PI Protection Law, the applicability of this circumstance should be limited to cases in which the PI was processed on the basis of consent, rather than one of the other bases set out above.

[12] Article 69 of Draft PI Protection Law defines “automated decision-making” as the activity of using an individual’s PI to make any analysis, assessment, and decision, concerning the behaviors, habits, interests, hobbies, or financial, health, or credit status, or any other situation of the individual, automatically through a computer program.