Takeaways

With the big data industry growing rapidly in China, and long-standing concerns about leaks and improper use of personal data collected by various authorities and companies, the Draft PIP Law is a significant step toward addressing personal data leaks and hacks.
Once promulgated, the Cybersecurity Law of the PRC, the Data Security Law of the PRC and this Draft PIP Law would constitute three fundamental laws of China that govern data privacy, data protections and cybersecurity.
The Draft PIP Law has extraterritorial effect, applying to overseas companies that do not have legal presence in the PRC but collect personal information directly from PRC individuals.

The Personal Information Protection Law (Draft PIP Law) consists of eight chapters with 70 articles in total, covering a wide range of topics on protection of personal information, including (1) general principles; (2) rules of personal information processing; (3) rules of the cross-border transfer of personal information; (4) the rights of individuals; (5) obligations of data processors; (6) regulating authority; (7) legal liabilities; and (8) supplementary provisions.

Below is a summary of the key provisions of the Draft PIP Law.

Definitions of Personal Information and Sensitive Personal Information
Under the Draft PIP Law, “personal information” is defined as various types of information recorded in electronic or other forms relating to an identified or identifiable natural person, excluding information that has been anonymized. This is similar to the definitions under the General Data Protection Regulation (GDPR) of the European Union (EU) and the California Consumer Privacy Act (CCPA).

Where the GDPR prohibits processing of an enumerated set of special categories of personal data unless a specific lawful justification applies, the Draft PIP Law instead uses a risk-based definition with a non-exhaustive list of examples. “Sensitive personal information” under the Draft PIP Law is defined as “personal information, of which leakage or unlawful use may lead to discriminatory treatment or serious damage to personal or property safety, including race, ethnicity, religious beliefs, personal biometrics, medical health information, financial accounts, and personal whereabouts, etc.”

Rules for Processing Personal Information

The Draft PIP Law sets forth general rules for processing personal information and special rules for processing sensitive personal information in Chapter 2. Most of these rules are consistent with those scattered among various existing laws and regulations.

We address a few important rules for personal information processing below.

1. Individual Consent and Other Legal Basis for Processing

Under the Draft PIP Law, the processing of personal information is no longer limited to cases where the individual’s consent has been obtained, as the Cybersecurity Law provides. In addition to consent, a personal information processor may process personal information on any of the following legal bases:

a. Processing personal information is necessary to enter into or perform a contract to which the individual is a party;

b. Processing personal information is necessary to perform legal duties or legal obligations;

c. Processing personal information is necessary to respond to a public health emergency or to protect life, health and property safety of a natural person in an emergency;

d. Processing personal information to a reasonable extent for the purpose of carrying out news reporting and public opinion monitoring for public interests;

e. Other circumstances specified by laws and administrative regulations.

As compared to the GDPR, the Draft PIP Law expressly recognizes responding to a public health emergency as a legal basis, which apparently addresses the continuing COVID-19 situation. However, the Draft PIP Law does not include the GDPR’s “legitimate interests pursued by the controller or by a third party” as a legal basis for processing personal information. Processing that a company justifies under legitimate interests in the EU would therefore need to rest on consent or on one of the bases listed above in the PRC.

2. Personal Information Processor

Unlike the GDPR, the Draft PIP Law does not distinguish between “data controller” and “data processor.” It imposes liability and compliance requirements only on the “personal information processor,” which refers to organizations or individuals that independently determine the purpose, scope and methods of processing of personal information. The personal information processor defined in the Draft PIP Law is therefore similar to the data controller under the GDPR.

A personal information processor must not refuse to provide products or services on the grounds that an individual does not give consent to the processing of his or her personal information or withdraws his or her consent, except where the processing of personal information is essential for providing the products or services.

Processors are obligated to adopt necessary measures to protect personal information, such as formulating internal management systems and operating procedures; categorizing personal information for management; adopting technical security measures (e.g., encryption and de-identification); conducting regular security education and training; and formulating and organizing the implementation of emergency plans for personal information security incidents.

A processor that processes personal information at a certain volume specified by the Cyberspace Administration of China (CAC) is required to designate a person specifically in charge of personal information protection whose name and contact information should be published and reported to the regulators. A processor is also required to conduct regular audits to ensure that its practice complies with the applicable laws and regulations.

3. Joint Data Processing and Data Processing by an Entrusted Third Party

In case of joint processing, while the joint processors may agree on their respective contractual rights and obligations, the joint processors are jointly liable for any infringement on the rights and interests of an individual.

Where a personal information processor entrusts a third party to process personal information, both parties shall execute an agreement that specifies the means of processing, the types of personal information, the protective measures, and the rights and obligations of both parties. The processor must monitor the processing activities carried out by the third party. The third party may not further engage another party to process the personal information without the processor’s consent. After completion of performance of the contract or termination of the entrustment, the personal information must be returned or deleted.

4. Processing of Sensitive Personal Information

The Draft PIP Law provides more restrictions on the processing of sensitive personal information. A personal information processor can only process sensitive personal information if it has specific purposes and such processing is sufficiently necessary, but the Draft PIP Law does not provide further interpretation of what constitutes “specific purposes” and “sufficiently necessary.” Separate consent or written consent from the data subjects must be obtained before processing sensitive personal information.

Extraterritorial Application
Multinational companies may be most interested in the contemplated extraterritorial jurisdiction of the Draft PIP Law, which might increase compliance risk for foreign companies that either have operating subsidiaries in China or have no legal presence in China but provide products or services to Chinese individuals. The Draft PIP Law would apply to companies overseas:

  1. that process personal information of individuals in China in order to provide products or services to them;
  2. that analyze and assess the activities of individuals in China through the collection of personal information; or
  3. for other purposes specified by laws and administrative regulations.

The above provision is similar to its counterpart under Article 3 of the GDPR, which applies, among other things, to the processing of personal data of data subjects in the EU by a controller or processor not established in the EU.

In addition, in a provision that resembles the GDPR’s representative requirement, the Draft PIP Law requires offshore processors that process personal information of individuals in the PRC to establish a designated office or appoint a representative in the PRC to be responsible for personal information protection in the PRC. The name and contact information of such office or representative must be submitted to the regulators.

Cross-Border Information Transfer
A key issue about which many multinational companies with business in the PRC are concerned is the rules on cross-border information transfer.

Article 38 of the Draft PIP Law provides that if a processor has business or other needs to transfer personal information to outside of the PRC, the processor must fulfil at least one of the following conditions:

  1. undergo a security assessment administered by the Cyberspace Administration of China (CAC) in accordance with Article 40 of the Draft PIP Law. Article 40 requires operators of Critical Information Infrastructure (CII)1 and processors that transfer a certain volume of personal information (to be specified by the CAC) to store locally the personal information they collect and generate in the PRC, and to undergo a security assessment if cross-border transfer is necessary, unless laws, administrative regulations or CAC rules exempt the transfer from such assessment;
  2. obtain certification from a professional institution in accordance with the applicable CAC rules;
  3. enter into an agreement with the offshore recipient in which the agreement should specify the rights and obligations of both parties, and monitor and ensure that the offshore recipient can meet the protection standards provided in the Draft PIP Law; or
  4. other condition(s) to be specified by laws, administrative regulations or CAC rules.

It is likely that most processors would prefer item (3), since it does not involve a CAC security assessment or certification by a professional institution, both of which may take time and incur additional cost. Item (3) is even more likely to be chosen where the processor and the offshore recipient are affiliated companies. How this article will read in the final version of the law is an area to be closely watched.

Even if a processor is allowed to transfer personal information to an offshore party, it is required to notify individuals of at least the following information: identity and contact information of the offshore recipient; purposes and means of processing; categories of personal information to be transferred; and the means to exercise rights under this law against the offshore recipient.

In addition, the processor must obtain a separate consent from each individual concerned for such cross-border transfers.

Similar to other recently published laws (e.g., the Export Control Law) and regulations (e.g., the Provisions on Unreliable Entity List), the Draft PIP Law also contemplates a “blacklist” to which the CAC has the power to designate offshore organizations or individuals whose personal information processing activities infringe the rights and interests of PRC citizens relating to personal information, or endanger the national security or public interest of the PRC. Processors will be prohibited or restricted from transferring personal information to parties on the blacklist.

In addition, the Draft PIP Law provides that if any country or region imposes any prohibitive, restrictive or other similar measures in a discriminatory manner against the PRC with respect to personal information protection, the PRC may, based on actual circumstances, take corresponding measures against said country or region.

Legal Liability
The Draft PIP Law imposes a fine of up to RMB1 million (approximately USD150,000) on the processor and up to RMB100,000 (approximately USD15,000) on the responsible personnel in case of a violation of the law. If the violation is considered serious, the fine may be up to RMB50 million (about USD7.5 million) or 5% of the processor’s annual revenue for the prior year. While it is unclear whether the Draft PIP Law would combine the annual revenues of a group company in assessing fines on a processor, the proposed fine amount is significant.

Conclusions
For multinational corporations that have subsidiaries in the PRC that process personal information and/or transfer personal information to their overseas headquarters and affiliates, and for overseas organizations and individuals that collect information directly from individuals in the PRC for purposes specified in the Draft PIP Law, it is important to closely follow any developments of the Draft PIP Law. Multinational companies and domestic companies are recommended to start improving internal procedures and systems with reference to the Draft PIP Law. We expect that the NPC will review comments received from the public and publish a second draft for public comment or legislative review in the coming months. We will closely monitor further developments.


1 CII is a term broadly defined by the Cybersecurity Law to cover networks and systems in the military, government affairs, key industries and other sensitive areas.

These and any accompanying materials are not legal advice, are not a complete summary of the subject matter, and are subject to the terms of use found at: https://www.pillsburylaw.com/en/terms-of-use.html. We recommend that you obtain separate legal advice.