One Step Closer! The Second Draft of the PRC Personal Information Protection Law Released

The changes proposed in the Second Draft are indicative as to the extent to which the provisions under the Draft PIPL will eventually be adopted.  As discussed in our China Data Protection Update series, the Draft PIPL is going to be the first piece of comprehensive and dedicated personal information protection law in China. It is noteworthy that although the Second Draft has not introduced any substantive changes to the first draft, some of the changes are nevertheless significant. We summarise in this newsletter the key changes set out in the Second Draft.

1. "Standard contractual clauses" for cross border transfer

   As discussed in our China Data Protection Update and Deep Dive (1), the Draft PIPL elaborated on the circumstances when organisations can export personal information out of China. One of the mechanisms which can be relied upon is that the exporting entity should enter into an appropriate contract with its foreign data recipients to ensure that the recipients process personal information in accordance with the standards of the Draft PIPL.

   In this regard, the Second Draft specifies that such contract should be a "standard contract" prescribed by the Cyberspace Administration of China ("CAC"). This approach appears to follow closely with the approach under the General Data Protection Regulation ("GDPR") of the European Union. Although such "standard contract" is not yet available, it seems possible that the CAC will draw reference to the standard contractual clauses prescribed by the European Commission and if so, this approach will be welcomed by organisations that are already GDPR-compliant.
   
   

2. Personal information protection for deceased persons

   Perhaps one of the most significant changes in the Second Draft is the express provision for the exercise of data subject rights of deceased persons. The Second Draft provides that the data subject rights (including rights to be informed, rights to access, rectify and erasure, rights relating to automated decision-making and rights to explanation and reason (see Deep Dive (3))) available to individuals who are deceased may be exercised by the "close relatives" of the deceased persons.

   In most jurisdictions, data protection law only applies to protection of personal data of living individuals. Nevertheless, the extension of data subject rights of deceased persons to their close relatives are also available in certain jurisdictions such as Italy, Hungary and Spain. However, the Second Draft lacks additional supporting guidance such as providing for an express definition of "close relatives".
   
   

3. Regulation of data processors

   Under the Draft PIPL, an "entrusted party" refers to an entity that processes personal information on the instructions of personal information processors ("PI Processors"). Thus, "entrusted party" is akin to "data processor" and "PI Processor" is akin to "data controller" under the GDPR. Under the Second Draft, entrusted parties have direct obligations to comply with the data protection obligations such as the appointment of a Data Protection Officer, conduct Data Protection Impact Assessments, conduct data protection audits as well as obligations to notify personal information security breaches under specific circumstances. This will mean that entrusted parties will not only be subject to contractual obligations which PI Processors are likely to impose on them, but also will be directly subject to specific obligations under the Draft PIPL.
   
   

4. Specific obligations on "Large" Internet Platform Providers

   The Second Draft introduces a broad requirement on Internet platform providers that processes "large" volume of user data with "complicated" business operations to comply with additional obligations to set up an external and independent organisation to monitor data processing activities, to regularly publicise reports on personal information protection and to terminate their services to specific product or service providers that seriously breach relevant laws and regulations on protection of personal information. These additional measures appear to require such Internet platform providers to demonstrate social responsibility by monitoring the data protection compliance of the users of their platforms but further guidance will be required on what constitute "large" volume of user data and "complicated" business operations.
   
   

5. Additional data protection measures
   
   Some additional provisions introduced by the Second Draft include clarifying that withdrawal of consent should not affect processing activities prior to withdrawal (Article 16), the requirement for PI Processors to provide non-targeted messages or an opt out channel when using of automated decision making (Article 25), and the CAC having the power to issue specific guidance and standards on sensitive personal information, facial recognition and use of AI technology and applications (Article 61).

Observation

The Second Draft appears to refine many of the provisions of the Draft PIPL without making very substantive changes. Whilst some of the changes bring the Draft PIPL closer to international e.g. GDPR standards, there are still many areas which remain to be clarified. For example, the Second Draft does not provide further guidance on the procedures and implementation of cross border data transfer requirements, what constitutes "separate consent" (distinct from general consent), or specific requirements on responding to data subject rights etc. It would appear likely that, that instead of setting out further clarifications in the law itself, the detailed guidance and requirements may be set out in separate implementing regulations. If this is the case, China is getting very close to a final version of the PIPL.