Hoi Tak Leung, Counsel, Digital Economy, and Patrick Phua, Practice Head, Asia Global Loans and Global Markets, Ashurst, outline some key points of the first draft of the Mainland’s Personal Information Protection Law.
On 21 October 2020, the National People’s Congress (NPC) of the People’s Republic of China released a first draft of the Personal Information Protection Law (Draft PIPL) for public comment. This consultation closed on 19 November 2020.
In this update, we set out some of the key points of the Draft PIPL, along with brief comments from us on those points.
Introduction
The Mainland has historically had a patchwork of different laws – both in effect and in draft (but influential) form – containing different data protection requirements, including:
- Cybersecurity Law: effective on 1 June 2017.
- E-Commerce Law: effective on 1 January 2019.
- Personal Information Security Specification: updated on 6 March 2020 and effective on 1 October 2020 (note these are technical standards rather than mandatory regulations, though they are considered ‘best practice’ and are regularly considered by Mainland authorities in any action).
- Data Security Law: a draft was released on 3 July 2020, with public consultation having closed on 16 August 2020. This was the first law in the Mainland aimed at regulating the collection, processing, control and storage of data involving national security, business secrets and personal data.
The Draft PIPL attempts to consolidate various existing data protection obligations under those different laws and is particularly important given that, as the NPC noted, the Mainland had (as of March 2020) more than 900 million internet users, 4 million websites and 3 million mobile applications. However, it is important to note that the Draft PIPL does not replace those different laws, and therefore organisations will need to continue being cognisant that, while the Draft PIPL will be extremely important, it will also be just one element of that wider patchwork of laws.
Liu Junchen, deputy director of the Legal Affairs Committee of the Standing Committee of the NPC, noted the importance of the protection of personal information (our translation): ‘… the formulation of a personal information protection law is an objective requirement to further strengthen the legal protection of personal information protection; is a practical requirement for maintaining a healthy cyberspace; and is an important step in promoting the healthy development of the digital economy’.
The Draft PIPL, in its consolidation of those existing obligations, also means that various best practice obligations will become binding law. It is influenced in significant parts by the General Data Protection Regulation (GDPR) in the European Union, while retaining a significant Mainland flavour.
We expect that the Draft PIPL – even in draft, unimplemented form – will be effectively treated as law by the relevant government regulators. In that light, it is important that businesses understand what it requires – and we will continue to closely monitor developments, including any further drafts (given that many consultation responses have been received).
An important qualification to this update is that, given the Draft PIPL is in draft and consultation form, and given the importance of implementing regulations and regulator guidance to the interpretation of laws in the Mainland, there will remain a degree of uncertainty regarding how the Draft PIPL will be implemented (if and when it is implemented) until such regulations and guidance are released. For example:
- as discussed above, the relationship between the Draft PIPL and other relevant laws (and how any overlap or conflict will be interpreted) is to be confirmed, and
- from experience in other jurisdictions, some of the areas discussed below will require significant further details. As examples, we will be looking for further details regarding:
- the definition of ‘separate consent’
- how any personal information risk assessment (PIRA) will be carried out, and
- how data breach notifications will occur in practice (this has been a key issue in overseas jurisdictions that have implemented data breach notification requirements).
Clarification of the above areas may require further regulations or guidance from regulators.
Data protection principles and key terms
The Draft PIPL is based on seven data protection principles – legality, explicit purpose, minimum necessity, transparency, accuracy, accountability and data security. This is important for framing the wider effects arising from the Draft PIPL.
‘Personal information’ under the Draft PIPL refers to the various types of information recorded in electronic or other formats related to identified or identifiable individuals, and includes both information that can identify data subjects or which is related to the data subjects.
The Draft PIPL uses the term ‘data processor’ to reference what many other data privacy laws would describe as ‘data controller’ (the Draft PIPL does not use the term ‘data controller’). For clarity, we have used ‘organisation’ to describe the data processor (data controller) under the Draft PIPL.
Responsible governmental departments for the Draft PIPL
The departments responsible for the Draft PIPL include the Cyberspace Administration of China (CAC), the relevant department of the State Council and the relevant department of local government at county level or above.
One of the challenges that many multinational organisations face in complying with data privacy laws in the Mainland are the various regulatory authorities that may have oversight of (and power to enforce) those laws. This will likely continue under the Draft PIPL.
Extraterritorial effect
The Draft PIPL proposes to be applicable outside the Mainland to the extent necessary to protect the interests of data subjects in the Mainland.
In particular, and with a significant nod to the GDPR, the Draft PIPL will:
- apply to data processing activities outside the Mainland, where their purpose is to provide products or services to individuals in the Mainland, or to analyse and make assessments about the behaviour of individuals in the Mainland, and
- require organisations located outside the Mainland, but governed by the Draft PIPL, to establish entities or appoint representatives in charge of personal information protection, and that those representatives’ or entities’ details are registered with the relevant government department.
Cross-border transfer and data localisation
The Cybersecurity Law and the Personal Information Security Specification both specify significant cross-border data transfer restrictions. For example, as part of the Personal Information Security Specification, the Mainland government proposed mandatory security assessment obligations on all businesses in the Mainland operating networked IT systems.
Cross-border transfer restrictions remain one of the key issues that multinational organisations face in their compliance with data privacy obligations under Mainland law, and this issue has been a key contributor to many multinational organisations effectively segregating their Mainland IT systems from the rest of their international network.
The Draft PIPL attempts to prepare a more ‘unified’ cross-border data transfer legislative framework for organisations to follow. Broadly speaking, and subject to various restrictions as set out below, it proposes that an organisation will generally be permitted to access and transfer most personal data outside the Mainland, if it complies with all of the following:
- the organisation has obtained explicit consent from the relevant data subject for the access/transfer
- the organisation has undertaken a PIRA on such access/transfer (see the section on Personal information risk assessment, below), and
- the access/transfer satisfies one of the following requirements:
- contractual obligations have been undertaken with the offshore data processor that satisfy relevant requirements under the Draft PIPL
- a security impact assessment has been conducted that has been approved by the CAC (Security Assessment), or
- a personal information protection certification has been obtained via a certification body accredited by the CAC.
There are some notable exceptions/qualifications to the above:
- the following organisations will only be able to access or transfer personal information outside the Mainland if they have conducted a CAC security assessment:
- critical information infrastructure operators, and
- data processors meeting certain data processing volume thresholds (to be specified).
- the Draft PIPL does not indicate whether, when personal data is transferred outside the Mainland, retaining a local copy in the Mainland is also required, and
- the above framework does not override industry-specific data localisation rules, nor prohibitions of overseas transfers of certain other restricted (personal and non-personal) data, such as state secrets and ‘important data’.
Consent and lawful bases for data processing
The Draft PIPL continues to rely on consent as being one of the key bases for data processing. However, and in line with the GDPR, the Draft PIPL also references various lawful bases under which personal information can be processed without consent, including:
- the necessity for entering into/performance of agreement with the data subject
- complying with legal obligations or as required by law
- publication of news/public interest, and
- responding to public health incidents or protecting the safety of an individual’s life or property.
Separate consent will be required for processing of sensitive personal information (see below), overseas transfers (see above), disclosures to third parties, public disclosures and collection of biometric information.
We expect that organisations will need to update their data privacy policies to account for the above.
Sensitive personal information
The Draft PIPL sets out specific restrictions on the processing of sensitive personal information, defined as ‘information that once leaked or abused may cause damage to personal reputation or seriously endanger personal and property safety’, and includes race, nationality, religion, biometric information, health, financial accounts, personal whereabouts and other information.
Under the Draft PIPL, processing of sensitive personal information:
- will be only permitted if it is for a specific purpose and is sufficiently necessary, and if separate consent (or if required by law, separate written consent) from the data subject has been obtained, and
- requires the organisation to inform the data subject of the necessity of processing that information and such processing’s impact on the data subject. This requirement is in addition to the basic information that must be provided to the data subject under Article 18 of the Draft PIPL.
Personal information risk assessment
The Draft PIPL requires organisations to make a PIRA before conducting any of the following actions:
- processing of sensitive personal information
- using personal information to conduct automated decision-making
- providing personal information to any third party (to be confirmed whether such third parties will include group companies)
- appointing a third-party data processor
- disclosing any personal information publicly
- cross-border transfer of personal information, and
- any other processing activities that may have ‘significant impact on an individual’.
A national authority will only be able to transfer personal information outside the Mainland if it has conducted the PIRA (either by itself or with the assistance of other authorities).
Such an assessment report must be kept for at least three years. The Draft PIPL further sets out what content is required to be in a PIRA.
Data breach notifications
If there is a data breach, the organisation shall take remedial measures immediately and notify the relevant government department and data subjects. The Draft PIPL provides specific content to be included in the notification.
The Draft PIPL also specifies that the organisation will not be required to notify data subjects of a data breach if it has taken measures to effectively avoid damages caused by the disclosure of personal information, unless the relevant government department determines the disclosure may result in damage.
Liabilities arising from a breach of the Draft PIPL
The Draft PIPL significantly increases potential penalties beyond those provided in the Cybersecurity Law.
The Cybersecurity Law provides for various penalties, including rectification, confiscation of illegal gains, warnings, penalties under RMB1 million, business suspensions, business halts for rectification and the revocation of relevant permits or business licenses.
The Draft PIPL has added a few significant points in relation to liabilities and regulatory enforcement.
- Significant increase of the financial penalties: by reference to a maximum of 5% of the organisation’s previous financial year’s annual turnover, or RMB50 million. It is unclear whether the turnover reference is to the organisation’s global turnover (such as under the GDPR) or their local turnover (such as under the proposed Singapore Personal Data Protection (Amendment) Bill).
- Increase of regulators’ powers of investigation and enforcement: including if an organisation’s non-compliance impacts multiple data subjects.
- Prior regulatory approval: is required if an organisation is asked or required to disclose personal data overseas ‘to assist international enforcement or litigation’ – this will be a key point for multinational organisations, who may feasibly find themselves ‘between a rock and a hard place’. We will keep a close eye on how this point develops going forward.
Other key points of the Draft PIPL
The Draft PIPL also introduces other key points that organisations should be aware of.
Third-party data processors and subprocessors
In line with international trends, the Draft PIPL inserts specific obligations on third-party data processors. We note the following:
- broadly speaking, the obligations for appointing third-party data processors are similar to the current framework and international practices
- the Draft PIPL prohibits third-party data processors from appointing subprocessors without the prior consent of the data processor
- joint data processors are acknowledged. If multiple data processors process personal information together, the coprocessors shall bear joint liability for any infringements, and
- where an organisation appoints a third party to process personal information, both parties are required to execute a data processing agreement that includes the purpose of data processing, the processing mode, the types of personal information processed, protection measures and both parties’ rights and liabilities. The organisation will be responsible for supervising the data processing activities. After completion of the relevant data processing, the personal information must be returned or deleted.
Data subject rights
In addition to existing rights of access, correction, deletion and withdrawal of consent, data subjects’ rights are expanded to include (under certain circumstances) the right to request deletion of their personal information, the right to withdraw consent and the right to request that the organisation explain how any processing is to be conducted.
Data privacy officers
Organisations will be required to appoint a data privacy officer (DPO) if they meet certain data processing volume thresholds (to be confirmed), with the DPO to be registered with the relevant government department.
Hoi Tak Leung, Counsel, Digital Economy, and Patrick Phua, Practice Head, Asia Global Loans and Global Markets
Ashurst
With special thanks to Yeqi Fei (Trainee Solicitor) and Louisa Wang (Intern) for their contributions.
Copyright © Ashurst
Note: The full text of the DIPL is available from www.npc.gov.cn/englishnpc/index.shtml.