On April 29, 2021, China unveiled its second draft of the Personal Information Protection Law (draft PIPL). The draft is now available for public comments until 28 May 2021. The law aims to provide greater protections for personal information and create a data privacy regime that is more in line with the General Data Protection Regulation (GDPR) of the EU.
Some highlights of the draft PIPL are as follows:
The draft PIPL applies to the processing of personal information within the People’s Republic of China (PRC), and the extraterritorial processing of personal information of natural persons within the territory of PRC under certain circumstances, such as for the purpose of providing products or services to these natural persons or under other circumstances regulated by laws and administrative regulations.
There are a number of obligations on “Personal Information Processors” (PIPs), which the PIPL defines as “organizations or individuals that independently make decisions on personal information processing matters such as the purpose and means of processing”. This term appears to correlate with the “data controller” concept under the GDPR.
Obligations of PIPs and “data processors”
The obligations of PIPs are detailed in Chapter 5 of the draft PIPL. In particular, it is noted that PIPs who process personal information in a specified volume shall designate a personal information protection officer responsible for supervising personal information processing activities and adopt protective measures. PIPs are also required to conduct prior risk assessments of certain personal information processing activities e.g. those relating to sensitive personal information, and conduct regular audits. Entities entrusted to process personal information (entities similar to “data processors” under the GDPR) shall fulfill the same obligations under this Chapter 5.
Cross-border transfer of personal information
Under the draft PIPL, PIPs can only transfer personal information overseas by complying with at least one of the following: (1) undergo a security assessment administered by the National Cyberspace Administration (NCA); (2) obtain verification from professional institutions in accordance with the rules of the NCA; (3) enter into a transfer agreement with the transferee using the standard contract published by the NCA; or (4) follow the transfer mechanisms in accordance with other laws and regulations.
Individuals are entitled to various rights under the draft PIPL, including but not limited to the right to restrict or refuse the processing of their personal information, right of access to their personal information and the right to request correction and deletion of their personal information. PIPs would have to explain with reasons if they reject the above requests from individuals.
Violations of the draft PIPL could attract significant penalties. Fines of up to 1 million Renminbi (~USD 150,000) could be imposed on companies, with fines of 10,000 to 100,000 Renminbi (~USD 1,500 to 15,000) imposed on responsible individuals. In more serious cases, fines could be increased to 50 million Renminbi (~USD 7.5M) or 5% of the company’s total turnover in the preceding year for companies, and 100,000 to 1 million Renminbi (~USD 15,000 to 150,000) for responsible individuals.
It is impossible to predict whether the draft PIPL will be further modified prior to its final enactment. Nonetheless, if passed, the legislation would be the first in the PRC dedicated to personal information protection and it will likely form the legal framework that governs personal data protection in the PRC for years to come.