China Data Protection Update: The First Draft of The Long-Awaited PRC Personal Information Protection Law released

Key highlights 

The Draft PI Protection Law is a significant piece of legislation as it is going to be the first piece of comprehensive and dedicated personal information protection law in China. It comprises a total of eight chapters and 70 articles, covering a variety of matters relating to data protection. We summarise briefly below some of the key features of this important piece of draft legislation:

Extra-territorial application

In general, PRC laws do not have extra-territorial effect. However, the Draft PI Protection Law will apply not only to the processing of personal information of natural persons within the PRC, but will have a long-arm, extra-territorial application to any personal information processing activities of organisations (including individuals) carried out outside the PRC and falling into one of the following circumstances: 

• for the purpose of providing goods or services to natural persons within the PRC;
• to analyse or assess behaviours of natural persons within the PRC; or
• other circumstances as stipulated by laws and regulations.

A non-PRC-established organisation that is subject to the PI Protection Law due to the extra-territorial application should appoint a representative in the PRC to deal with data protection related matters.  Such extra-territorial application appears to follow the approach taken by the General Data Protection Regulation ("GDPR") of the European Union.

New legal bases for data processing

In addition to a data subject’s consent, which has long been established as the only legal basis of processing of personal information in China under existing laws and regulations, the Draft PI Protection Law introduces other new legal bases for personal information processing, including where the processing is necessary:

• for the execution or performance of contract;
• for legal duties or obligations;
• to respond to a public health emergency or to protect the life, health or property of a natural person in an emergency;
• in the public interest for journalism, media supervision, etc. within a reasonable scope; and
• other circumstances as stipulated by laws and regulations.

Data localisation and cross-border data transfer

The issue of data localisation and cross-border data transfer has been the subject of much discussion and debate since the Cyber Security Law ("CSL") came into force in 2017. Under the new Draft PI Protection Law, in addition to the data localisation requirements for Critical Information Instructure Operators as stipulated under the CSL, personal information reaching an amount threshold designated by the Cyberspace Administration of China ("CAC") should also be stored within the PRC, and export of such data shall be subject to a security assessment by the CAC (the official "data protection authority" under the new law).

For other types of data export, the Draft PI Protection Law states that export can be achieved if the data exporter: (i) obtains relevant data protection certification as designated by the CAC; (ii) enters into an appropriate agreement with its foreign data recipients; or (iii) other circumstances as may be provided by laws, regulations or other conditions as may be prescribed by the CAC. 

These draft provisions indicate a positive change and more open attitude on cross-border data transfer, as it no longer follows the previous draft measures on data export published in 2017 and 2019 which gave the impression that onerous requirements  on cross border data transfer would apply to almost all businesses that intend to export data from China to other countries.

Fines up to RMB 50 million (US$7.5 million) or 5% of annual turnover

The Draft PI Protection Law introduces much larger fines than under existing laws and regulations governing personal information protection, i.e. organisations violating the law could be imposed with fines up to RMB 50 million (US$7.5 million) or 5% of last year’s annual turnover, together with business suspension, license revocation etc., and could bear civil or criminal liability. In addition, class litigation can be submitted by the People's Procuratorates, relevant governmental bodies, or organisations determined by the government.   

Other requirements for personal information protection 

The Draft PI Protection Law also stipulates, among others, requirements for consent, requirements on processing of sensitive personal information, the respective roles and responsibilities between a personal information processor (i.e. similar to a data controller under the EU GDPR) and an entrusted party (i.e. similar to a data processor under the EU GDPR), rules for data sharing with third parties, automatic decision making, individuals’ rights (rights to be informed/restrict or object/access and obtain a copy/rectify/delete etc.), security obligations (e.g. DPIA, data breach notification, etc.), etc.  We will be issuing separate newsletters to discuss in further detail some of these additional provisions of the Draft PI Protection Law in the coming weeks.

Observations

When the Personal Information Protection Law is passed, it will be a significant milestone in China's road to personal information protection. The current draft echoes not only the existing data protection provisions under the Cyber Security Law, the recently-adopted Civil Code and the newly-released Draft Data Security Law, but it also enhances data protection by introducing new concepts and codifying the accumulated best practices from home (e.g., the national standards on Personal Information Specification) and abroad (e.g., the EU GDPR) into law. It will take personal information protection in China to a whole new level.