September 19, 2021

Volume XI, Number 262


September 17, 2021


Update on the State of Privacy Law in China

China is continuing to move forward with its first comprehensive privacy law. China recently issued a second version of the draft Personal Information Protection Law (Draft PIPL), which will be open for public comments until May 28, 2021. (An earlier version of the law was released at the end of 2020.) The law is anticipated to come into effect sometime in the next one to two years.

Current State of Laws

China does not currently have a comprehensive data privacy law. There are some rules about data protection and use scattered in existing laws, national standards and governmental guidelines. For example, the country’s current Cybersecurity Law, which came into effect in June 2017, is focused on the “critical information infrastructure.” Specifically, the law is directed at “network operators” (anyone owning or operating a computer system network), and suppliers of network products and services.

Over the past several years, China has also issued other related guidance. While still in draft form, this includes the Security Assessment on Cross-border Transfer of Personal Information and Guidelines for Personal Information Security Engineering. Other recent sectoral guidance also indirectly impacts how companies use and protect information in China. For e-commerce, this includes the Measures for the Supervision and Administration of Online Transactions. There have also been several rules released aimed at improving data governance in China’s financial sector (e.g., Guidelines for Data Capacity-Building in the Financial Industry). And other recently released standards touch on facial recognition data and data collected from connected cars.

Draft Data Security Law

Worth keeping in mind when thinking about the impact PIPL will have is China’s draft Data Security Law (DSL), the second version of which was also recently released. The Draft DSL primarily applies to “important data,” or data that has national security concerns for China. Practically speaking, this law may require designating data security personnel and management bodies to ensure responsibility over data security. It may also require conducting risk assessments and submitting reports of those assessments to the applicable authorities. The Draft DSL also calls for mandatory reporting requirements for data security incidents. Once finalized, the PIPL and DSL, coupled with the Cybersecurity Law, will form the over-arching legal framework for data privacy and protection in China.

Preparing for PIPL

The Draft PIPL has a broad extra-territorial effect similar to that of the EU’s GDPR. Namely, the law applies to processing of personal information that happens outside of China if the purpose of the processing is (i) to provide products or services to individuals in China, (ii) to “analyze” or “assess” the behavior of individuals in China, or (iii) another purpose to be specified by laws and regulations. Thus, even if an organization does not have a physical presence or legal entity in China, the law could still apply.

While the law is still in draft form, companies that expect PIPL to apply to them may want to begin thinking now about some of the potential operational changes under this law. Some of these considerations are highlighted below:

  • Basis of Processing. Unlike the current Cybersecurity Law, where “consent” is the only available legal basis for collecting and using personal information, the Draft PIPL is more like GDPR. It permits multiple legal bases for processing. Nonetheless, there are still some types of processing that must be based on consent, for example, processing information about someone under 14, sharing biometric-type information for non-security purposes, and processing sensitive information. The law also calls for processing to be based on a “minimum necessary” standard. Like GDPR, there are requirements for engaging in automated decision-making.

  • Data Subject Rights. The Draft PIPL proposes various data subject rights. These include a right to information and explanation on the data processing. Individuals will also have a right to access, right to correction, right to object to processing, right to withdraw consent and a right to deletion.

  • Localization. Critical information infrastructure operators and entities who process personal information of a certain volume (the threshold is currently unspecified) are required to store the personal information collected and generated within the borders of China. If information needs to be transferred overseas, a company will have to pass a security assessment organized by the Cyberspace Administration of China.

  • Cross-border Transfers. In addition to the security assessment for certain organizations, the law requires notice and consent for cross-border transfers. Companies must carry out an internal risk assessment prior to transferring data out of China and keep records of such transfers. A lawful transfer mechanism, such as a standard transfer agreement or a security assessment administered by the Cyberspace Administration of China, is also required.

  • Data Breach Notification. In the event of a data breach, the Draft PIPL requires entities to take “immediate” remediation actions and notify the relevant agency and affected individuals. The text itself does not provide a time limit for notification (e.g., 72 hours).

  • Penalties. Under the Draft PIPL, an organization that unlawfully processes personal information or fails to take necessary security measures to protect personal information may be subject to a baseline fine up to 1 million RMB. If the violation is considered serious, the fine may be increased up to 50 million RMB or 5% of the organization’s annual revenue for the prior financial year.

Putting it Into Practice. Companies who are already addressing GDPR or CCPA requirements will find some aspects of China’s draft laws familiar. While the laws have not yet been finalized, they are expected to be passed in the next year or two. Now is a good time, then, to start thinking about how to offer GDPR-type rights in China, as well as preparing for breach notice requirements and data transfer issues.

Copyright © 2021, Sheppard Mullin Richter & Hampton LLP. National Law Review, Volume XI, Number 133

About this Author

Liisa Thomas, Sheppard Mullin Law Firm, Chicago, Cybersecurity Law Attorney
Partner

Liisa Thomas, a partner based in the firm’s Chicago and London offices, is Co-Chair of the Privacy and Cybersecurity Practice. Her clients rely on her ability to create clarity in a sea of confusing legal requirements and describe her as “extremely responsive, while providing thoughtful legal analysis combined with real world practical advice.” Liisa is the author of the definitive treatise on data breach, Thomas on Data Breach: A Practical Guide to Handling Worldwide Data Breach Notification, which has been described as “a no-nonsense roadmap for in-house and...

312-499-6335

Julia Kadish is an attorney in the Intellectual Property Practice Group in the firm's Chicago office.

Areas of Practice

Julia's practice focuses on data breach response and preparedness, reviewing clients' products and services for privacy implications, drafting online terms and conditions and privacy policies, and advising clients on cross-border data transfers and compliance with US and international privacy regulations and standards. She also works on drafting and negotiating software licenses, data security exhibits, big data licenses, professional...

312.499.6334
Kari Rollins Intellectual Property Lawyer Sheppard
Partner

Kari M. Rollins is a partner in the Intellectual Property Practice Group in the firm's New York office.

Areas of Practice

Ms. Rollins focuses her practice on privacy and complex commercial litigation matters. She has successfully represented clients in the financial services, audit and accounting, food services, retail, and fashion industries before state and federal courts, as well as in front of state attorneys general, federal regulators, and U.S. and international commercial arbitration forums....

212.634.3077