On April 29, 2021, China issued a second version of the draft Personal Information Protection Law (“Draft PIPL”). The Draft PIPL will be open for public comments until May 28, 2021.
While the framework of this version of the Draft PIPL is the same as the prior version issued on October 21, 2020, below we summarize the material changes in the second version of the Draft PIPL.
Legal Basis for Processing Personal Information
Article 13 adds one legal basis for processing personal information. The data processor is not required to obtain the consent of data subjects for processing publicly available personal information within a reasonable scope pursuant to the Draft PIPL.
Minor’s Personal Information
Article 15 provides a higher standard to process a minor’s personal information. Regardless of whether the data processor knows or should know that it processes personal information of an individual under 14 years old, it must obtain the consent of the minor’s parents or other guardian.
Article 16 requires the data processor to provide a convenient way for data subjects to withdraw consent. Withdrawing consent will not affect any processing activity that took place before consent was withdrawn.
Data Processing by a Third Party
Article 22 provides more conditions for data processing by a third party. If the data processing agreement with a third party does not become effective or is invalid, revoked or terminated, the third party must not keep the personal information and must return it to the data processor or delete it.
Standard Contract Clauses for Cross-Border Data Transfer
Pursuant to Article 38, the Cyberspace Administration of China will provide a standard contract to data processors for reference and guidance when entering into contracts with recipients outside of China, which may enable them to transfer relevant personal information to recipients outside of China.
Decedent’s Personal Information
Article 49 adds provisions regarding the protection of personal information of decedents, whose rights provided under the Draft PIPL may be exercised by near relatives on the decedent’s behalf.
Specific Data Processor
Article 57 imposes specific obligations on data processors that provide basic online platform services to a “huge” number of users and have complex business types. These include obligations to (1) set up an external independent institution to supervise personal data processing; (2) stop servicing the products or service providers that have seriously violated laws and regulations; and (3) publish periodic social responsibility reports. Nonetheless, the second version of the Draft PIPL does not illustrate the specific standard for identifying the covered data processors, such as by identifying, for example, how many users constitute “a huge number of users.”
Inversion of Burden of Proof
Pursuant to Article 68, in cases of harm to interests related to personal data, if the data processor could not prove that it is without fault, it will be liable for a tort and the relevant compensation.