China: New draft national, harmonised data protection law for Mainland China

By Carolyn Bigg, Venus Cheung, Fangfang Song

A first national level personal information protection law for Mainland China has been published, reinforcing and heightening existing data protection compliance obligations for organisations doing business in China. Compliance obligations previously considered recommended practice will now become binding law, and new compliance steps – including some registrations with the local authorities – must be taken.

The regulators’ own view is that the draft PRC Personal Information Protection Law (“Draft PIPL”) has the same effect as other countries’ data protection laws, including the GDPR, but they recognise there are nuances.

In our view, the Draft PIPL should be seen as a harmonisation, clarification and in some ways consolidation of – but not entirely a replacement of – the current data protection framework sitting across numerous laws and regulations (including the PRC Cybersecurity Law, the PRC Civil Code, the PRC E-Commerce Law and the Personal Information Security Specification (as amended) (“PIS Specification”)).

Key highlights of the Draft PIPL are:

  • Data localisation and overseas data transfer: most organisations will be relieved by the proposal for overseas transfers of personal information in the Draft PIPL, and especially the certainty it brings, even though there are additional new compliance steps. In short:
    • Most organisations will be free to access and transfer most personal data outside of Mainland China provided the organisation undertakes the following (the new obligations are in bold):
      • has obtained explicit data subject consent; and
      • has undertaken a PIIA (see below); and
      • satisfies one of the below requirements:
        • puts in place contractual obligations with the data processor that meet the standards stipulated in the Draft PIPL; or
        • conducts a security impact assessment which has been approved by the Cyberspace Administration of China (“CAC”); or
        • has obtained a personal information protection certification via a certification body accredited by the CAC. (It is unclear if this certification is available per transfer or per organisation).
    • Organisations that are: (1) designated as critical information infrastructure operators, (2) national authorities, or (3) data controllers meeting certain data processing volume thresholds (as yet unspecified) will only be able to access or transfer personal information outside of Mainland China if they have conducted a security assessment which has been approved by the CAC. Otherwise the personal information in question cannot be transferred or accessed overseas.
    • It is unclear from the Draft PIPL whether retaining a local copy of the data in Mainland China is also still generally required.
    • Industry-specific data localisation rules, and prohibitions of overseas transfers of certain other restricted (personal and non-personal) data, such as state secrets and “important data”, will remain.
  • Extra-territorial effect and registered legal representative: the Draft PIPL is expressly extended to cover processing of personal information of PRC residents outside of Mainland China for the purposes of sale of goods or services or analysis or assessment of PRC residents’ behaviour (i.e. similar to the extra-territorial effect of the GDPR). In addition, similar to GDPR, organisations undertaking such processing activities must appoint a legal representative in Mainland China to be responsible for personal information protection matters, and register them with the relevant data protection authority.
  • Consent and lawful bases for processing: the primary basis for processing personal information remains consent. However, the Draft PIPL introduces limited circumstances (i.e. lawful bases) in which personal information can be processed without consent, including:
    • entering into or fulfilling a contract where the data subject is a named party;
    • fulfilling legal obligations (which may be helpful in the context of regulatory investigations);
    • in response to public health incidents;
    • for public security and public interest reasons; and
    • as required by law (e.g. where required to disclose information under another PRC law).

We anticipate organisations will for the time being continue to rely on consent in most situations. It is important to note that the formalities for obtaining consent have been changed, in that “separate consent” (as yet unspecified) must now be obtained for sensitive personal information, disclosures to third parties, public disclosures, collection of image or ID information (i.e. biometric data) and for overseas data transfers. Therefore, organisations may need to review and update their privacy consent forms.

  • Personal information impact assessments (“PIIA”): the Draft PIPL confirms the situations in which a PIIA must be undertaken and retained (for three years), namely:
    • processing of sensitive personal information;
    • using personal information to conduct automated decision-making;
    • appointing a data processor;
    • providing personal information to any third party (likely to include sharing with group companies);
    • public disclosure of personal information;
    • overseas data transfer of personal information; and
    • any other processing activities that may have “significant impact to an individual”.

The Draft PIPL lists the content required to be included in a PIIA.

  • Data processors and sub-processors: while obligations regarding appointment of data processors (including the need for contractual measures and PIIAs) are broadly similar to the current framework and international practices, one key distinction is that the Draft PIPL prohibits data processors from appointing sub-processors without the prior consent of the data controller. Organisations are, therefore, advised to review their data processor agreements.
  • Joint data controllers: this concept is now helpfully recognised, and joint liability has been introduced.
  • Anonymisation and de-identification: these concepts are finally clarified (after years of uncertainty), meaning that organisations may now feel more confident in using truly anonymised data outside of the personal information protection laws.
  • Data subject rights: the existing rights of access, correction, deletion and withdrawal of consent remain, but the circumstances in which deletion of personal information can be requested have been clarified.
  • DPO: organisations must now appoint a DPO if they meet certain data processing volume thresholds (as yet unspecified). The DPO must also now be registered with the relevant data protection authority.
  • Sanctions: potential fines have been increased, by reference to a maximum of 5% of the organisation’s previous financial year’s annual turnover (unclear if global or national turnover) or RMB 50,000,000.
  • Enforcement: regulators’ powers of investigation and enforcement have been enhanced (including if an organisation’s non-compliance impacts multiple data subjects). While the CAC is named the lead regulator for this new law, other supervisory authorities will continue to have supporting roles in enforcement (including likely the MPS/PSB and industry regulators).
  • Requests for personal data from overseas regulators: prior regulatory approval is now required if an organisation is asked or required to disclose personal data overseas “to assist international enforcement or litigation”. We anticipate this may be challenging for international businesses to juggle with other regulatory obligations outside of Mainland China.
  • Other data protection principles: principles around personal information accuracy, security, retention, minimisation/necessity and automated decision-making are broadly similar to the existing framework.

While about 90% of the compliance obligations in the PIS Specification have been incorporated into the Draft PIPL, the status of the remaining 10% – notably on governance requirements, including appointment and role of DPO and record-keeping; and on certain data subject rights (de-registration of accounts, complaints and data portability) – is unclear. For now, organisations should consider these as recommended best practice.

Finally, specific data protection compliance obligations under other laws and regulations – notably the PRC E-Commerce Law, PRC Cybersecurity Law, apps regulations, employment and consumer protection laws and industry regulations – have not disappeared, and we still await finalisation of the Draft PRC Data Security Law. As such, the Draft PIPL will still only form one part of a complex data protection framework.

The Draft PIPL was published for consultation on 21 October. We anticipate there will be further drafts in due course – within 48 hours of the consultation opening, over 60 sets of comments had already been submitted in response – and the implementation date remains unclear. Organisations should monitor developments.

Please contact the authors of this article if you have any questions or to see what this means for your organisation.