Analysis of China's Draft Personal Information Protection Law
On October 21, 2020, China published a draft of its Personal Information Protection Law (个人信息保护法, the Draft PIPL), and invited public comment through November 19.[1] Although this is the first draft of this law, it builds on existing regulations to create a structure that is similar to the European Union's General Data Protection Regulation (GDPR).[2] An English-language translation of the Draft PIPL is available.[3]
As a draft law, it may be revised before it is finally enacted, and public comments received will be critical in assessing any issues with the law. As with other Chinese laws, after it takes effect, regulators will likely issue implementing regulations and/or interpretations. Because the Draft PIPL consolidates existing Chinese regulations and because of its similarity to the GDPR, we will not review every provision of the draft, but focus on key elements and changes.
Under the Draft PIPL, individuals or entities who collect and process data are referred to as "processors."[4] The meaning of this term is similar to the GDPR definition of "controller,"[5] while the GDPR definition of "processor" is paralleled by the Draft PIPL's references to "recipients"[6] or "entrusted parties."[7]
Expanded Definition of Personal Information
The Draft PIPL uses a definition of personal information similar to but broader than the definition used in China's Personal Information Security Specification (信息安全技术 个人信息安全规范, the Specification)[8] and closer to the definition found in the GDPR. Personal information is defined as "any information relating to identified or identifiable natural persons recorded by electronic or other means, excluding anonymized information,"[9] whereas the Specification defined personal information more narrowly, as information that could identify a person, not just relate to a person.[10]
Like the GDPR, the Draft PIPL provides a definition of "sensitive personal information," which is subject to heightened protections, although its definition differs slightly from the GDPR. Both the GDPR and the Draft PIPL classify information on race, ethnicity, religion, and health as sensitive.[11] The Draft PIPL is potentially broader than the GDPR in that it classifies information on individuals' financial accounts and individuals' location and movement as sensitive.[12] In contrast, the GDPR classifies information on trade-union status, political opinions, genetic and biometric data, and sex life or sexual orientation as sensitive,[13] but these categories are not included in the Draft PIPL definition of sensitive information.
New Options for Cross-Border Data Transfers
The Draft PIPL eases previously proposed restrictions on cross-border transfers of personal information.
Article 38 of the Draft PIPL permits the cross-border transfer of personal information if the organization transferring the information has:
- Passed a security assessment conducted by the Cyberspace Administration of China (CAC);
- Undergone personal information protection certification conducted by a specialized organization in accordance with CAC regulations;
- Executed a contract with the overseas recipient of personal information setting forth both parties' rights and obligations and supervising the overseas entity's processing of the personal information; or
- Met other requirements set forth by the CAC.
This process, particularly the ability to transfer data pursuant to a contract with the overseas data recipient, is less strict than a prior draft regulation, the Measures for Security Assessment for Cross-Border Transfer of Personal Information (Draft for Comments) (个人信息出境安全评估办法(征求意见稿)),[14] which required security assessments for all cross-border transfers of personal information. While the Draft PIPL does not clarify the review process, if any, for such contracts, the Draft Measures for Security Assessment for Cross-Border Transfer of Personal Information propose a security assessment process that would include review of contracts and whether they can be effectively carried out.[15] Although these draft Measures have not yet been finalized, this draft regulation may indicate how China's personal information protection regime will develop.
Although the Draft PIPL parallels the GDPR in many ways, it does not contain provisions for adequacy determinations with respect to other nations. Article 38(2) does appear to create a process for qualifying specific overseas recipients to receive personal information, similar to the GDPR's adequacy determinations,[16] but conducted on an entity level rather than a national level. As with many other elements of the Draft PIPL, it remains to be seen how this assessment process would be implemented. Two issues which will hopefully be clarified by future revisions to the Draft PIPL or its implementing regulations are the factors considered when conducting these assessments, and whether an assessment will be required for each individual transfer of data or can be used for multiple transactions.
Unclear Data Localization Requirements
The Draft PIPL maintains prior proposals for data localization, although the conditions under which data must be localized remain undefined. Article 40 of the Draft PIPL requires companies that process personal information in a "quantity specified by the CAC" to either store the information in China or undergo a security assessment by the CAC before transferring the information overseas.[17] The Draft PIPL does not specify what quantity of personal information would trigger these requirements; this question may be clarified in a subsequent draft, when the PIPL is finalized, or after the PIPL is finalized in subsequent implementing regulations or interpretations. For reference, another prior draft regulation, the Measures for the Security Assessment for Cross-Border Transfer of Personal Information and Important Data (Draft for Comments) (个人信息和重要数据出境安全评估办法(征求意见稿)),[18] proposed that any entity which planned to transfer personal information for more than 500,000 individuals or more than 1,000 gigabytes of data would need to undergo security assessment, which may give some insight into regulators' views on the quantity of data that would trigger security assessment requirements.[19]
Because anonymized data is excluded from the definition of personal information,[20] the cross-border transfer of anonymized data would be exempt from the localization and cross-border transfer provisions.
Extra-Territorial Application
The Draft PIPL's extra-territorial application appears to be similar to but narrower than the GDPR. The Draft PIPL applies to the processing of personal information outside China's borders if the personal information being processed belongs to individuals in China and the processing is carried out for the purpose of either providing goods or services to individuals in China, or analyzing or evaluating the activities of individuals in China.[21] Unlike the GDPR, the Draft PIPL does not apply to the processing of personal information that takes place overseas but is carried out "in the context" of a domestic company's business.[22]
Consent No Longer Only Basis for Processing Personal Information
The Draft PIPL provides additional bases for lawfully processing personal information. Under the Cybersecurity Law, consent was the only lawful basis for collecting and processing personal information.[23] The Draft PIPL allows consent to also be implied from an individual's entry into a contract if the processing of their personal data is necessary for the execution of that contract.[24] The Draft PIPL also sets forth additional conditions under which personal information may be processed without consent, most of which are not generally applicable, e.g., to respond to a public health emergency, to report on news, or to carry out a public opinion survey.[25]
Blacklisting of Foreign Entities and Governmental Countermeasures
The Draft PIPL also contains provisions which may reflect current trends in some of China's international trade relationships. Article 42 provides that if an overseas organization or individual takes actions which are detrimental to the personal information rights of Chinese citizens, or to China's public interest or national security, that organization or individual may be added to a blacklist and restricted or prohibited from receiving personal information. Article 43 states that if any foreign government imposes restrictions or prohibitions that discriminate against China with respect to the protection of personal information, China may take countermeasures against that foreign government. Although there are no similar provisions in the Cybersecurity Law or other current regulations, another recent draft law, the Data Security Law of the People's Republic of China (Draft) (Draft Data Security Law), published July 3, 2020, and which has not yet taken effect, does contain similar language.[26] Article 24 of the Draft Data Security Law provides that if foreign governments impose discriminatory restrictions or prohibitions on trade or investment relating to data or the development of data technology, China may take corresponding countermeasures. Since neither the Draft PIPL nor the Draft Data Security Law has been finalized, it remains to be seen how these provisions will be implemented.
Deletion of Data
The Draft PIPL Article 47 gives individuals the right to request that their personal information be deleted, similar to the GDPR Article 17 Right to Erasure. Under the Draft PIPL, the conditions under which data should be deleted vary slightly from the GDPR, the primary difference being that the Draft PIPL requires entities to delete personal information if they stop providing related goods or services.
| Draft PIPL | GDPR |
| --- | --- |
| The agreed storage period has expired or the purpose for processing personal information has been achieved [27] | Personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed [28] |
| The personal information processor stops providing products or services [29] | N/A |
| The individual withdraws consent [30] | The data subject withdraws consent ... [31] |
| The processing of personal information violates laws, administrative regulations, or the agreement [under which the personal information was processed] [32] | The personal data have been unlawfully processed [33] |
Detailed Investigative Provisions and Increased Penalties
The Draft PIPL clarifies Chinese regulators' investigative powers and significantly increases the penalties for violations of personal information rights, including penalties for individual employees.
Although the Cybersecurity Law granted regulators the power to investigate potential violations of personal information rights,[34] it did not clarify what measures regulators were authorized to use when carrying out such investigations. The Draft PIPL Article 59 now provides a detailed list of investigative measures which may be employed by regulators, including the right to question employees, to conduct on-site investigations, to review and copy business records, and to check and seal or seize equipment used to process personal information. As noted above, these powers could potentially be used against entities that are established and operating outside China.
The Draft PIPL's penalty clauses authorize fines for companies and individual employees that are 10-50 times higher than those in the Cybersecurity Law. Companies which violate the Draft PIPL will be subject to confiscation of illegal gains and fines of up to RMB 50 million (USD 7.4 million / EUR 6.3 million) or 5% of the prior year's revenue.[35] In contrast, the maximum fine for companies under the Cybersecurity Law was RMB 1 million (USD 149,000 / EUR 126,000).[36] The Draft PIPL also increases the fines for individual employees responsible for violations of personal information protection regulations, with fines of RMB 100,000 to RMB 1 million (USD 14,900 - 149,000 / EUR 12,600 - 126,000),[37] 10 times higher than under the Cybersecurity Law.[38]
As with the implementation of the GDPR, there is a possibility that once the PIPL takes effect, Chinese regulators may begin aggressively enforcing the new regulations. State-owned media have commented favorably on the rollout of the GDPR when analyzing the Draft PIPL.[39]
Many Provisions Parallel the GDPR Structure
Other elements of the PIPL are not dissimilar to the GDPR. Like the GDPR, the Draft PIPL requires personal information processors to ensure that personal information is processed in accordance with the law and for a clear and reasonable purpose.[40] Moreover, processing should be transparent and personal data should be retained for the minimum time needed to achieve the purpose of the processing.[41] The relationship between processors and entrusted parties must be governed by conditions set out in the Draft PIPL, similar to the data processing agreements between data controllers and processors required by the GDPR.
Both the Draft PIPL and the GDPR create mechanisms for the protection of data subjects' rights and interests, including detailed rules on informed, voluntary, and clear consent,[42] the right to withdraw consent,[43] automated decision-making,[44] and transparency of processing (e.g., a requirement to inform data subjects of the identity of the entities handling their information, where that information is transferred, what information is processed, and the like).[45] The Draft PIPL and the GDPR also require entities processing personal data to implement effective mechanisms for data subjects to exercise their rights.[46]
Like the GDPR, the Draft PIPL also requires corporations to ensure the confidentiality and security of personal data, including conducting security and impact assessments as well as handling personal data breaches.[47] The role of the Data Protection Officer under the GDPR is not dissimilar from the role of the persons in charge of personal information protection under the Draft PIPL.[48]
Conclusion
The Draft PIPL represents a new iteration of China's data privacy regulations. While this draft may undergo further revision, and it remains to be seen how some provisions will be interpreted and enforced, companies which have been following China's regulatory developments or which are already compliant with the EU GDPR should have a good basis and starting point for ensuring compliance with the law when it is finalized. If you have any questions about this law, or are interested in submitting comments on the draft law, please do not hesitate to contact us.
© Arnold & Porter Kaye Scholer LLP 2020 All Rights Reserved. This Advisory is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.
1. Geren Xinxi Baohu Fa (Cao'an) Zhengqiu Yijian (个人信息保护法(草案)征求意见) {Personal Information Protection Law (Draft) for Comments} (published by the Standing Comm. Nat'l People's Cong., Oct. 21, 2020, not yet effective) (last visited Oct. 28, 2020).
2. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data, and Repealing Directive 95/46/EC (General Data Protection Regulation), O.J. (L 119 4.5.2016) 1 (last visited Oct. 28, 2020).
3. Draft PIPL, translated in China's Draft 'Personal Information Protection Law' (Full Translation): Long-Awaited Legislation on Personal Data Released for Public Comment (Creemers R., Shi M., Dudley L., Webster G., New America, Oct. 21, 2020) (last visited Oct. 28, 2020).
4. [footnote text missing]
5. [footnote text missing]
6. Draft PIPL, art. 23, 38(3) & 39.
7. Draft PIPL, art. 22; GDPR, art. 4(8).
8. Xinxi Anquan Jishu Geren Xinxi Anquan Guifan (信息安全技术 个人信息安全规范) {Personal Information Security Specification} GB/T 35273-2020 (promulgated by the State Admin. for Mkt. Regulation, Mar. 6, 2020, effective Oct. 1, 2020) (last visited Oct. 28, 2020).
9. [footnote text missing]
10. [footnote text missing]
11. Draft PIPL, art. 29; GDPR, art. 9, §1.
12. [footnote text missing]
13. [footnote text missing]
14. Geren Xinxi Chujing Anquan Pinggu Banfa (Zhengqiu Yijian Gao) (个人信息出境安全评估办法(征求意见稿)) {Measures for Security Assessment for Cross-Border Transfer of Personal Information (Draft for Comments)} (published by the Cyberspace Admin. of China, June 13, 2019, not yet effective) (last visited Oct. 28, 2020).
15. Measures for Security Assessment for Cross-Border Transfer of Personal Information (Draft for Comments), art. 6(3).
16. [footnote text missing]
17. Draft PIPL Article 40 also imposes these requirements on Critical Information Infrastructure Operators, which are public communication and information services, power networks, and other critical infrastructure which might seriously endanger national security or the public interest if experiencing a loss of function or data breach. Foreign companies operating in China are unlikely to be classified as Critical Information Infrastructure Operators.
18. Geren Xinxi He Zhongyao Shuju Chujing Anquan Pinggu Banfa (Zhengqiu Yijian Gao) (个人信息和重要数据出境安全评估办法(征求意见稿)) {Measures for the Security Assessment for Cross-Border Transfer of Personal Information and Important Data (Draft for Comments)} (published by the Cyberspace Admin. of China, Apr. 11, 2017, not yet effective) (last visited Oct. 28, 2020).
19. [footnote text missing]
20. [footnote text missing]
21. [footnote text missing]
22. [footnote text missing]
23. Zhonghua Renmin Gongheguo Wangluo Anquan Fa (中华人民共和国网络安全法) {Cybersecurity Law of the People's Republic of China} (promulgated by the Standing Comm. Nat'l People's Cong., Nov. 7, 2016, effective June 1, 2017), art. 22, 41 & 42 (last visited Oct. 28, 2020).
24. [footnote text missing]
25. [footnote text missing]
26. Zhonghua Renmin Gongheguo Shuju Anquan Fa (Cao'an) (中华人民共和国数据安全法(草案)) {Data Security Law of the People's Republic of China (Draft)} (published by the Standing Comm. Nat'l People's Cong., July 3, 2020, not yet effective) (last visited Oct. 28, 2020).
27. [footnote text missing]
28. [footnote text missing]
29. [footnote text missing]
30. [footnote text missing]
31. [footnote text missing]
32. [footnote text missing]
33. [footnote text missing]
34. Cybersecurity Law of the People's Republic of China, art. 49, 51-58.
35. [footnote text missing]
36. Cybersecurity Law of the People's Republic of China, art. 64.
37. [footnote text missing]
38. Cybersecurity Law of the People's Republic of China, art. 64.
39. Cao S. & Chen Q., China Unveils First Law on Personal Data Protection, Global Times, People's Daily, Oct. 13, 2020 (last visited Oct. 28, 2020).
40. Draft PIPL, art. 6; GDPR, art. 5, §1(b).
41. Draft PIPL, art. 7 and 20; GDPR, art. 5, §§1(a) & (e).
42. Draft PIPL, art. 14; GDPR, art. 4(11).
43. Draft PIPL, art. 16; GDPR, art. 7, §3.
44. Draft PIPL, art. 25; GDPR, art. 22.
45. Draft PIPL, art. 18 & 24; GDPR, art. 12.
46. Draft PIPL, art. 49; GDPR, art. 24(3), 40 & 42.
47. Draft PIPL, art. 38 and 55; GDPR, art. 5(1)(f).
48. Draft PIPL, art. 51; GDPR, art. 13, 14, 30, 33, 35, 36, 37-39, 47 and 57.