Despite various legislative developments in recent years, the data protection regime adopted by the People's Republic of China (PRC) remains maze-like due to the absence of any unified legal framework.
But this will soon change; on 21 October 2020, the Chinese top legislator presented its draft PRC Personal Information Protection Law (PIPL) to the public.
Now that the window for public comment on the draft has closed, it shouldn't take long for this law to come into force, especially since it's driven by China's eagerness to combat the misuse of data currently rampant in the region.
Compared with earlier legislation on data protection issues, the PIPL will have a much bigger and more tangible impact on international operations. Here, we've summarised the key points you need to be aware of.
Recognition of and respect for Europe's GDPR is largely attributable to the high penalties it empowers the various law enforcement agencies in Europe to impose. By contrast, similar serious legal consequences have been historically absent from Chinese data protection laws – something the PIPL will address. Article 62 of the PIPL introduces many more severe administrative penalties; entities in violation of this article could now potentially face:
On top of this, criminal and civil liabilities could also be triggered separately, while the possibility of class action – which may be initiated by People's Procuratorates, relevant governmental bodies or government-endorsed organisations – is also covered explicitly.
Compared with corporate-level legal consequences under existing laws (eg up to RMB 1,000,000 under the PRC Cyber Security Law (CSL) and up to RMB 500,000 under the PRC Consumer Protection Law), these legal consequences, including possible class action, present a markedly more compelling deterrent and should be effective in curbing abuse of personal information. The penalty equivalent to 5% of annual turnover is even higher than the GDPR ceiling of 4%, substantially increasing the compliance exposure of data-rich businesses.
Aside from legal penalties, the PIPL would also link a person’s compliance record with the PRC's corporate social credit system currently being developed, with a negative record potentially jeopardising a company’s ability to conduct business.
As well as this, the new law lays down the general principle for civil claims in a data breach case – ie the respective compensation shall be calculated based on losses suffered by the data subject or the profit/benefit gained by the one violating the law.
A legislative trend worth noting in recent years is that the PRC – in line with the US – is also attempting a "long arm" approach under its laws, particularly where cyber or data matters are concerned.
A recent example is the draft Data Security Law (DSL), which stipulates that data processing activities outside the PRC that threaten the national security of the PRC, the public interest, or the legitimate interests of Chinese citizens or organisations, will also be pursued under the DSL.
The PIPL reflects the same "long arm" principle under the DSL by stipulating in Article 42 that restrictive or even prohibitive measures may be taken by regulators against organisations and individuals outside China who engage in activities that harm the rights and interests of Chinese data subjects.
At the same time, the PIPL also lays down an even more general principle – similar to the European GDPR – by extending its application to all personal information processing activities conducted outside the PRC as far as:
The first two points above are almost identical to Article 3 of the GDPR. Like the requirements under the GDPR, Article 52 of the PIPL requires an offshore data processor that is subject to this law to appoint a special onshore agency or an onshore representative to satisfy the PIPL compliance requirements. Names and contact details of the onshore agency or representative will be filed with the competent PRC authorities.
Furthermore – and again similar to the GDPR – a data protection officer could also be required according to Article 51 of the PIPL. This would depend on the quantity of personal information to be processed; the exact threshold involved would be determined by the respective data protection regulator, which could potentially refer to existing industrial standards.
Despite the above similarity in the "long arm" approach, the explicit application carve-out under the GDPR (eg the exception for data collection by law enforcement agencies) is not mirrored in the PIPL. Instead, the PIPL pushes in another direction, which could potentially drive international companies into a dilemma.
For example, apart from the routine data export control requirement (see below), Article 41 of the PIPL clearly stipulates that any request by a foreign law enforcement agency to retrieve data stored within the PRC will be subject to prior clearance with the competent Chinese authorities. A retaliation clause (Article 42) also allows China to take countermeasures against any countries and regions which treat China in a discriminatory way in data protection matters.
To a degree, this could be interpreted as a "push back" by China against the "long arm" of other jurisdictions. Though understandable from a Chinese perspective, international companies will need to be even more cautious in categorising and managing their cross-border data flow issues.
The topic of onshore data storage requirements and data export control has been controversial since promulgation of the CSL in 2016. Attempts by the newly formed regulator, the Cyberspace Administration of China (CAC), to generalise and extend export control requirements under Article 37 of the CSL evoked a strong reaction from the business communities.
Several draft rules formulated by the CAC address this topic by introducing the concept of security assessment plus administrative clearance with different coverage. That is, certain draft rules stipulate that all cases of personal data export will require administrative clearance, while some other draft rules only apply clearance to data export cases hitting a certain threshold.
The PIPL – as a higher-ranking law, rather than an administrative rule – now casts a more positive light on personal data export control, by stating that personal information export shall have good legal grounds if
The third point above is like the standard sample clause approach used to achieve sufficient protection under the GDPR. Though points one and two reflect a strong administrative-driven approach in the Chinese environment, they are generally positive developments providing more alternatives for international companies to manage their cross-border data transfers in a legally compliant manner (to some extent similar to the thinking behind binding corporate rules under the GDPR).
You should note that Article 39 of the PIPL escalates the legal obligations of data export regarding awareness and consent requirements. A data exporter will need to inform the data subject about details of the export (eg identity of the recipient, contact details, processing purpose and method, category of personal information and how to exercise the data subject’s rights under the PIPL). A separate consent from the data subject will further be sought to enable such export.
There is much more to be learned from the draft PIPL. The good news is that those who are familiar with the GDPR won't find it a stretch to follow the concepts outlined in the PIPL.
For instance, the PIPL (as well as other Chinese laws) uses the term "personal information", which only slightly deviates from the term "personal data" used under the GDPR, and it has a similar definition and very broad coverage, like its GDPR counterpart.
Moreover, there is a special provision under the PIPL regulating the concept of "sensitive personal information" which (similar to the GDPR) would only allow processing for very limited and specific purposes while still subject to sufficient necessity to process, as well as requiring a separate/written consent from the data subject. The general processing principles under the PIPL could also find respective equivalents under the GDPR (such as legitimacy, purpose limitation, data minimisation, transparency).
On the other hand, the PIPL advocates a strong China, and therefore necessitates a different mindset when dealing with data protection issues in China.
Unlike the GDPR – which strictly limits any exceptions claimed by public authorities to process personal data – the PIPL provides for more leeway and general exceptions for governmental agencies to process personal information in their public functions while strictly following (other) laws and regulations.
Though deemed controversial, this more administration-driven system could bolster higher efficiency (as seen during the current pandemic) and make such exceptions more palatable to the Chinese people than to those in the West. Certainly, it would raise public expectation for better protection and management by governmental agencies of personal information in their hands.
According to our sources, this topic has already been added to the agenda for legislative discussion.
The PIPL will be a significant leap forward for the Chinese data protection regime. There are complicated implications for companies – including those based outside the Chinese market that are nonetheless part of it – to be aware of. If you'd like to discuss the PIPL in more detail, please contact a member of our Data Protection & Cyber team.