This newsletter is the second "deep-dive" newsletter on the new draft Personal Information Protection Law ("Draft PI Protection Law"), which was published for public consultation on 21 October 2020. Please refer to the Latest News for our earlier newsletters on the Draft PI Protection Law. In this newsletter, we take a closer look at three key aspects of the Draft PI Protection Law that serve as the foundation of almost any data protection regulation: (i) the data protection principles, (ii) the legal bases of processing, and (iii) the consent requirements. We also discuss how these draft provisions compare with those under other data protection regimes.
Data Protection Principles (“DPPs”)
Unlike data protection laws in many other jurisdictions, e.g. the General Data Protection Regulation of the European Union ("GDPR"), the Draft PI Protection Law does not single out a separate section on "data protection principles". Nevertheless, the draft law includes a number of articles setting out the key principles of personal information protection:
- Lawfulness and legitimacy principle (Article 5): Personal information shall be processed in a legal and legitimate manner and in compliance with the good-faith principle, and shall not be processed in a deceptive and misleading manner.
- Legitimate purpose and data minimisation (Article 6): Personal information shall be processed under clear and legitimate purposes and only the minimum amount essential to meet the purpose of data processing shall be processed. Personal information that is not relevant to meet the purposes shall not be processed.
- Transparency (Article 7): Personal information processors ("PI Processors") should be open and transparent about their personal information processing and about the rules governing that processing.
- Accuracy (Article 8): To fulfil the purpose of data processing, personal information to be processed shall be accurate and be updated in a timely manner.
- Accountability and security (Article 9): PI Processors shall be responsible for their data processing activities and shall take the necessary measures to protect the security of the personal information being processed.
- Storage limitation (Article 20): The retention period for personal information shall be the minimum period necessary to fulfil the purpose of data processing. If laws or regulations impose other requirements on the retention period, such requirements shall be followed.
It is noted that the above principles largely follow, with minor adjustments, the scope of the DPPs included in the highly influential (though non-binding) national standard GB/T 35273-2020 ("PI National Standard"), which took effect on 1 October 2020. By including these principles in the law, they would become legally binding obligations. Interestingly, the above principles echo many of the key principles under the GDPR, which will likely give assurance to international companies that are already GDPR compliant.
Legal Basis of Personal Information Processing
Consent has long been the only legal basis for personal information processing under PRC law, even before the PRC Cybersecurity Law came into force in 2017. This inflexible approach has resulted in one of the most discussed and thorny issues encountered by MNCs in their data protection compliance efforts in China, in particular those used to navigating the multiple legal bases available under the GDPR. Having consent as the single legal basis also creates considerable uncertainty in business dealings, e.g. what legal remedies would be available to a PI Processor, and how should PI Processors respond, if data subjects decide to withdraw their consent to the use of their personal information during the term of a contract?
In the PRC Civil Code, which will take effect on 1 January 2020 (see our previous newsletter here), the legal basis for data processing has been mildly expanded beyond the data subject's consent to include two other grounds: (i) processing of information already disclosed by a natural person; and (ii) processing that is necessary to safeguard the public interest or the lawful interests of the natural person to whom the personal information relates. The Draft PI Protection Law now goes further to recognise six legal bases of data processing in total, namely consent and the following five:
- contractual necessity;
- compliance with legal responsibilities or obligations;
- responding to a public health emergency, or in an emergency to protect the safety of natural persons’ health and property;
- for purposes of carrying out news reporting and public opinion monitoring for public interests; and
- other circumstances permitted by laws and regulations.
The most notable and welcome change is that "contractual necessity" is finally recognised as a legal basis for processing (and not just by a national standard, which is not directly binding). If retained in the finalised law, it is expected that many PI Processors will rely on "contractual necessity" rather than consent as the legal basis in the context of contractual relationships, e.g. in the employment context. However, unlike the GDPR, the Draft PI Protection Law does not adopt "legitimate interest" as a legal basis for processing, which is understood to be the most commonly relied-upon legal basis under the GDPR.
Consent requirements – any clarification or anything new?
Where consent is required, what amounts to valid consent under PRC law has always been a focus of organisations' data protection compliance, due to the lack of specific requirements in the existing laws. While consent is not specifically defined under the Draft PI Protection Law, according to Article 14 valid consent should bear three essential features:
- individuals must be fully informed;
- consent must be freely given; and
- consent must be unambiguous.
The detailed interpretations are summarised below. These requirements bear a resemblance to the consent requirements under the GDPR, which defines "consent" in Article 4(11) as "any freely given, specific, informed and unambiguous indication of the data subject's wishes…". Accordingly, it would appear that entities relying on GDPR-standard consent will likely be able to apply the same mechanisms for obtaining consent in China.
Fully informed
Being fully informed means that data subjects should at least be notified of the information set forth in Articles 18 and 31 (regarding the processing of sensitive personal information) prior to giving their consent.
We will discuss the information to be provided to data subjects in the next newsletter.
Freely given
Freely given means that consent should be given on a voluntary basis, without unreasonable pressure or influence that would deprive the data subject of a real choice.
For example, Article 17 provides that PI Processors should not refuse to provide products or services to data subjects on the ground that the data subjects refuse to give their consent, unless the personal information is necessary for the provision of those products or services.
Unambiguous
This requirement is linked to the act of giving consent and suggests that consent cannot be merely implied. While an "opt-out" option is not explicitly prohibited by the Draft PI Protection Law, depending on the specific context in which consent is obtained, it could be argued that, without an affirmative or positive action by the data subject, the consent obtained is "ambiguous".
Separate consent
As mentioned in our earlier newsletter, the requirement for "separate consent" ("单独同意") is a new concept created by the Draft PI Protection Law, not found in any previous data protection regulations or guidance, and is required in a number of specific scenarios, e.g. the processing of sensitive personal information, data sharing and the transfer of personal information outside of China.
In the PI National Standard, only "explicit consent" is defined and required under specific circumstances. It appears that the new concept of "separate consent" will replace the requirement for "explicit consent". However, as the meaning of "separate consent" is not specified in the Draft PI Protection Law, how this requirement differs from "explicit consent" and how organisations should implement it in practice remain to be seen. For instance, should PI Processors adopt the notion of "granularity", as recommended by the guidelines on the GDPR, to address the separate consent requirement? Despite these uncertainties, PI Processors should take note of two things: (i) "separate consent" should at least meet the requirements specified in Article 14 (i.e. fully informed, freely given and unambiguous); and (ii) where "separate consent" is required, it is unlikely that the requirement can be fulfilled by "bundled consent", i.e. where a PI Processor seeks to combine different consents together.
New Consent Required?
Article 14 also stipulates the circumstances in which PI Processors are required to obtain "new" consent, i.e. when there are changes in (i) the data processing purpose, (ii) the data processing method ("处理方式") or (iii) the kinds of personal information being processed. While it comes as little surprise that the new consent requirement applies in the event of (i) and (iii), there is little guidance on the parameters of "processing method" and on what constitutes a "change" of processing method. For example, does adopting AI technology in data processing amount to a change of processing method and therefore trigger the new consent requirement? Unlike assessing whether a purpose is new or compatible with existing purposes, the line between a new and an existing "processing method" appears harder to draw.
Consent from minors
For those who may process personal information relating to minors, the Draft PI Protection Law specifies that if a processing entity knows or should know that the personal information of minors under 14 years old will be processed, it is required to obtain prior consent from the minors' guardians. This is consistent with the Regulation on Children's Personal Data Protection promulgated in 2019.
While the Draft PI Protection Law adopts a number of approaches taken by other data protection laws, e.g. the GDPR, like many PRC laws and regulations it maintains a distinct "Chinese character" in a number of aspects, such as the separate consent requirement and what constitutes a legal basis for data processing. These differences will likely be the compliance focus for international companies operating in China, which are expected to formulate or update their data protection compliance strategies in China in anticipation of the promulgation of the Draft PI Protection Law in the near future.