Open a micro letter and sweep a two-dimensional code
Subscribe to our WeChat public number
Turn on the phone and sweep the two-dimensional code
You can access the website and share it with your friends through a mobile phone
China released the second draft of the Personal Information Protection Law (the “Draft PIP Law”) to seek public opinion on April 29, 2021 after the second reading by the Standing Committee of the National People’s Congress, China’s top legislature (the first draft was released on October 21, 2020). The following are the highlights of the Draft PIP Law based on its second draft.
1. Personal Information and Sensitive Personal Information
The Draft PIP Law introduces two concepts: “personal information” and “sensitive personal information” (Articles 4 and 29):
2. Personal Information Processing and Its Principles
Processing of personal information is defined broadly as the collection, storage, use, process, transmission, provision, or public disclosure of personal information. Accordingly, personal information processor is an organization or individual who discretionarily determines the purposes and methods of processing personal information.
The Draft PIP Law requires that the personal information shall be processed:
lawfully, justifiably and in good faith (It is not allowed to process any personal information in a way of misleading, fraud or coercion);
for explicit and reasonable purposes;
to the minimum extent necessary for achieving processing purposes and in a way with minimum impact on personal interest (it is not permissible to process any personal information irrelevant to the processing purposes);
in an open and transparent way which includes the public announcement of the rule of personal information processing and the explicit disclosure of purposes, methods and scopes of processing; and
ensuring the quality of personal information and avoiding adverse impact on personal interest by inaccuracy or incompleteness of the personal information.
3. Personal Information Processing Requirements
Individuals’ Consent + Limited Exceptions
The Draft PIP Law sets out multiple legal bases for personal information processing with the idea of seeking “informed consents” at the core and underscores that processor can only process personal information under the following circumstances:
(1) the individual’s consent has been obtained;
(2) processing is necessary to enter into or perform a contract to which the individual is a party;
(3) processing is necessary to perform legal duties or statutory obligations;
(4) processing is necessary to respond to a public health emergency or to protect natural persons’ health and properties in an emergency;
(5) processing, to the reasonable extent pursuant to the PIP Law, personal information that has been made public;
(6) personal information is processed to a reasonable extent for purposes of carrying out news reporting and public opinion monitoring for public interests; or
(7) other circumstances permitted by laws and regulations.
The Draft PIP Law makes it clear that no individual’s consent is required under any of the circumstances of above items (2) to (7).
Personal information processor shall inform the individuals of the following by using notable, explicit and easy to understand languages before processing unless applicable laws and regulations require otherwise:
identity and contact details of processor;
purposes and methods of processing and catalogues and storage period of personal information to be processed;
methods and procedures through which individuals can exercise their rights granted by the personal information protection law; and
other matters that are required to be informed by laws and regulations.
After being fully informed, individuals may give their explicit consents on a voluntary basis or each individual shall give his/her separate consent or written consent if laws and regulations require to do so. In the event of any change of processing purposes, processing methods or catalogues of personal information to be processed, processor is obligated to reobtain individuals’ consents. Even so, each individual has the right to withdraw consent at his/her own discretion. Withdrawal of consent would not affect the validity of personal information processing that has been completed based on individual’s consent. Processor should provide to individuals convenient ways of withdrawal.
The Draft PIP Law, however, does not clearly define what a “separate consent” or a “written consent” is. The overwhelming understanding is that the separate consent or written consent requires a special formality in obtaining individual’s informed consent but what such special formality should be needs clarification from the law.
Period of Storage
Personal information shall be stored for a minimum period necessary for achieving the processing purposes.
Two or more processors shall agree on their respective rights and obligations prior to jointly processing personal information; and in the case of infringement, they will undertake liabilities severally and jointly.
Processor and its sub-processors must agree on the purposes of sub-processing, term, methods of processing, catalogues of personal information, protection measures and their respective rights and obligations. Sub-processors is obligated to return or destroy personal information when the sub-processing contract does not take effect, becomes invalid, has been cancelled or terminated. The Draft PIP Law prohibits sub-processors from appointing their sub-processors without the consent of the processor. The Draft PIP Law further requires sub-processors to undertake the obligations that are appliable to processors to take necessary measures to safeguard the personal information to be processed (Article 58).
Transfer of Personal Information
In the event of transfer of personal information due to processor’s merger, division or other reasons, processor shall inform of the individuals of the information relating to the recipient and such recipient shall assume the obligations of processor; however, if the original purposes of processing or methods of processing change, processor/recipient is required to reinform the individuals and obtain their consents.
Provision of Personal Information to Third Parties
The Draft PIP Law does not allow a processor to provide personal information to third parties unless and until it has informed individuals of the information relating to such third parties, purposes of processing, methods of processing and catalogues of personal information and obtained separate consents from the individuals. Any change to the original purposes of processing and methods of processing requires informing individuals and obtaining their consents.
Processor cannot disclose any personal information it has processed unless a separate consent has been obtained.
Personal images and personal identity feature information collected by image capturing and personal identification equipment installed in public places may only be used for the purpose of maintaining public security, and may not be publicized or provided to others, unless the individual’s consent has been obtained.
Processing of any personal information that has been made public shall conform to the purposes for which such personal information is made public; where such processing is beyond the reasonable scope relating to the purposes, the personal information processor shall inform the individual concerned and obtain his/her consent.
Processing Sensitive Personal Information
The Draft PIP Law obligates personal information processor to process sensitive personal information only when:
(1) its processing has specified purposes and sufficient necessity;
(2) it has informed the individuals of necessity of processing sensitive personal information and impact on individuals; and
(3) it has obtained separate consents from individuals (or written consents if appliable laws and regulations require so).
4. Cross-border Transfer of Personal Information
A personal information processor may transfer personal information overseas once it can meet the following:
(1) Separate informed consent: The Draft PIP Law imposes separate informed consent obligations on processor for cross-border transfer of personal information, on top of general informed consent requirements for in-country collection and use of personal information:
processor to inform individuals of identity and contact details of the overseas recipient, purposes of processing, methods of processing, catalogues of personal information and means to exercise, against the overseas recipient, personal information subject rights; and
processor to obtain individuals’ separate consent.
(2) Prior risk assessment: Processor should conduct a risk assessment prior to cross-border transfer of personal information according to Article 55 of the Draft PIP Law
(3) At least one of the legal bases: The Draft PIP Law requires processor to complete any one of the followings before cross-border personal information transfer, in addition to obtaining the separate informed consent and conducting prior risk assessment:
prior security assessment organized by Cyberspace Administration of China (CAC); or
certification by professional institutions of personal information protection in accordance with provisions of CAC; or
execution of contracts, based on the template provided by CAC, with overseas recipients specifying their respective rights and obligations and ensuring the overseas recipients can meet the personal information protection standards as established by the Draft PIP Law; or
other conditions as required by the applicable laws and regulations or CAC.
In short, the above proposed provisions indicate a much more positive and flexible mechanism on cross-border data transfer, compared with the previous daft measures on personal information and important data export released in 2017 and 2019, pursuant to which any type of cross-border personal information transfer will require complicated and time-consuming security assessment.
Data Local Storage
Critical information infrastructure operators as defined by the Cybersecurity Law and processors who process personal information reaching certain quantity threshold set by CAC shall store the personal information they collect and generate within the territory of China and cannot transfer such personal information overseas unless they have passed security assessment.
5. Individuals’ Rights in Personal Information Processing
The Draft PIP Law grants the following main rights to individuals in respect of personal information processing:
Right to know;
Right to make decision;
Right to restrict or refuse other parties to process his/her personal information;
Right to access and copy personal information;
Right to modify and supplement personal information;
Right to delete personal information; and
Right to demand processor to explain rule of processing.
The Draft PIP Law added a new Article 49, stating that the deceased’s above rights can be exercised by his/her close relatives.
6. More Obligations to Personal Information Processors
(1) Processor is obligated to take necessary measures including the following:
to formulate internal management rules and operation protocols;
to classify personal information and manage personal information based on classification;
to take technological safety measures including encryption and de-identification;
to determine reasonably operation authorization of personal information processing and give staff regular security education and training;
to formulate and implement emergency plan for personal information security incidents; and
to adopt other measures as required by appliable laws and regulations.
(2) Processor is obligated to appoint a personal information protection officer (applicable when the quantity of processed personal information reaches certain threshold);
(3) Overseas processor is obligated to set up a local presence in China or appoint a representative and make filing with the relevant authorities;
(4) Processor should conduct regulatory audit;
(5) Processor should conduct risk assessment prior to any of the following personal information processing activities (risk assessment reports and relevant records should be retained for a period of at least three years):
processing sensitive personal information;
automated decision by utilizing personal information;
sub-processing personal information, providing personal information to third parties and making public personal information;
transferring personal information overseas; and
other personal information processing activities that may have significant impact on individuals.
(6) Internet platforms who provide basic platform services, have huge quantity of users and operate complex business types shall undertake the following special obligations:
to set up an independent organization mainly consisted of external members to supervise personal information processing;
to cease provision of services if a dealer on the platform processes personal information in violation of laws and regulations;
to publish social responsibility report in terms of personal information protection on a regular basis.
The Draft PIP Law has not yet defined what “basic platform services” are and what the standard of the “huge quantity” or “complex business types” is.
7. Presumption of Fault
The Draft PIP Law underscores the principle of presumption of fault in determining the liability of personal information processors. Specifically, in the event that personal information interest is damaged by the personal information processing activities and personal information processor cannot prove it is not at default, it shall be liable for compensation for damages.
8. Extra-territorial Effect of the Draft PIP Law
It is foreseeable that there will be further drafts after the public opinion solicitation is completed. As the new milestone of unified protection for personal information, the legislation development deserves our continued attention.
7F Wheelock Square, 1717 Nanjing West Road, Shanghai 200040, PRC