Observations on the People's Republic of China Draft Law on Personal Information Protection: A Cross-Border Perspective
The full text of the Law of the People’s Republic of China on Personal Information Protection (Draft) (the Draft) was released on 21 October 2020 for public comments by 19 November 2020.
The Draft consists of 70 articles, which are divided into eight chapters and mainly touch upon the following five areas:
- Scope of application;
- Rules on personal information processing;
- Rules on the cross-border provision of personal information;
- Rights of individuals and obligations of processors during the processing of personal information; and
- Authorities fulfilling the duty of protecting personal information.
It is believed that the Draft will have a full and profound impact on foreign undertakings doing business in the People’s Republic of China (PRC) when it becomes law, not only because of its rules on the cross-border provision of personal information, but also because of its potential extraterritorial jurisdiction and hefty administrative fines.
Scope and Extraterritorial Effect
The Draft applies to any activities conducted by entities or individuals that process the personal information of a natural person within the territory of the PRC. The Draft does not distinguish by the nationality of the personal information subject or of the personal information processor.
More importantly, it also applies to activities conducted outside the territory of the PRC that process the personal information of individuals residing within the territory of the PRC, under any of the following circumstances:
- The processing of personal information is to serve the purpose of providing products or services for individuals residing within the territory of the PRC;
- The processing of personal information is to serve the purpose of analyzing and assessing the behaviors of individuals residing within the territory of the PRC; or
- Other circumstances as stipulated by laws or administrative regulations.
The Draft applies to the processing of personal information in the context of the activities of a personal information processor and the location of a personal information subject, regardless of whether the processing takes place in the PRC or not. The extraterritorial effect of the Draft will impact the business models or operations of undertakings doing cross-border business in China. For example, some internet undertakings provide services to customers in China and use teams outside China to analyze customer feedback to ensure that the feedback is not fraudulent or biased. Such analysis activities fall within the scope of the Draft.
Similar to the General Data Protection Regulation of the European Union (GDPR), the Draft also requires, where the extraterritorial rule applies, the personal information processor to set up a specialized agency or designate a representative in the PRC to take responsibility for handling matters concerning personal information protection, and to report the name of such agency, or the name and contact information of the representative, to the regulatory authorities.
Requirements of the specialized agency or the representative are ambiguously worded in the Draft. For example, it is unclear if the agency must be registered in China. It is also unclear who can act as the representative of a foreign personal information processor in China.
It is worth noting that China plans to launch pilot programs on cross-border data transmission security management in Beijing, Shanghai, Hainan, and Xiongan New Area within three years from 2 August 2020. It is anticipated that those cities or areas will be among the first to adopt the pilot implementation rules, which address the foregoing issues.
Cross-Border Provision of Personal Information
While the extraterritorial effect will impact the business model of an undertaking doing cross-border business in the PRC, the rules on cross-border provision of personal information will substantially change the internal management (human resources, finance, and others) of multinational enterprises (MNEs) that do business in the PRC and generally centralize their global management through cross-border data transfers.
Under the Draft, key definitions cover any operation that is performed based on personal information in the PRC:
- Personal information refers to all information related to identified or identifiable natural persons that is recorded by electronic or other means, excluding information that has undergone anonymization treatment.
- Sensitive personal information is also defined in the Draft as personal information that, once leaked or illegally used, may lead to personal discrimination or serious harm to personal or property safety, including race, nationality, religious belief, personal biological features, medical history, health, financial account, personal whereabouts etc.
- Personal information processor refers to any entity or individual that determines the processing purpose, processing method, or any other matter relating to the processing of any personal information at its sole discretion.
- Personal information processing includes all activities relating to personal information, such as collection, storage, use, processing, transmission/transfer, provision, disclosure, and other activities.
In this context, Chapter III of the Draft, among others, puts forward stricter requirements on cross-border provision of personal information.
The Cybersecurity Law of the PRC requires critical information infrastructure operators (CIIOs) to store, within the territory of the PRC, the personal information that they collect and/or generate in China. The Draft extends the same requirement to State authorities and to personal information processors who process personal information up to the amount specified by the State cyberspace authorities. If it is necessary to provide personal information overseas, CIIOs and such specified personal information processors shall generally pass a security assessment organized by the State cyberspace authorities.
It is advisable for internet (content) services providers doing cross-border business in China or MNEs having thousands of employees in China to note the development of this rule.
Conditions and Methods of Cross-Border Provision
Where, for business needs, personal information processors need to provide personal information outside the territory of the PRC, they shall meet one of the following conditions:
- Having passed the security assessment organized by the State cyberspace authorities;
- Having undertaken personal information protection certification conducted by professional agencies; or
- Having signed a contract with the overseas receiving parties to provide for rights and obligations of parties thereto, and supervising their personal information processing activities to ensure that the personal information protection standards under PRC law are met.
In addition to the foregoing safeguards, the Draft requires a prior risk assessment of the cross-border provision of personal information, together with the relevant records.
Separate Consent of Personal Information Subject
The Draft introduces a separate “notification-consent” requirement for cross-border provision of personal information. According to Article 39 of the Draft, a personal information processor shall notify the personal information subject of the identity and contact information of the overseas receiving party, the processing purpose and method, the type of personal information to be processed, and the way in which the individual can exercise his or her rights under the Draft against the receiving party, and shall obtain the separate consent of the personal information subject.
Compared with GDPR, the Draft does not include rules about transfer on the basis of an adequacy decision or rules regarding appropriate safeguards within members of a group of undertakings, such as binding corporate rules. Whether the compliance requirements under the Draft will be burdensome for undertakings doing cross-border business in China is worth further observation after the law comes into force.
Details of some key issues are lacking in the Draft at this stage. For example, it is unclear what the necessary contents and methods of risk assessments are, what procedures and time limits for mandatory security assessment are, and whether any standard contractual clauses should be adopted in the contract with an overseas receiving party.
Under the Draft, in the event of serious infringements, authorities may, among other things, impose administrative fines of up to RMB 50 million or 5 percent of last year’s annual turnover. Although the scope of personal information processors, which are subject to administrative fines, is not clear in the Draft, we cannot rule out the possibility that it refers to an undertaking rather than a single entity given the practice under GDPR.
Undertakings doing cross-border business in the PRC, including MNEs, are encouraged to keep a close eye on regulatory developments spearheaded by the Draft.