Along with the rapid development of the information society, the collection and use of personal information have become more extensive. However, people have become concerned that personal data are also being collected and obtained without the consent of the personal data subjects, and bought and transferred for illegitimate purposes, endangering people’s lives and property. The importance of personal information protection can never be overestimated. Some existing laws and regulations, including the Civil Code, the Cybersecurity Law, the E-commerce Law and the Law on the Protection of Consumer Rights and Interests, include provisions relating to personal information protection. But this has not been enough to protect it effectively.
Responding to people’s concerns, China released a draft of the Personal Information Protection Law (the “Draft PIP Law”) to seek public opinion on October 21, 2020 after the first reading by the Standing Committee of the National People’s Congress, China’s top legislature.
1. Personal Information and Sensitive Personal Information
The Draft PIP Law introduces two concepts: “personal information” and “sensitive personal information”:
2. Personal Information Processing and Its Principles
Processing of personal information is defined broadly as the collection, storage, use, processing, transmission, provision, or public disclosure of personal information. Accordingly, a personal information processor is an organization or individual that determines, at its own discretion, the purposes and methods of processing personal information.
The Draft PIP Law requires that the personal information shall be processed:
lawfully and justifiably;
in good faith;
for explicit and reasonable purposes;
to the minimum extent necessary for achieving processing purposes (it is not permissible to process any personal information irrelevant to the processing purposes);
in an open and transparent way after expressly disclosing the rule of personal information processing; and
in a precise way with timely update.
3. Personal Information Processing Requirements
Individuals’ Consent + Limited Exceptions
The Draft PIP Law sets out multiple legal bases for personal information processing, with the idea of seeking “informed consents” at the core, and underscores that a processor may process personal information only under the following circumstances:
(1) the individual’s consent has been obtained;
(2) processing is necessary to enter into or perform a contract to which the individual is a party;
(3) processing is necessary to perform legal duties or statutory obligations;
(4) processing is necessary to respond to a public health emergency or to protect natural persons’ health and properties in an emergency;
(5) personal information is processed to a reasonable extent for purposes of carrying out news reporting and public opinion monitoring for public interests; or
(6) other circumstances permitted by laws and regulations.
Before processing, a personal information processor shall inform the individuals of the following in notable, explicit and easy-to-understand language, unless applicable laws and regulations require otherwise:
identity and contact details of processor;
purposes and methods of processing and catalogues and storage period of personal information to be processed;
methods and procedures through which individuals can exercise their rights granted by the personal information protection law; and
other matters that are required to be informed by laws and regulations.
After being fully informed, individuals may give their explicit consent on a voluntary basis; where laws and regulations so require, each individual shall give his/her separate consent or written consent. In the event of any change of processing purpose, processing method or catalogues of personal information to be processed, the processor is obligated to obtain the individuals’ consent again. Even so, each individual has the right to withdraw consent at his/her own discretion.
The Draft PIP Law, however, does not clearly define what a “separate consent” or a “written consent” is. The prevailing understanding is that separate consent or written consent requires a special formality in obtaining the individual’s informed consent, but what that formality should be needs clarification from the law.
Period of Storage
Personal information shall be stored for the minimum period necessary for achieving the processing purposes.
Two or more processors shall agree on their respective rights and obligations prior to jointly processing personal information; in the case of infringement, they will bear joint and several liability.
Processor and its sub-processors must agree on the purposes of sub-processing, methods of processing, catalogues of personal information, protection measures and their respective rights and obligations. The Draft PIP Law prohibits sub-processors from appointing their sub-processors without the consent of the processor.
Transfer of Personal Information
In the event of a transfer of personal information due to the processor’s merger, division or other reasons, the processor shall inform the individuals of the information relating to the recipient, and the recipient shall assume the obligations of the processor; however, if the original purposes or methods of processing change, the processor/recipient is required to re-inform the individuals and obtain their consent.
Provision of Personal Information to Third Parties
The Draft PIP Law does not allow a processor to provide personal information to third parties unless and until it has informed individuals of the information relating to such third parties, the purposes of processing, the methods of processing and the catalogues of personal information, and has obtained separate consent from the individuals. Any change to the original purposes or methods of processing requires informing individuals and obtaining their consent.
Processor cannot disclose any personal information it has processed unless a separate consent has been obtained or applicable laws and regulations provide otherwise.
Processing Sensitive Personal Information
The Draft PIP Law obligates a personal information processor to process sensitive personal information only when:
(1) its processing has specified purposes and sufficient necessity;
(2) it has informed the individuals of the necessity of processing sensitive personal information and the impact on individuals; and
(3) it has obtained separate consents from individuals (or written consents if applicable laws and regulations so require).
4. Cross-border Transfer of Personal Information
A personal information processor may transfer personal information overseas once it can meet the following:
(1) Separate informed consent: The Draft PIP Law imposes separate informed consent obligations on processor for cross-border transfer of personal information, on top of general informed consent requirements for in-country collection and use of personal information:
Processor to inform individuals of the identity and contact details of the overseas recipient, purposes of processing, methods of processing, catalogues of personal information and the means to exercise personal information subject rights against the overseas recipient; and
Processor to obtain individuals’ separate consent.
(2) Prior risk assessment: Processor should conduct a risk assessment prior to cross-border transfer of personal information according to Article 51 of the Draft PIP Law.
(3) At least one of the legal bases: The Draft PIP Law requires the processor to complete any one of the following before cross-border personal information transfer, in addition to obtaining the separate informed consent and conducting the prior risk assessment:
Certification by professional institutions of personal information protection in accordance with provisions of CAC; or
Execution of contracts with overseas recipients specifying their respective rights and obligations and ensuring the overseas recipients can meet the personal information protection standards as established by the Draft PIP Law; or
Other conditions as required by the applicable laws and regulations or CAC.
In short, the proposed provisions above indicate a much more positive and flexible mechanism for cross-border data transfer than the previous draft measures on personal information and important data export released in 2017 and 2019, under which any type of cross-border personal information transfer would require a complicated and time-consuming security assessment.
Data Local Storage
Critical information infrastructure operators as defined by the Cybersecurity Law, and processors who process personal information reaching a certain quantity threshold set by CAC, shall store the personal information they collect and generate within the territory of China and cannot transfer such personal information overseas unless they have passed a security assessment.
5. Individuals’ Rights in Personal Information Processing
The Draft PIP Law grants the following main rights to individuals in respect of personal information processing:
Right to know;
Right to make decision;
Right to restrict or refuse the processing of his/her personal information by other parties;
Right to access and copy personal information;
Right to modify and supplement personal information;
Right to delete personal information; and
Right to demand that the processor explain the rules of processing.
6. More Obligations to Personal Information Processors
(1) Processor is obligated to take necessary measures including the following:
To formulate internal management rules and operation protocols;
To classify personal information and manage personal information based on classification;
To take technological safety measures including encryption and de-identification;
To reasonably determine operational authorization for personal information processing and give staff regular security education and training;
To formulate and implement an emergency plan for personal information security incidents; and
To adopt other measures as required by applicable laws and regulations.
(2) Processor is obligated to appoint a personal information protection officer (applicable when the quantity of processed personal information reaches a certain threshold);
(3) Overseas processor is obligated to set up a local presence in China or appoint a representative and make a filing with the relevant authorities;
(4) Processor should conduct regular audits; and
(5) Processor should conduct a risk assessment prior to any of the following personal information processing activities (risk assessment reports and relevant records should be retained for a period of at least three years):
Processing sensitive personal information;
Automated decision-making using personal information;
Sub-processing personal information, providing personal information to third parties and making public personal information;
Transferring personal information overseas; and
Other personal information processing activities that may have significant impact on individuals.
7. Extra-territorial Effect of the Draft PIP Law
It is foreseeable that there will be further drafts after the public opinion solicitation is completed. As a new milestone in the unified protection of personal information, this legislative development deserves our special attention.