China's Personal Information Protection Law took effect in 2021, yet many questions regarding the interpretation of key provisions remain. One such provision is Article 13, which, like the EU General Data Protection Regulation, requires organizations to have a lawful ground for collecting and processing personal data. Article 13 sets forth an illustrative list of legal bases, the majority of which are reproduced in other data protection laws around the world, including obtaining consent, compliance with legal obligations, protecting an individual's vital interest and fulfilling a task in the public interest.
The familiar concept of processing necessary data to fulfill a contract is also included in Article 13(2). Despite the similarity of language to the GDPR and other global data protection laws, contractual necessity remains an underexamined topic in Chinese data protection law. How do authorities like the Cyberspace Administration of China interpret this provision in practice, and what considerations should companies adopt when selecting this basis?
Existing guidance on contractual necessity
In China, regulators often release guidance or implement rules to clarify specific aspects of the law. These instruments, which come in different forms like regulations, administrative measures, guidelines and technical standards, play a key role in the regulatory and policymaking process in the country. These instruments vary in scope, significance and applicability — some are mandatory and codify broad terms of policy, while others are suggestive and reflect industry best practice. Yet they all serve an important function in how the law works in China.
Regulators use these instruments to implement laws adopted by the National People's Congress (which has expert committees often composed of representatives from these regulators) or policy opinions drafted by leading groups in the State Council and other government bodies. Additionally, they can help lay the groundwork for future regulations by incorporating feedback from industry and offering practical guidance. For instance, the National Information Security Standardization Technical Committee, which is housed within the Cyberspace Administration of China, has released many technical standards that later became core parts of regulation. For example, the 2020 Personal Information Security Specification predates the PIPL and continues to be one of the key guidance documents used in daily compliance.
In recent years, the CAC has issued many of these instruments to clarify key aspects of law and introduce rules for new policy developments. Some of these include guidance on existing legal obligations such as consent, crossborder data transfers, technical and organizational measures, important data identification, and data protection impact assessments. Others are tailored for specific sectors, like connected cars, or cover emerging regulatory priorities such as generative artificial intelligence, immersive tech, and algorithmic management systems.
Specific guidance on the interpretation of contractual necessity is notably absent from this corpus of regulations. Regulators have indirectly touched upon the topic in the recent Implementation Guidelines for Notification and Consent in the Processing of Personal Information, published earlier this year. Article 6.2.1 of this document introduces scenarios that would satisfy contractual necessity, including when processing personal data is necessary to provide a "basic business function," such as handling delivery addresses and contact information when delivering goods through e-commerce. Notably, in Article 6.2.1(a)(3), the guidelines stipulate that for processing to be "necessary," it must relate to the core basic part of the product and service, and have the least impact on the data subject in terms of the types and amounts of personal data used and the frequency of processing. Privacy policies that disclose processing details cannot be contracts within the meaning of the PIPL.
While the guidelines represent a notable step towards legal codification, they offer only a brief introduction to contractual necessity and leave many practical questions for compliance unanswered. However, there may be other sources organizations can turn to for insight into how this legal basis works in practice and the principles Chinese authorities may turn to when interpreting its applicability.
EU jurisprudence: A potential guide for organizations in China?
Despite the lack of guidance from the CAC, there is evidence that EU data protection law may be partially instructive. In its guidance on GDPR Article 6(1)(b), the European Data Protection Board stipulates that contractual necessity will not "cover processing which is useful but not objectively necessary for performing the contractual service … even if it is necessary for the controller's other business purposes." According to this guidance, organizations must be able to demonstrate there is no less intrusive way of providing the service, otherwise the processing will not be strictly necessary within the meaning of EU law. For transparency and fairness purposes, the service must also be one that the user reasonably expects to be the main part of the contract. It cannot merely be an included term or additional condition the business uses to indicate performance.
This interpretation came to a head in the recent WhatsApp decision issued by Ireland's Data Protection Commission. In this case, the EDPB — exercising its dispute resolution powers under GDPR Article 60(4) — found WhatsApp Ireland could not rely on contractual necessity to process user data to "improve its service," including using analytics. This was because the processing was not necessary to provide the "fundamental and mutually understood" purpose of the contract as reasonably expected of the user, which includes sending messages, videos, and other content to contacts. Notably, the Court of Justice of the European Union recently endorsed this interpretation in Meta v. Bundeskartellamt, when it found contractual necessity required the processing to be "objectively indispensable" to servicing the contract.
Chinese policymakers and data protection experts have nodded favorably at this approach. As it was being litigated, the case received attention in academic and professional posts in China, and it was even suggested that existing guidance in the country had already imposed a similar standard. For instance, the Personal Information Security Specification in Annex C distinguishes between "basic business functions," or core functions, and "extended business functions," or ancillary functions. Core functions refer to aspects that are essential to providing a product or service and are in accordance with the data subject's expectations.
Ancillary functions, by contrast, are additional features that add to or improve a users' experience with a product or service but are not necessary for their provision. According to Annex C.2.b, these include "improving service quality, enhancing consumer experience," and research and development features that are closely related to personalized advertising. In the past few years, authorities in China have released regulations that identify "necessary" information for commonly used mobile apps in a range of sectors, including e-commerce, payments and instant messaging.
The purpose of distinguishing between core and ancillary functions is to implement the principles of necessity and data minimization under PIPL Articles 5 and 6. Regulators have relied on this guidance to enforce consent rules and prevent organizations from illegally bundling or conditioning a service on obtaining consent. However, Chinese authorities may also adopt this distinction to interpret the necessity of a contract. This would notably resonate with the EDPB's treatment of the issue, namely covering scenarios in which conditioning the provision of the service on obtaining consent is permitted because the processing is necessary to provide the service, i.e., when it is necessary to perform the contract.
Practical insights and takeaways
Although this provides some guidance on how contractual necessity will work in China, organizations should be aware of the risks of relying on this basis in the absence of a codified rule or standard. In the past few years, the CAC has had the capacity to interpret and enforce consent rules, including hosting training seminars for its officials, launching regulatory investigations, and issuing guidance on notification and consent procedures. Because of this, consent presently offers greater legal certainty for organizations operating in China than other lawful grounds, including contractual necessity.
However, the possible convergence of PIPL Article 13(2) with the GDPR approach indicates a small sliver where standards may apply across borders and local contexts. The emergence of transnational commercial data protection law may be greater than just the similarity of legal text, extending to implementation and interpretation. Even with a legal system as unique as China's, the convergence of data protection rules continues.