China unveils new draft data privacy law

On 21 October 2020, the National People's Congress of the People's Republic of China released a first draft of the Personal Information Protection Law (“Draft PIPL”) for public comments. The full text of the Draft PIPL is available here. This consultation will close on 19 November 2020. 

In this update, we set out some of the key points of the Draft PIPL and brief comments from us on those points. 

1. Introduction

China has historically had a patchwork of different laws (both in effect and in draft (but influential) form) containing different data protection requirements, including:

• Cybersecurity Law – having become effective on 1 June 2017. 
• E-Commerce Law – having become effective on 1 January 2019. 
• Personal Information Security Specification – having been updated on 6 March 2020 and taking effect on 1 October 2020 (noting these are technical standards rather than mandatory regulations, though they are considered best practice in China and regularly considered by authorities in any action). 
• Data Security Law – a draft was released on 3 July 2020, with public consultation having closed on 16 August 2020. It is the first law in China aimed at regulating the collection, processing, control and storage of data involving national security, business secrets and personal data.

The Draft PIPL attempts to consolidate various existing data protection obligations under those different laws – and particularly important given that, as the NPC noted, China had (as of March 2020) more than 900 million internet users, 4 million websites and 3 million mobile applications. However, it is important to note that the draft PIPL does not replace those different laws, and therefore organisations will need to continue being cognisant that while the Draft PIPL will be extremely important, it will also be one element of that wider patchwork of laws. 

Liu Junchen, deputy director of the Legal Affairs Committee of the Standing Committee of the National People's Congress, noted the importance of the protection of personal information (our translation): 

"… the formulation of a personal information protection law is an objective requirement to further strengthen the legal protection of personal information protection; is a practical requirement for maintaining a healthy cyberspace; and an important step in promoting the healthy development of the digital economy."

The Draft PIPL, in its consolidation of those existing obligations, also means that various "best practice" obligations will become binding law. It is influenced in significant parts by the General Data Protection Regulation in the European Union ("GDPR"), while retaining a significant "China" flavour. 

While public consultation is continuing on this, we expect that the Draft PIPL will (even in draft, unimplemented form) would be effectively treated as law by relevant China government regulators. In that light, it is important that businesses understand what it requires – and we will continue to closely monitor developments, including any further drafts of the Draft PIPL (given there have already been many consultation responses provided since the consultation commenced). 

An important qualification to this update is that, given the Draft PIPL is in draft and consultation form, and given the importance of implementing regulations and regulator guidance to the interpretation of laws in China – there will remain a degree of uncertainty regarding how the Draft PIPL will be implemented (if and when it is implemented) until such regulations and guidance are released. For example:

• As discussed above, the relationship between the Draft PIPL and other relevant laws (and how any overlap/conflict will be interpreted) is to be confirmed. 
• From experience in other jurisdictions, some of the below discussed areas will require significant further details. As examples, we will be looking for further details regarding:
  
  • the definition of "separate consent",
  • how any PIRA will be carried out, and
  • how data breach notifications will occur in practice (this has been a key issue in overseas jurisdictions that have implemented data breach notification requirements).

Clarification of above areas may require further regulations or guidance from regulators. 

2. Data protection principles and key terms

The Draft PIPL is based on seven data protection principles – legality, explicit purpose, minimum necessity, transparency, accuracy, accountability and data security. This is important for framing the wider effects arising from the Draft PIPL. 

"Personal information" under the Draft PIPL refers to the various types of information recorded in electrical or other formats related to identified or identifiable individuals – and includes both information that can identify data subjects or related to the data subjects.

The Draft PIPL uses the term "data processor" to reference what many other data privacy laws would describe as "data controller" (and the Draft PIPL does not use the term "data controller"). For clarity, we have used "organisation" to describe the data processor (i.e. data controller) under the Draft PIPL. 

3. Responsible governmental departments for the Draft PIPL

The departments responsible for the Draft PIPL include the CAC, relevant department of the State Council, and relevant department of local government at county level or above.

One of the nuances that many multinational organisations face in complying with data privacy laws in China are the various regulatory authorities that may have oversight of (and power to enforce) those laws. This will likely continue under the Draft PIPL. 

4. Extra-territorial effect

The Draft PIPL proposes to be applicable outside of China to the extent necessary to protect the interests of data subjects in China. 

In particular (and with a significant nod to the GDPR), the Draft PIPL will:

• apply to data processing activities outside of China, where their purpose is to provide products or services to individuals in China or to analyse and make assessments about the behaviour of individuals in China; and
• require organisations located outside of China but governed by the Draft PIPL to establish entities or appoint representatives in charge of personal information protection, and with those representatives or entities' details to be registered with the relevant government department. 

5. Cross-border transfer and data localisation

The Cybersecurity Law and the Personal Information Security Specification both had specified significant cross-border data transfer restrictions. For example, as part of the Personal Information Security Specification, the China government had proposed mandatory security assessments obligations on all businesses in mainland China operating networked IT systems. 

Cross-border transfer restrictions remains one of the key issues that multinational organisations face in their compliance with data privacy obligations under China law, and has been a key contributor to many multinational organisations effectively segregating their China IT systems from the rest of their international network. 

The Draft PIPL attempts to prepare a more "unified" cross-border data transfer legislative framework for organisations to follow. Broadly speaking and subject to various restrictions as set out below, it proposes that most organisations will be permitted to access and transfer most personal data outside of China, if it complies with all of the following: 

• The organisation has obtained explicit consent from the relevant data subject for the access/transfer.
• The organisation has undertaken a personal information risk assessment ("PIRA") on such access/transfer – see Section ‎8. 
• The access/transfer satisfies one of the following requirements:
  
  • Contractual obligations with the offshore data processor that satisfy relevant requirements under the Draft PIPL.
  • A security impact assessment has been conducted that has been approved by the Cyberspace Administration of China ("CAC") ("Security Assessment").
  • A personal information protection certification has been obtained via a certification body accredited by the CAC.

There are some notable exceptions/qualifications to the above:

• The following organisations will only be able to access/transfer personal information outside of China if it has conducted a CAC Security Assessment: 
  
  • Critical information infrastructure operators.
  • Data processors meeting certain data processing volume thresholds (to be specified) will only be able to access or transfer personal information outside of Mainland China if they have conducted a security assessment which has been approved by the CAC. Otherwise the personal information in question cannot be transferred or accessed overseas.

• The Draft PIPL does not indicate whether, when personal data is transferred outside of China, retaining a local copy in China is also required.

• The above framework does not override industry-specific data localisation rules, and prohibitions of overseas transfers of certain other restricted (personal and non-personal) data, such as state secrets and “important data”.

6. Consent and lawful bases for data processing

The Draft PIPL continues to rely on consent as being the key basis for data processing. However and in line with the GDPR, the Draft PIPL also references various lawful bases under which personal information can be processed without consent, including:

• Necessity for entering into/performance of agreement with data subject. 
• Complying with legal obligations or as required by law. 
• Publication of news / public interest. 
• Responding to public health incidents or protecting safety of individual's life or property. 

Separate consent will be required for processing of sensitive personal information (see below), overseas transfers (see above), disclosures to third parties, public disclosures and collection of biometric information. 

We expect that organisations will need to update their data privacy policies to account for the above. 

7. Sensitive personal information

The Draft PIPL sets out specific restrictions on the processing of sensitive personal information, defined as "information that once leaked or abused may cause damage to personal reputation or seriously endanger personal and property safety" – and includes race, nationality, religion, biometric information, health, financial account, personal whereabouts and other information. 

Under the Draft PIPL, processing of sensitive personal information:

• will be only permitted if it is for a specific purpose, is sufficiently necessary, and separate consent (or if required by law, separate written consent) from the data subject has been obtained; and
• requires the organisation to inform the data subject of the necessity of processing that information and such processing's impact on the data subject. This requirement is in addition to the basic information to be informed to the data subject under the article 18 of the Draft PIPL. 

8. Personal information risk assessment

The Draft PIPL requires organisations to make a PIRA before conducting any of the following actions: 

• processing of sensitive personal information;
• using personal information to conduct automated decision-making;
• providing personal information to any third party (to be confirmed whether such third parties will include group companies);
• appointing a third-party data processor;
• disclosing any personal information publicly;
• cross-border transfer of personal information; and
• any other processing activities that may have “significant impact to an individual”.

National authorities will only be able to transfer personal information outside of China if it has conducted the PIRA (either by itself or with the assistance of other authorities).

Such assessment report must be kept for at least three years. The Draft PIPL further sets out what content is required to be in a PIRA.

9. Data breach notifications

If there is a data breach, the organisation shall take remedial measures immediately and notify the relevant government department and data subjects. The Draft PIPL provides specific content to be included in the notification. 

The Draft PIPL also specifies that the organisation will not be required to notify data subjects of a data breach if it has taken measures to effectively avoid damages caused by the disclosure of personal information, unless the relevant government department determines the disclosure may result in damage.

10. Liabilities arising from breach of Draft PIPL

The Draft PIPL significantly increases potential penalties beyond those provided in the Cybersecurity Law. 

The Cybersecurity Law had provided for various penalties, including rectification, confiscation of illegal gains, warnings, penalties under 1 million RMB, business suspensions, business halts for rectification, and the revocation of relevant permits or business licenses.

The Draft PIPL has a few significant points in relation to liabilities and regulatory enforcement:

• Significant increase of the financial penalties – by reference to a maximum of 5% of the organisation’s previous financial year’s annual turnover or RMB 50,000,000. It is unclear whether the turnover reference is to the organisation's global turnover (such as under the GDPR) or their local turnover (such as under the proposed Singapore PDPA Amendment Bill). 
• Increase of regulators’ powers of investigation and enforcement (including if an organisation’s non-compliance impacts multiple data subjects).
• Prior regulatory approval required if an organisation is asked or required to disclose personal data overseas “to assist international enforcement or litigation”. This will be a key point for multinational organisations – who may feasibly find themselves in a "between a rock and a hard place" situation. We will keep a close eye on how this point develops going forward. 

11. Other key points of the Draft PIPL

The Draft PIPL also introduces other key points that organisations should be aware of:

• Third-party data processors and sub-processors. In line with international trends, the Draft PIPL inserts specific obligations on third-party data processors. We note the following: 
  
  • Broadly speaking, the obligations for appointing of third-party data processors are broadly similar to the current framework and international practices.
  • The Draft PIPL prohibits third-party data processors from appointing sub-processors without the prior consent of the data processor.
  • Joint data processors are acknowledged. If multiple data processors process personal information together, the co-processors shall bear joint liability for any infringements.
  • Where an organisation appoints a third party to process personal information, both parties are required to execute a data processing agreement - that includes the purpose of data processing, the processing mode, the types of personal information processed, protection measures and both parties’ rights and liabilities. The organisation will be responsible for supervising the data processing activities. After completion of the relevant data processing, the personal information must be returned or deleted.

• Data subject rights. In addition to existing rights of access, correction, deletion and withdrawal of consent remain, data subjects' rights are expanded so as to (under certain circumstances) have the right to request deletion of their personal information, the right to withdraw consent and the right to request that the organisation explain how any processing is to be conducted.
• Data Privacy Officers. Organisations will be required to appoint a DPO if they meet certain data processing volume thresholds (to be confirmed), with the DPO to be registered with the relevant government department.

With special thanks to Yeqi Fei (Trainee Solicitor) and Louisa Wang (Intern) for their contributions.