June 13, 2021

Volume XI, Number 164

Advertisement

June 11, 2021

Subscribe to Latest Legal News and Analysis

China’s Personal Information Protection Law (Second Draft) – What to Expect

On April 29, 2021, China unveiled its second draft of the Personal Information Protection Law (draft PIPL). The draft is now available for public comments until 28 May 2021. The law aims to provide greater protections for personal information and create a data privacy regime that is more in line with the General Data Protection Regulation (GDPR) of the EU.

Some highlights of the draft PIPL are as follows:

Territorial scope

The draft PIPL applies to the processing of personal information within the People’s Republic of China (PRC), and the extraterritorial processing of personal information of natural persons within the territory of PRC under certain circumstances, such as for the purpose of providing products or services to these natural persons or under other circumstances regulated by laws and administrative regulations.

Key definitions

There are a number of obligations on “Personal Information Processors” (PIPs), which the PIPL defines as “organizations or individuals that independently make decisions on personal information processing matters such as the purpose and means of processing”.  This term appears to correlate with the “data controller” concept under the GDPR.

Obligations of PIPs and “data processors”

The obligations of PIPs are detailed in Chapter 5 of the draft PIPL. In particular, it is noted that PIPs who process personal information in a specified volume shall designate a personal information protection officer responsible for supervising personal information processing activities and adopt protective measures. PIPs are also required to conduct prior risk assessments of certain personal information processing activities e.g. those relating to sensitive personal information, and conduct regular audits. Entities entrusted to process personal information (entities similar to “data processors” under the GDPR) shall fulfill the same obligations under this Chapter 5.

Cross-border transfer of personal information

Under the draft PIPL, PIPs can only transfer personal information overseas by complying with at least one of the following: (1) undergo a security assessment administered by the National Cyberspace Administration (NCA); (2) obtain verification from professional institutions in accordance with the rules of the NCA; (3) enter into a transfer agreement with the transferee using the standard contract published by the NCA; or (4) follow the transfer mechanisms in accordance with other laws and regulations.

Individual rights

Individuals are entitled to various rights under the draft PIPL, including but not limited to the right to restrict or refuse the processing of their personal information, right of access to their personal information and the right to request correction and deletion of their personal information. PIPs would have to explain with reasons if they reject the above requests from individuals.

Violations of the draft PIPL could attract significant penalties. Fines of up to 1 million Renminbi (~USD 150,000) could be imposed on companies, with fines of 10,000 to 100,000 Renminbi (~USD 1,500 to 15,000) imposed on responsible individuals. In more serious cases, fines could be increased to 50 million Renminbi (~USD 7.5M) or 5% of the company’s total turnover in the preceding year for companies, and 100,000 to 1 million Renminbi (~USD 15,000 to 150,000) for responsible individuals.

It is impossible to predict whether the draft PIPL will be further modified prior to its final enactment.  Nonetheless, if passed, the legislation would be the first in the PRC dedicated to personal information protection and it will likely form the legal framework that governs personal data protection in the PRC for years to come.

© Copyright 2021 Squire Patton Boggs (US) LLPNational Law Review, Volume XI, Number 133
Advertisement
Advertisement
Advertisement

TRENDING LEGAL ANALYSIS

Advertisement
Advertisement
Advertisement

About this Author

Nicholas Chan Private Equity/Venture Capital Attorney Squire Patton Boggs Hong Kong
Partner

Nicholas (Nick) Chan is an experienced private equity/venture capital, merger and acquisition, commercial and compliance, TMT, employment, competition and regulatory lawyer with a computer science background and a regional practice covering 22 countries. He focuses on the telecommunications, broadcasting, information and emerging technologies, healthcare, aviation, energy, real estate, entertainment, advertising, logistics, global sourcing, petroleum and related industries. His expertise has been recognized in AsiaLaw Leading Lawyers since 2004. Most recently recognizing his...

852 2103-0388
Advertisement
Advertisement