The draft Personal Information Protection Law of the PRC (个人信息保护法, "Draft Law") has been made available for public consultation until November 19, 2020, after being tabled for first reading by the Chinese legislature in October 2020.
The 70-article Draft Law specifies various data protection principles, including legality, transparency, accuracy, explicit purpose, minimum necessity, data security and accountability. When enacted, it will supplement other legislation, such as the Cybersecurity Law, the recently adopted Civil Code and the newly released Draft Data Security Law.
This article summarises some key highlights of the Draft Law.
Consistent with existing statutory definitions, "personal information" and "handling of personal information" are broadly defined to cast a wide net for data protection. Personal information covers various data related to identified or identifiable individuals, which are recorded by electronic or other means, but excludes anonymised data. The handling of personal information includes the collection, storage, use, processing, transmission, making available and publication of this information. Consent requirements from the data subjects vary depending on the different scenarios in which personal data is handled.
The Draft Law also identifies "sensitive personal information" as personal information which, if leaked or used illegally, can lead to discrimination against the individual or serious damage to the safety of the individual or his or her property. Such information includes one's race, ethnicity, religious beliefs, personal biometrics, medical history, financial accounts, personal location tracking, etc. The relevant provisions require that sensitive personal data can only be handled where there is a specific purpose and sufficient necessity.
Legal basis for handling personal information
Aside from where the data subject has given consent, the Draft Law also authorises the handling of personal information when:
- it is necessary for the execution or performance of a contract to which the data subject is a party;
- it is necessary for the performance of statutory duties or obligations;
- it is necessary for responding to a public health emergency or for the protection of the life, health and property of a natural person in an emergency;
- acting in the public interest for news reporting or media supervision within a reasonable scope; or
- permitted by other laws and regulations.
On the other hand, separate opt-in consent is required for the handling of sensitive personal information, and parental consent is required for data subjects under the age of 14. Specific disclosure in the privacy notice and separate consent are required for the transfer or sharing of personal data.
Data localisation and cross-border transfer
Operators of critical information infrastructure, and data handlers whose handling activities reach the prescribed thresholds, must store the personal information they collect and generate in China within the territory. Cross-border transfer will only be allowed for those transferors who have passed the security assessment conducted by the designated network security authority.
On the other hand, ordinary transfers of personal information outside China are permissible if a data handler:
- has passed the security assessment conducted by the Chinese regulator;
- has obtained relevant personal information protection certification from a professional institution; or
- has imposed contractual obligations for the foreign data recipient(s) to comply with PRC data protection laws.
The Draft Law explicitly asserts extraterritorial jurisdiction for the first time. It will apply not only to the handling of personal information of natural persons within China, but also to handling activities that take place outside of China, where they relate to the provision of goods or services to Chinese customers or the behavioural analysis/assessment of Chinese data subjects.
Foreign data handlers that collect and analyse data for the aforementioned purposes will need to establish a special organisation or appoint a representative in China to deal with data protection related matters, and to report the contact information of such organisation or representative to the relevant Chinese regulators. Failure to comply could result in being put on a "blacklist" and being restricted or forbidden from receiving personal information from China.
The Draft Law expands the range of penalties beyond those provided under the Cybersecurity Law. In addition to rectification orders, confiscation of illegal income, warnings, administrative fines, suspension of business for rectification, and revocation of relevant licenses or business licenses, the Draft Law also imposes fines of up to RMB 50 million (approximately US$7.4 million) or 5% of the offender's revenue in the previous year.
It is anticipated that the Draft Law will be finalised and officially promulgated late next year at the earliest. Once passed, it will complete an important piece of the Chinese legal requirements for the protection of personal information. It will also have a significant impact on foreign companies and on overseas parent companies of Chinese subsidiaries that deal with personal information collected from China.