Countries around the world are coming around on the need to address privacy, including China and India, which carry a combined population of more than 3 billion people. There has been much hype about proposals for China's Personal Information Protection Law and India's Personal Data Protection Bill, but both draft laws have been stuck in neutral in their respective legislative processes for months.
During the opening panel discussion of the IAPP's Global Privacy Summit Online 2021, Rui Bai Law Firm Head of Corporate Barbara Li and Future of Privacy Forum Senior Fellow Malavika Raghavan indicated the stagnant status of each proposal is likely to change in the months ahead and finalization of the laws is possible before the end of 2021.
In fact, Li broke the news that privacy professionals may see new developments with China's PIPL before the end of April. She said the Standing Committee of the National People's Congress of the People's Republic of China has the PIPL and a proposed data security law on the agenda during its session April 26 to 29.
"If things move around quickly, I sense we may probably see this law is finalized very soon," Li said. "Definitely stay tuned. There's likely to be a very quick step in these coming months or just the coming weeks."
The draft PIPL was proposed last October and has already undergone a public consultation. According to Li, the quick moves on data protection legislation are attributable to China's fast-growing digital economy and data use issues stemming from the growth, including the "use or processing of personal data beyond what is reasonable or allowed under the law." On the other hand, Li noted that the Chinese government is also "very keen to strike a proper balance" enabling economic growth while "providing very strong support and protection of personal data."
The update on India's PDPB was not as inspiring, as Raghavan noted India's situation is "quite the reverse" of China with two delays pushing the final report on the bill from a Joint Parliamentary Committee to "sometime in June or July." She said it's an interesting situation given the bill's process began in 2017 and appeared to be on track to be finalized or up for final passage by now instead of "still playing the waiting game."
"Basically it could be either reintroduced for passage, which has happened in the recent past," Raghavan said of what comes after the JPC's report. "I think there are enough numbers, and it's not as polarizing of an issue to be passed. So it could be passed by the end of July or there could be further deliberation, but we're expecting to have, by the end of the year, a formal law."
Reports surfaced out of the Indian Parliament last December that the PDPB could end up being rewritten, which would presumably trigger the further deliberations Raghavan alluded to. Also fueling the concept of a drawn-out process are the more than 80 proposed amendments that have been brought forward.
Li and Raghavan also offered analysis of the Chinese and Indian bills as currently constituted, including a look at provisions for international data transfers under each draft law.
Li said the PIPL's provisions on transfers divert some from those of China's standing regulation, the Cybersecurity Law of the People's Republic of China, because the draft legislation focuses more on personal data. What remains consistent between the two Chinese standards is that transfers will require some form of adequacy check before their completion.
"There are express provisions saying that if a business operator is a (critical information infrastructure operator) then generally they will be required to pass some kind of security assessment conducted by the Chinese authority," Li said. "For non-CIIs that handle a large volume of data, the PIPL also provides for additional legal obligations to comply with … and there is also consent required from data subjects when transferring their data abroad."
Li added that businesses can also utilize PIPL-approved transfer mechanisms, including engaging a certified third-party security assessor or entering into a cross-border data transfer agreement.
With India's PDPB, Raghavan outlined provisions for two categories of data, with yet-to-be-defined "critical" personal data being subject to a localization while "sensitive" personal data — which correlates to the EU General Data Protection Regulation definition of sensitive data — will be allowed to be lawfully transferred. According to Raghavan, transfers will be subject to consent and "things that look, sound and smell like standard contractual clauses" while also being required to remain stored in India and returned at some point. The Indian government also has the power to refuse data access to certain countries under the proposed law.
Enforcement was another key topic broached by panelists, who revealed a difference in approach as far as a private right of action goes. Li explained China allows for a relatively broad right of action in addition to general enforcement by the Cyberspace Administration of China, while Raghavan said Clauses 63 and 83 of India's proposal will vacate the private right of action for individuals.
"I think this is going to be controversial because a similar vacating of rights under the Aadhaar Act was actually struck down at the end of the constitutional challenge of that act," Raghavan said. "It remains to be seen whether it will be challenged again, but there are very few laws I know that carry this kind of vacation. Maybe there are ways it can be justified."
PDPB enforcement would come from a newly created data protection authority, which would have many tools, including reprimands and warnings, at its disposal before resorting to a fine.
On the topic of financial penalties, Li pointed out the PIPL establishes a potentially costly fining scheme."PIPL has hugely increased the volume for sanctions," Li said. "The maximum penalty CAC can impose on violators can go up to like 50 million RMB or 5% annual turnover. That could end up being quite significant to a very large company."