China’s draft Personal Information Protection Law was published for public comment Oct. 21, 2020, and the comment period ended Nov. 19, 2020. As the first comprehensive law governing personal information protection and the basis for the future privacy framework in China, the milestone legislation received a large number of comments from industry and other organizations within and outside of China.
These comments can provide critical insights on what are the key concerns from the stakeholders and how the next draft could improve. Some of the comments also highlight the difference between the draft PIPL and privacy laws in major jurisdictions, including the EU General Data Protection Regulation.
With that in mind, here are five key issues mentioned in the comments, presented here with the hope that they can shed more light on the road ahead for the draft PIPL.
Consent and legal grounds for processing (Article 13)
Under the draft PIPL, consent is one of the legal grounds for processing personal information. The draft PIPL requires “separate consent” under certain special circumstances, such as international transfer of personal information, processing of sensitive personal information, including biometric data, and sharing of personal information with third parties.
While many comments agree that consent remains important for processing personal information under many circumstances, some highlight that obtaining consent could be impractical, impossible or ineffective in many cases. Thus, it is recommended to reduce the number of provisions that require consent from personal information subjects. Moreover, some believe that clearer definitions are needed for different forms of consent, such as the “separate consent” and “written consent” described in Article 30.
In addition to limiting the scope of consent requirements and providing definitions for different forms of consent, some comments recommend adding more legal basis for the processing of personal information, such as “legitimate interests” and “pre-contractual measures,” as more grounds of a legal basis for processing could allow companies to carry out processing activities according to their actual operational needs.
Extraterritorial jurisdiction (Article 3)
The draft PIPL extends its territorial scope to the processing of personal information conducted outside of China, provided that the purpose of the processing is (1) to provide products or services to individuals in China; (2) to “analyze” or “assess” the behavior of individuals in China; or (3) for other purposes to be specified by laws and regulations.
Many commenters worry that this broad extraterritorial scope will subject any possible processing of personal information originated from China to the draft PIPL. Considering the global flow of data, such a broad jurisdiction may potentially create uncertainties and potential conflicts of law issues. Thus, many comments suggest clarifying the extraterritorial jurisdiction or providing more information on the circumstances that organizations outside of China will be subject to the draft PIPL.
Localization and cross-border transfer of personal information (Articles 38–43)
Many commentators believe that, in general, restrictive provisions about cross-border data transfer and local storage of data could bring substantial challenges for multinational companies, especially if these provisions can be interpreted broadly. They worry about the uncertainties and extra burden imposed by the draft PIPL would have a negative impact on the use of technologies in China that rely on global networks.
Meanwhile, comments emphasize the necessity to clarify Article 40, which requires non-critical information infrastructure operators that hold personal information exceeding a volume threshold (currently unspecified) to either localize their data or conduct a security assessment for transfers. As the details of the security assessment were not provided in the draft PIPL, many commentators urged regulators to clarify the scope, process and criteria related to the security assessment as soon as possible. Also, some comments believe that the volume threshold alone should not be deemed a risk indicator because there are distinctions among different categories of personal information. Thus, they urge that the security assessment only be applicable in limited scenarios.
Penalties and enforcement (Articles 62–67)
- Penalties
Article 62 of the draft PIPL states that when a violation is “serious,” authorities can impose a fine of up to 50 million RMB or 5% of an organization’s annual revenue for the prior financial year, among other penalties. Commentators suggest that it is unclear what could constitute a “serious” violation. In addition, it is unclear whether an organization’s annual revenue will be calculated on a global basis when assessing fines. Commentators are concerned that vague definitions may result in disproportionately severe penalties for relatively light violations.
- Requirements for multiple types of assessments
The draft PIPL mentions multiple assessment requirements. For instance, Article 54 requires a “risk assessment” under several circumstances, such as processing sensitive personal information and transferring personal information overseas. Article 38 lists “security assessment” as one of the permitted mechanisms for cross-border transfer of personal information. Commentators believe some of the assessments are overlapping and the names of different types of assessments are confusing. Therefore, they suggest further refinement and standardization of these requirements.
- Representative and entity responsible for personal information protection (Article 52)
Under Article 52, an overseas personal information “processing entity” (a term that appears to be the Chinese law equivalent of the “data controller” concept under the GDPR) is required to establish an entity or appoint a representative in China to handle personal information related issues. Commentators worry about unnecessary burdens and costs to organizations outside of China and hope that the draft PIPL can clarify the responsibilities of a representative or an entity.
- Transition period
Commentators also recommend that a transition period be provided because the adjustment to the new substantial compliance requirements under the draft PIPL will take a long period. Moreover, comments suggest that a general data protection agency be established to have a unified and systematic enforcement mechanism.
Important terms need to be defined/clarified
- Third party
Article 24 requires a personal information “processing entity” to notify individuals if it shares their personal information with “third parties.” However, it is unclear whether such “third parties” include entities such as vendors or service providers of the “processing entity” and whether this requirement applies to all scenarios (e.g., whether the sharing with affiliates is covered). Thus, commentators suggest using defined terms rather than a general description so the regulatory requirements for sharing data with different types of entities can be clarified.
- Anonymization and deidentification
Many commentators believe that the definition of anonymization in Article 69 is a high standard and certain anonymized information that cannot be used to identify a natural person today may be able to do so in the future. They suggest the law should be clarified as requiring a materiality standard rather than an absolute standard. Furthermore, commentators urge more clarity on the requirements for “de-identification.”
The draft PIPL introduces the term “de-identification” but does not specify whether a “processing entity” is mandatorily required to adopt such a technical measure.
Photo by Macau Photo Agency on Unsplash