2020.10.29 DONG, Xiao (Marissa)、GUO, Chao、DONG, Junjie
On October 21, 2020, after deliberation at the 22nd meeting of the Standing Committee of the 13th National People's Congress (“NPC”), the full text of the Personal Information Protection Law of the People's Republic of China (Draft) (“Draft”) was officially published on the NPC’s website for public comments.
The legislative process of the Draft consists many important stages: on September 7, 2018, the Draft was included for the first time in the legislative plan of the 13th NPC Standing Committee1; in the same year, the Legal Work Committee of the NPC Standing Committee and the Cyberspace Administration of China started the research and drafting work; on December 16, 2019, through the 44th chairperson meeting of the 13th NPC Standing Committee, the formulation of the Draft was clearly included in the 2020 Legislative Work Plan of the NPC Standing Committee2. The official release of the Draft means the acceleration of the promulgation of the first unified law on personal information protection in China and there will now be a more complete, comprehensive, and systematic legal protection scheme for personal information.
The Draft has eight chapters and 70 articles in total. On the whole, the Draft focuses on the current outstanding issues of personal information protection, and comprehensively and systematically integrates the relevant provisions regarding personal information protection scattered throughout the Cybersecurity Law, Civil Code and other laws and regulations, further implementing the responsibilities for personal information protection and strengthening punishment for illegal acts. The key points of the Draft are summarized as follows:
In addition to the stipulation that “organizations and individuals processing personal information of natural persons within the territory of the People's Republic of China apply to this law", the Draft also confers necessary extraterritorial applicability. The second paragraph of Article 3 of the Draft stipulates that this Law also applies to personal information processing activities conducted outside of China for the purpose of providing products or services to domestic natural persons, or for analyzing and evaluating the behavior of domestic natural persons. Article 52 stipulates that the overseas personal information processor mentioned in the second paragraph of Article 3 above shall establish a specialized agency or designated representative within the territory of the People’s Republic of China, responsible for handling personal information protection related matters, and reporting the relevant information of such agency or representative to the competent authority for personal information protection.
Article 4 of the Draft defines "personal information" and "personal information processing" respectively. Specifically, personal information refers to "all kinds of information related to identified or identifiable natural persons recorded in electronic or other forms, excluding anonymized information". "Personal information processing" includes the collection, storage, use, processing, transmission, provision, disclosing and other activities of personal information.
Most of the legal obligations stipulated in the Draft target personal information processors. According to Article 69, a "personal information processor" refers to an organization or individual that independently determines the processing purpose, processing method and other personal information processing matters.
The second chapter of the Draft stipulates the rules for the processing of personal information. The key points and brief analysis are as follows:
The legal basis for personal information processing. Personal information can only be processed in compliance with legal circumstances, including “an individual's consent”, “necessary for the execution or performance of the contract to which the individual is a party”, “necessary for the performance of statutory responsibilities or obligations”, “necessary for responding to public health emergencies or protecting the life and health of natural persons or property safety in emergency situations”, “news reports and public opinion supervising” and other personal information processing within a reasonable range and other situations as required by the laws and regulations. (Article 13)
Inform and consent requirements for the processing of personal information. Before processing personal information, personal information processors should inform individuals of certain matters in a conspicuous manner and in clear and easy-to-understand language; an individual’s consent to the processing of their personal information should be voluntarily and clearly made on the basis of their full knowledge. Where laws and administrative regulations provide that “separate consent” or “written consent” should be obtained for the processing of personal information, those provisions should prevail. Personal information processing activities should be kept confidential or not be required to be informed in situations as required by the law or the regulation. (Articles 14, 18 and 19) The concept of "separate consent" is proposed for the first time under law.
Processing personal information of children: the processing of personal information of minors under the age of 14 shall be consented to by their guardians. (Article 15)
Joint processing. The Draft stipulates that where the purpose and method of personal information processing are jointly determined by two or more personal information processors, they must agree on their respective rights and obligations, but such agreement does not prejudice the individual's claim to exercise his/her rights under this Law against any of the personal information processors. Where the joint processing of personal information by personal information processors infringes upon the individual’s rights or interests in his/her personal information, the personal information processors shall bear joint and several liability. (Article 21) The above content provides for the first time that the personal information subject has the right to claim the rights of any party of the co-processors of personal information and the issue of joint liability between the processors.
Entrust processing. The Draft requires that where a personal information processor entrusts the processing of personal information to a trustee, the personal information processor should agree with the trustee on the purpose, method and other matters of the entrusted processing, and the trustee should process the personal information within the agreed scope. (Article 22)
Sharing of personal information. The Draft further provides that where a personal information processor provides a third party with the personal information processed by it, it must inform the relevant individuals of the identity and contact information of the third party, the purpose of processing, the method of processing and other information, and obtain separate consent for such sharing from the individuals. The third party receiving the personal information shall process the personal information within the scope of the above-mentioned matters. (Article 24)
Transfer of personal information during mergers and divisions. If the personal information processor needs to transfer personal information due to mergers, divisions and other reasons, it shall inform the individual of the recipient’s identity and their contact information. The recipient shall continue to perform the obligations of the personal information processor after the merger or division. If the recipient changes the original processing purpose and processing method, the individual’s consent should be re-obtained. (Article 23)
The Draft specially stipulates the processing rules regarding sensitive personal information. Specifically, sensitive personal information is defined as personal information that, once leaked or misused, may result in discriminatory treatment or cause serious personal injury or property damage to the individual, including inter alia, race, nationality, religious belief, personal biometric data, health data, financial account data and personal geolocation data. (Article 29) The processing of sensitive personal information requires a specific purpose and sufficient necessity, and requires separate consent of the individual; and consent should be in written form if so required by laws and regulations. In addition, if the processing of sensitive personal information is subject to administrative license or more severe restrictions in accordance with laws or administrative regulations, the provisions of such laws or administrative regulations shall apply. (Articles 30 to 32)
The Draft clarifies the legal rules for cross-border transmission of personal information, including at least one of the following conditions: (a) “passing the security assessment organized by the national cyberspace administration”; (b) “personal information protection certification conducted by professional institutions”; (c) “entering into contracts with overseas recipients to set forth their respective rights and obligations and overseeing the processing operations by such overseas recipient to ensure conformity to the standards for personal information protection set forth hereunder”, or (d) “fulfilling other conditions provided for under the laws or administrative regulations or the rules of the state cyberspace administration”. (Article 38)
Critical information infrastructure operators and processors that process personal information amounting to the threshold specified by the state cyberspace administration are specifically required to locally store personal information they generate and collect within China, and if personal information is to be provided overseas, to pass the security assessment organized by the national cyberspace administration. (Article 40)
The Draft also imposes stricter requirements on “informed consent" for the cross-border transfer of personal information. (Article 39)
In addition, the Draft also stipulates the approval requirements of the competent authorities for providing personal information abroad due to international judicial assistance or administrative law enforcement assistance, the negative list requirements for organizations and individuals that damage the rights and interests of Chinese citizens’ personal information, and the anti-discrimination requirements for countries and regions that have adopted discriminatory and unreasonable measures against China in terms of personal information protection. (Articles 41, 42 and 43)
As one core aspect of the personal information protection legal system, the Draft comprehensively stipulates the rights of individuals in personal information processing activities on the basis of previous laws and regulations. These include the right to know and make decisions, the right to access and obtain a copy of the information, the right to correction and supplementation of the personal information, and the right to delete. In addition, the Draft emphasizes the relevant rights of individuals to withdraw their consent to personal information processing, refuse the processing of their personal information, and refuse the processing methods of automated decision-making. The Draft also clearly requires the personal information processor to establish an acceptance and processing mechanism for requests from individuals on exercising their rights.
The Draft clarifies the obligations of personal information processors such as:
compliance management and protecting the security of personal information, including requiring them to take necessary measures in accordance with the regulations to ensure the compliance and security of personal information processing activities;
designating personnel in charge of personal information protection to supervise the personal information processing regularly if processing an amount of personal information reaching the threshold specified by the state cyberspace administration,
regularly conducting compliance audits on personal information processing activities;
conducting risk assessment before high-risk processing activities such as the processing of sensitive personal information, sharing or entrusting third parties to process personal information, and providing personal information abroad; and
notification and remedying obligations in case of leakage of personal information.
The sixth chapter of the Draft stipulates the content relevant to the departments that perform personal information protection duties, which establishes the basic system of personal information protection administration:
The national cyberspace department is responsible for the overall coordination.
The relevant departments of the State Council, and the local people's governments at or above the county level are responsible for personal information protection and the supervision and management within the scope of their respective authority.
The sixth chapter also stipulates the corresponding administrative measures that the departments responsible for information protection may take.
The Draft has strengthened the penalties for violations and set strict legal responsibilities. For example, “in case of infringement of personal information rights and interests, if the circumstances are serious, the illegal income shall be confiscated and a fine of less than RMB 50 million or less than 5% of the previous year’s turnover shall be imposed”, “a fine ranging from RMB 10,000 and 100,000 shall be imposed upon the directly responsible officer and other directly responsible persons." (Article 62) The Draft also adds the penalty mechanism of being included in the credit record. (Article 63) Compared with the previous Cybersecurity Law and other related regulations, the Draft imposes a more stringent penalty for violations relevant to personal information protection.
The Draft also provides for civil compensation and criminal liability for the infringement of personal information rights. Where personal information processing activities infringe on the rights and interests of personal information, the compensation amount shall be determined based on the loss suffered by the individual or the benefits obtained by the personal information processor. If the above amount cannot be determined, the People's Court shall determine the amount of compensation based on the particular situation. If the personal information processor can prove that it is not at fault, its liability may be reduced or it may be exempted from liability; (Article 65) if the violation of this law constitutes a crime, criminal responsibility shall be investigated. (Article 67)
The Draft also includes the following new requirements and special regulations:
Special requirements for collecting images and personal identification information in public areas. The Draft provides that the installation of image capture and personal identification collection equipment in public areas shall be necessary for maintaining public security, shall comply with relevant national regulations, and prominent reminders shall be set up. The collected personal images and personal identification information can only be used for the purpose of maintaining public security, and shall not be disclosed or provided to others, unless separate consent is obtained or the laws and regulations provide otherwise. (Article 27)
The processing of personal information by state agencies is also clearly included in the scope of supervision. For the first time, the Draft clearly incorporates the processing of personal information by state agencies into the scope of regulation, and stipulates the basic rules for the state to handle personal information for the fulfillment of statutory duties, including: “following prescribed authority and procedures”, “not exceeding the scope and limits necessary for performing statutory duties”, “informing individuals and obtaining consent (except in situations where the law requires confidentiality or the performance of duties will be obstructed)”, “in principle, state agencies shall not disclose or provide personal information processed by them to others”, “personal information processed by state agencies shall be stored within the country” and other requirements (Article 34 to 37)
The Draft, as the first special law on personal information protection in China, will become an important legal basis for the establishment of the personal information protection legal regime of China. Based on the content of the Draft, it maintains a certain degree of consistency with the current laws, regulations or drafts (including the Civil Code, Cybersecurity Law, etc.) that provide for personal information protection, but also provides many new requirements and regulations at the same time. How the specific provisions of the Draft will be connected with the existing laws and regulations and how the scope of application will be divided remains to be clarified. Some of the Draft’s content has yet to be clarified and improved, such as the definition of "separate consent", the security assessment of the cross-border transfer of personal information, and how the protection certification is to be carried out, which are not clear at present. The clarification of these contents may require subsequent legislative improvement or the further introduction of related implementation rules and interpretations.
The promulgation of the Draft will further strengthen the protection of the personal information of Chinese citizens, and at the same time, it will pose more challenges to the personal information protection and compliance work of enterprises. Compared with the previous legal provisions, the Draft not only proposes many new requirements, but also stipulates strict penalties. We recommend that companies fully understand the relevant content of the Draft and prepare to summarize and rectify incompliance in the current corporate compliance work before the promulgation of the Personal Information Protection Law as soon as possible. For the systems or regulations that have not yet been implemented in practice but are provided in the Draft, such as security assessment for the cross-border transmission of personal information, it is advised that enterprises timely prepare in advance.