On 21 October 2020, China’s Standing Committee of the National People’s Congress published the first draft of the Personal Information Protection Law (PIPL) for public comment. The PIPL is China’s first attempt to integrate and expand its provisions on the protection, collection, and processing of personal information under one omnibus law.
In its 70 articles, the draft legislation incorporates many data privacy and protection principles from China’s existing legislation, among them the Cybersecurity Law of 2017 and the Personal Information Security Specification. However, it does not stop there. Chinese lawmakers went a step further and, taking a page from the EU’s General Data Protection Regulation (GDPR), delved into the thorny issues of cross-border data transfers and extraterritoriality and, most significantly, adopted steep penalties in line with the GDPR.
The draft PIPL extends the extraterritorial reach of Chinese data protection legislation, which was limited under the country’s Cybersecurity Law. The PIPL will apply to any company or individual processing the personal information of data subjects located in China, regardless of the data subjects’ nationality.
Similar to the GDPR, processing and personal data are very broadly defined in the PIPL draft. Three main processing categories fall within its scope: processing personal data for the purpose of providing products and/or services to data subjects in China, for analyzing or assessing the behavior of data subjects in China, or in other circumstances as provided by Chinese laws and regulations.
Any company outside of China that will be subject to the PIPL will have to appoint a representative in the country or set up a dedicated organization in China to act as a point of contact for Chinese regulators.
Cross-border Data Transfers and Data Localization
Critical information infrastructure operators (CIIOs) are required to store personal information collected or generated in China within the country’s territory. While this is in line with existing requirements under the Cybersecurity Law, the PIPL expands the data localization requirements to data processors that exceed a certain volume of personal information processed. The threshold will be determined by Chinese cyberspace regulators at a later date.
The PIPL also makes security assessments necessary for cross-border transfers. These can be obtained through professional certification organizations designated by Chinese regulators, or by concluding a contract with the overseas data recipient and supervising its data processing activities. The PIPL draft also includes a provision that will allow Chinese regulators to easily add further cross-border data transfer mechanisms in the future.
Data processors will also need to inform data subjects about cross-border data transfers, obtain their consent for the transfer and notify them of the identity of the overseas recipient, how they can be contacted, their purpose and methods of processing, the types of personal information involved in the transfer and how the data subject can exercise their rights against the recipient.
New rights for Chinese data subjects
The draft PIPL brings a new wave of rights for Chinese data subjects, including the right to deletion, the right to information and explanation of data processing, the right to access and request a copy of personal data, and the right to withdraw consent. The right to deletion, already included in the Cybersecurity Law, faces fewer restrictions under the PIPL.
An expanded basis for processing
Under China’s Cybersecurity Law, the only lawful basis for processing personal data was a data subject’s consent. The draft PIPL expands this to include processing that is necessary for the conclusion or performance of a contract to which the data subject is a party, the fulfillment of statutory duties or obligations, or to respond to public health incidents. Data can also be lawfully processed if it is necessary for the protection of life, health, and property of the data subject or other individuals in emergency cases, for journalistic purposes or media supervision in the public interest, as well as in other circumstances as provided by Chinese laws and regulations.
Consent, when given by a data subject, must be an informed, specific, freely given indication of the wishes of the data subject. Separate consent is required for the processing of sensitive personal data such as race, ethnic group, religious beliefs, personal biometric data, health, and financial data. Parental consent is required for the processing of personal information of minors below the age of 14.
Data Protection Officers
Companies that exceed an as-yet-undefined volume of personal information processed will need to appoint a data protection officer (DPO) responsible for the processing of personal data. The name and contact of the DPO will be made public and filed with the relevant authority.
In addition to the penalties already specified in the Cybersecurity Law, such as warnings, confiscation of illegal gains, business suspensions, business halts for rectification, and the revocation of relevant permits or business licenses, the PIPL draft adds a significant increase in fines to the list.
In a move clearly inspired by the GDPR’s notoriously high penalties, the draft legislation stipulates that fines can reach up to CNY 50 million (approximately $7.6 million) or 5% of a company’s turnover in the previous year. The text of the law does not currently specify how the 5% will be calculated or whether it refers to a company’s turnover in China or worldwide.
If adopted, the PIPL is likely to significantly impact companies operating in China or targeting the Chinese market without having a business presence in the country. Companies likely to fall within the scope of the PIPL must follow the legal developments and ensure that any compliance efforts take into consideration PIPL-specific requirements to guarantee smooth data processing and transfers and to avoid any potential future penalties.