China is continuing to move forward with its first comprehensive privacy law. China recently issued a second version of the draft Personal Information Protection Law (Draft PIPL) which will be open for public comments until May 28, 2021. (An earlier version of the law was released at the end of 2020.) The law is anticipated to come into effect sometime in the next one to two years.
Current State of Laws
China does not currently have a comprehensive data privacy law. There are some rules about data protection and use scattered in existing laws, national standards and governmental guidelines. For example, the country’s current Cybersecurity Law, which came into effect in June 2017, is focused on the “critical information infrastructure.” Specifically, the law is directed at “network operators” (anyone owning or operating a computer system network), and suppliers of network products and services.
Over the past several years, China has also issued other related guidance. While still in draft form, this includes the Security Assessment on Cross-border Transfer of Personal Information and Guidelines for Personal Information Security Engineering. Other recent sectoral guidance also indirectly impact how companies use and protect information in China. For e-commerce, this includes the Measures for the Supervision and Administration of Online Transactions. There have also been several rules released aimed at improving data governance in China’s financial sector (e.g., Guidelines for Data Capacity-Building in the Financial Industry). And other recently released standards touch on facial recognition data and data collected from connected cars.
Draft Data Security Law
Worth keeping in mind when thinking about the impact PIPL will have is China’s draft Data Security Law (DSL), the second version of which was also recent released. The Draft DSL It primarily applies to “important data” or data that has national security concerns for China. Practically speaking, this law may require the need to designate data security personnel and management bodies to ensure responsibility over data security. It may also require conducting risk assessments and submitting reports of those assessments to the applicable authorities. The Draft DSL also calls for mandatory reporting requirements for data security incidents. Once finalized, the PIPL and DSL, coupled with the Cybersecurity Law, will form the over-arching legal framework for data privacy and protection in China.
Preparing for PIPL
The Draft PIPL has a broad extra-territorial effect similar to that of the EU’s GDPR. Namely, the law applies to processing of personal information that happens outside of China if the purpose of the processing is to (i) to provide products or services to individuals in China, (ii) to “analyze” or “assess” the behavior of individuals in China, or (iii) for other purposes to be specified by laws and regulations. Thus, even if an organization does not have a physical presence or legal entity in China, the law could still apply.
While the law is still in draft form, companies that expect PIPL to apply to them may want to begin thinking now through some of the potential operational changes of this law. Some of these considerations are highlighted below:
Basis of Processing. Unlike the current Cybersecurity Law, where “consent” is the only available legal basis for collecting and using of personal information, the Draft PIPL is more like GDPR. It permits multiple legal bases for processing. Nonetheless, there are still some types of processing that must be based on consent. For example, when processing information about someone under 14, sharing biometric-type information for non-security purposes, and processing sensitive information. The law also calls for processing to be based on a “minimum necessary” standard. Like GDPR, there are requirements for engaging in automated decision-making.
Data Subject Rights. The Draft PIPL proposes various data subject rights. This includes a right to information and explanation on the data processing. Individuals will also have a right to access, right to correction, right to object processing, right to withdraw consent and a right to deletion.
Localization. Critical information infrastructure operators and entities who process personal information of a certain volume (the threshold is currently unspecified) are required to store the personal information collected and generated within the borders of China. If information needs to be transferred overseas, a company will have to pass a security assessment organized by the Cyberspace Administration of China.
Cross-border Transfers. In addition to the security assessment for certain organizations, the law requires notice and consent for cross-border transfers. Companies must carry out an internal risk assessment prior to transferring data out of China and keep records of such transfers. A lawful transfer mechanism such as a standard transfer agreement, or a security assessment administered by the Cyberspace Administration of China is also required.
Data Breach Notification. In the event of a data breach, the Draft PIPL requires entities to take “immediate” remediation actions and notify the relevant agency and affected individuals. The text itself does not provide a time limit for notification (e.g., 72-hours).
Penalties. Under the Draft PIPL, an organization that unlawfully processes personal information or fails to take necessary security measures to protect personal information may be subject to a baseline fine up to 1 million RMB. If the violation is considered serious, the fine may be increased up to 50 million RMB or 5% of the organization’s annual revenue for the prior financial year.
Putting it Into Practice. Companies who are already addressing GDPR or CCPA requirements will find some aspects of China’s draft laws familiar. While the laws have not yet been finalized, they are expected to be passed in the next year or two. Now is a good time, then, to start thinking about how to offer GDPR-type rights in China, as well as preparing for breach notice requirements and data transfer issues.