China unveiled its draft Personal Data Protection Law for public consultation on Oct. 21, 2020. Taking a closer look at the draft PDPL, it is easy to see that many of its provisions are inspired by the EU General Data Protection Regulation.
The draft PDPL, which contains 70 articles and provides for hefty fines, will, once it comes into force, be China’s first comprehensive law on the protection of personal data. It will undoubtedly have a significant impact on companies with operations in China, as well as on companies that target China as a market without having any business presence there.
The draft PDPL also specifically provides various data protection principles, including transparency, fairness, purpose limitation, data minimization, limited retention, data accuracy and accountability.
Extraterritorial application of law
The draft PDPL applies to the processing of individuals’ personal data that takes place in China, regardless of the nationality of those individuals. Unlike the PRC Cyber Security Law, which provides only limited extraterritorial application, the draft PDPL proposes clear and specific extraterritorial application to overseas entities and individuals that process the personal data of data subjects in China (1) for the purpose of providing products and/or services to data subjects in China; (2) for analyzing or assessing the behavior of data subjects in China; or (3) in other circumstances provided by Chinese laws and regulations.
Given the resemblance of this provision to Article 3(2) of the GDPR, it would not be surprising if, going forward, Chinese regulators adopted the regulatory approach illustrated in the European Data Protection Board "Guidelines 1/2018 on Territorial Scope."
The definitions of “personal data” and “processing” under the draft PDPL are almost as broad as their equivalents under the GDPR. Organizations or individuals outside China that fall within the scope of the draft PDPL will need to set up a dedicated organization or appoint a representative in China, and also report the relevant information about that domestic organization or representative to Chinese regulators.
More clarity on categorization of roles for data processing
Unlike the GDPR, the draft PDPL does not differentiate between a data controller and a data processor; instead, it allocates liability and compliance requirements only to the “personal data processor,” which under the draft PDPL refers to organizations or individuals that independently determine the purpose, scope and means of processing personal data. The personal data processor under the draft PDPL is akin to the data controller under the GDPR.
The draft PDPL does not propose specific obligations on the party that is entrusted by the personal data processor to process personal data (similar to a data processor under the GDPR), except that such an entrusted third party must process the personal data in compliance with its data-processing agreement with the personal data processor and may not further outsource the processing to another third party without the personal data processor’s consent.
Joint personal data processors are required by the draft PDPL to determine their respective rights and obligations among themselves by way of an agreement and to assume joint liability toward data subjects.
More lawful bases for processing of personal data aside from consent
The draft PDPL finally addresses one much-debated issue in the CSL, i.e., the data subject’s consent being the only lawful basis for processing personal data. The draft PDPL provides the following lawful bases, among which legitimate interest is notably absent:
- Data subject’s consent.
- Necessary for the conclusion or performance of a contract to which the data subject is a party.
- Necessary for the fulfillment of statutory duties or obligations.
- Necessary for responding to public health incidents, or necessary in emergencies for the protection of the life, health and property of the data subject or other individuals.
- Processing to a reasonable extent for journalism or media supervision in the public interest.
- Other circumstances as provided by Chinese laws and regulations.
The much-awaited clarity on the consent requirement is also provided in the draft PDPL, i.e., consent must be an informed, specific and freely given indication of the data subject’s wishes. Aside from this, there are more specific consent requirements in various contexts:
- Separate opt-in consent is required for processing sensitive personal data, which includes, but is not limited to, race, ethnic group, religious beliefs, personal biometric data, health data, financial account data and location data.
- Parental consent is required for processing the personal data of minors below the age of 14 if the personal data processor knows or should have known that it is processing the data of a child.
- Specific disclosure in the privacy notice and separate consent are required for the transfer or sharing of personal data, automated decision-making mechanisms, etc. What “separate consent” means in practice should be watched closely.
The requirements on privacy notice under the draft PDPL do not differ much from the current rules as provided in the CSL and various other regulators’ guidance.
More expansive data localization requirements and clearer rules on cross-border transfer of personal data
The draft PDPL proposes a more expansive data localization requirement compared with the existing requirement that applies to operators of critical information infrastructure (CIIO) under the CSL. Personal data processors that process personal data above a certain volume in the PRC, together with CIIOs, are subject to the data localization requirement under the draft PDPL, and any cross-border transfer of their data is subject to a security assessment conducted by Chinese regulators. The volume threshold will be specified by the Cyberspace Administration of China once the law is promulgated.
The draft PDPL sets out the available mechanisms for cross-border transfer of personal data. Separate consent from data subjects is required regardless of which mechanism is used. Personal data processors and CIIOs that are subject to the data localization requirement must complete the security assessment organized by the CAC. Other personal data processors can use any of the following mechanisms:
- Obtaining certification issued by an organization authorized by the CAC.
- Signing a cross-border data transfer agreement with the overseas data recipient(s).
- Other mechanisms as provided by other laws and regulations.
Cross-border transfer of personal data to foreign authorities requires the prior approval of Chinese regulators under the draft PDPL. This is consistent with the draft Data Security Law and the recently amended China Securities Law, which, to a certain extent, shed light on Chinese regulators’ view in this regard.
More data subject rights
The draft PDPL proposes various data subject rights, including the right to information and explanation about the data processing, the right to access and request a copy of one’s personal data, the right to correction, the right to object to processing, the right to withdraw consent and the right to deletion. The right to deletion is subject to fewer restrictions under the draft PDPL than the equivalent right under the CSL.
More protective obligations on personal data protection
The draft PDPL provides, without exhaustively defining them, various management and security measures aimed at enhancing the protection of personal data throughout its entire lifecycle, such as regular compliance audits, risk assessments, periodic employee training, records of personal data processing activities, protocols for responding to data subjects’ requests, data breach reporting, remedial measures for data breaches, and designating a person responsible for data protection (the threshold triggering this obligation is to be specified by the CAC).
While the draft PDPL in a way consolidates existing rules scattered across various laws and regulations on cybersecurity and data protection, it requires personal data processors to adopt a holistic data protection compliance program to protect personal data.
Enhanced legal liability for violations of the draft PDPL and privacy litigation
Serious violations of the draft PDPL, such as illegal processing of personal data or failure to adopt necessary measures to protect personal data, can be fined up to RMB 50,000,000 ($7.4 million) or up to 5% of the preceding year's revenue.
When it comes to calculating the fine, the draft PDPL is silent on whether the “personal data processor” is a specific legal entity or a group of affiliated legal entities, globally or in China, that are involved in the data processing, and on whether the preceding year’s revenue is global or China-only. It is worth watching whether the legislator will consider a concept similar to the “undertaking” under the GDPR when calculating the fine.
In terms of personal liability for a violation of the draft PDPL, the personnel directly responsible for the personal data processing may be fined up to RMB 1 million.
There is also some resemblance to Article 82 of the GDPR in that the draft PDPL presumes the personal data processor to be at fault when a claim is brought by data subject(s) or their representatives, unless the personal data processor can prove that it is not at fault. This provision appears to shift the burden of proof onto the personal data processor compared with the soon-to-be-effective China Civil Code, which provides the rules on torts related to infringement of the right to data protection. Because the personal data processor is not entirely “liability free” even if it can prove that it is not at fault, but remains subject to the court’s discretion, this seems stricter than Article 82 of the GDPR.
Fangda Partners Associate Katharina Zhang also contributed to this legislative update.