China has issued a second version of the draft Personal Information Protection Law. Following consultation, a third and final draft version of the law is expected to be passed this year. Data protection professionals in China have suggested that the most challenging aspects of the law include its extraterritorial jurisdiction as well as cross-data transfer restrictions.
What’s the draft law about?
The draft Personal Information Protection Law is a far-reaching law that regulates the collection, storage usage and sharing of personal information in China, with many aspects that are similar to the EU’s General Data Protection Regulation (GDPR).
A key component of the draft law is the informed consent by the user, which requires companies to get user consent to collect their information, inform them of how their information will be used and provide users to opt out. Users can also request to view their personal data held by the company and request any corrections, or for their information to be deleted. Fines of up to RMB50 million ($7.7 million) or up to five percent of annual turnover can be enforced on companies that violate the law.
Since the first draft of the law was released in October 2020, a number of changes have been made in the second draft. One is the proposed requirement for companies to establish independent oversight bodies, which are to be staffed by external personnel, to monitor compliance with data protection rules. Another change is to require companies to publish public social responsibility reports to share with the public about their data privacy actions.
Annie Xue, partner at Gen Law Firm, said that the draft law is built on the preliminary experience gained via the enforcement of the Cybersecurity Law and its implementing rules, the personal information protection clauses of the Civil Code, the crimes in connection with data protection and information system security stipulated in the Criminal Law and a number of guidelines and national standards in the past years.
“Many business operators, especially the risk-averse multinationals, have gradually become aware of the regulatory requirements and kicked off compliance efforts,” said Xue.
See also: New GDPR-like rules challenge Singaporean businesses
What will be most challenging for businesses?
One of the most challenging aspects of the law for businesses is its exterritorial jurisdiction. “The draft law expressly expands the jurisdiction to overseas domiciled companies which target the mainland China market or track individuals’ behaviors as far as their behavior takes place within mainland China,” said Xue.
Overseas business operators falling into the jurisdiction of the law will have to comply with China’s massive regulatory requirements, including assigning representatives in China and reporting to the supervisory agencies. “This will pose significant challenges to multinationals as many Chinese laws do not have an English version and the transparency of law enforcement is yet to be improved,” said Xue.
Another challenge is cross-border data transfer. While the Cybersecurity Law officially kicked off the regulation of international data flow at the law level in 2017 and later on, supervisory agencies rolled out draft departmental rules and national standards, most of the rule making activities have paused ever since then, said Xue.
“Despite the draft law setting out the pre-conditions for a legitimate transfer in Chapter III, it remains a black box regarding the threshold for triggering government approval, what the government approved certification mechanism is, when the standard contracts will be released, and more importantly, what business operators shall do before all those pre-conditions happen,” she said.
Additionally, Article 41 of the draft law prohibits providing personal information stored within the territory of China in response to the requests of foreign judicial or administrative institutions without prior government approval from China. “This constitutes a practical barrier in the international dispute resolution setting and for companies’ daily operation in relation to cooperation with law enforcement,” said Xue.
Yan Luo, partner at Covington & Burling, said: “Unfortunately, the Personal Information Protection Law will only add a layer of complicity to the issue of cross-border transfer, but will not provide a unified solution.”
Companies still need to follow different requirements depending on their status and types of data that they intend to transfer overseas. At the same time, specific requirements introduced by sectoral regulations would further complicate the data transfer requirements.
For the cross-border transfer of personal information, even for personal information processing entities that are not operators of critical information infrastructure, which is a similar concept as the "data controller" under the GDPR, will need to obtain separate consent from personal information subjects before transferring personal information overseas, carrying an internal risk assessment, and choosing one of the lawful mechanisms.
Luo added: “The draft law specifically requires data processing entities that transfer large volumes of personal information to undergo a security assessment. However, it is unclear what the criteria is for large volumes are at the moment, so companies have to be mindful of their data transfer strategies.”
The draft law also imposes extra responsibilities on platforms. “Following the US experience, Article 57 of the draft law is an innovation at the law level, requiring big platforms to set up an independent supervision committee chiefly consisting of external members, cut services to in-platform business operators that seriously breach privacy protection laws, and release social responsibility reports on personal information protection on a regular basis,” said Xue.
See also: Japanese companies grapple with stricter personal data requirements
How does the law compare with the GDPR?
While previous personal data related laws, regulations and national standards have already incorporated many principles and practices of the GDPR, the new draft additionally incorporated GDPR’s approaches in material and geographic jurisdictions, lawful basis, cross-border data transfer and fine-setting.
“However, it also maintains certain Chinese characteristics, such as multi-layered enforcement agencies which are not independent, lack of clear distinction between data controller and processor, and lack of clear cooperation and consistency mechanisms across agencies,” said Xue.
The second draft of the law, more specifically, article 57, requires companies to establish independent oversight bodies staffed mainly by external personnel. “These oversight bodies are similar to the role of a data protection officer in the GDPR, which is a position responsible for monitoring compliance with data protection rules,” said Sherry Gong, partner at Hogan Lovells.
However, the draft law does not clarify the specific requirements or legal responsibilities for these representatives, such as what kind of agency can act as representative of an overseas information processor and whether a law firm or professional consulting agency can serve as a representative.
Furthermore, in light of the limitation of the consent principle as well as increasingly complex processing scenarios, the draft law takes an approach similar to the GDPR which provides multiple lawful basis for processing personal information in addition to consent, said Gong. For instance, the draft law includes an additional legal basis for personal information processors, similar to data processors under GDPR, that allows for “legitimate interests” processing in relation to public available information within a “reasonable scope”.
Luo said that there are still some divergences between these two laws. For example, the second draft of the law does not provide a "legitimate interests" ground for processing personal information as allowed under GDPR, thus it may require a more consent-oriented approach for companies processing personal information in China.
Another difference is the prior risk assessment as required by article 55 of the draft law. “Although the obligations to conduct a prior risk assessment under the law are similar to data protection impact assessment under article 35 of the GDPR, the conditions that would trigger a risk assessment, for instance, processing sensitive personal information and transferring personal information overseas, are different from those of under the GDPR,” said Luo.
What practical strategies should businesses apply to ensure compliance?
According to Gong, when designing technical solutions for personal information protection, companies should consider both business functional operation and user experience in the development phase.
When reviewing and updating existing data protection policies and procedures, it is important to update them so that China-based operations include provisions contained in the draft law. The relevant systems and business should contain functionality or flexibility to meet individual rights requests.
In analysis of international information transfer mechanisms and safeguards, including information transfer agreements, Gong said that it is important to determine existing transfer mechanisms for key processing operations, both on an intra-group basis and among third party service providers and vendors. “Businesses should determine whether personal information processing would be caught by data localisation provisions, record potential risks involved in transfers for relevant processing operations, and prepare remediation and mitigation actions where practicable,” said Gong.
What enforcement challenges could there be?
Instead of independent data protection authority, several regulators, such as the Cyberspace Administration of China and the Ministry of Public Security, are in the position of being regulators and enforcement agencies at the same time. “Combined with the overlapping personal data rule since the Cybersecurity Law, the Personal Information Security Specification, the Civil Code, among others, officials will have much to navigate, and likely have a high degree of discretion,” said Gong.
Looking back at law enforcement track records, Xue expected to see a number of challenges. One is insufficient awareness of personal information protection compliance. Another is the practical difficulty of overseas controllers and processor in becoming aware of the Chinese regulatory requirements and complying with them. Finally, she observed that there has been a lack of transparent and effective cooperation and consistency mechanisms across enforcement agencies.
What areas are confusing?
As there are a lot of concepts that need further clarification in the second draft of the law, market participants can expect further guidance from regulators, most likely in the form of implementing regulations, in the coming months. There remain a number of areas that are confusing. “For example, one of the lawful mechanisms for transferring personal information abroad is to enter into a transfer agreement with the recipient based on a "standard contract",” said Luo. “However, the standard contract has not been published by the Cyberspace Administration of China, the government agency responsible for coordinating personal information protection work.”
In terms of definitions that need clarity, it is necessary to distinguish different types of consent based on different scenarios from a legislative perspective. “However, as how different types of consent are defined will significantly affect the rights and interests of relevant subjects, it remains to be further clarified by relevant regulations or guidelines on the specific definitions of consent and its application,” said Gong.
See also: Vaccine passports bring unprecedented GDPR challenges
