At the current pace of technological advancement, and the consequent rise in cybercrime, the protection of personal information is inevitably becoming a critically important issue for all users. Yet there is no single data protection law in the People’s Republic of China (“PRC”). On 21 October 2020, the Standing Committee of the National People’s Congress released the first draft of the Personal Information Protection Law (“the Draft”). The Draft seeks to impose restrictions on entities and individuals, including those operating outside the PRC, that collect and process personal information and sensitive information of data subjects in the PRC, and could therefore have a significant impact on businesses targeting markets in the PRC.
(A) Application of the law
Article 3 provides that the Draft not only applies to organizations and individuals who handle personal information within the PRC, but also has extraterritorial effect over personal information processing taking place outside the country if the activity falls within any of the following :-
(i) the purpose of personal information processing is to provide products or services to individuals in the PRC;
(ii) the purpose of personal information processing is the analysis and assessment of individuals in the PRC; or
(iii) any other circumstances as provided by laws and regulations.
The Draft also expressly defines “Personal Information” and “Sensitive Personal Information”. Article 4 provides that Personal Information means any information, recorded electronically or otherwise, that relates to an identified or identifiable natural person, excluding anonymized information.
According to Article 29, Sensitive Personal Information includes information relating to race, ethnicity, religious beliefs, biometric features, medical health, financial accounts and individual location tracking, etc. Once Sensitive Personal Information is leaked or used illegally, it may lead to discrimination or cause serious harm to personal safety or property damage.
Article 4 also defines the processing of personal information as including the collection, storage, use, processing, transmission, provision and disclosure of personal information, and other such activities.
(B) Informed Consent
Articles 5 to 9 establish the following major principles for personal information protection :-
(i) The collection and processing of personal information should be carried out in a legal and proper way;
(ii) Personal information shall be collected for a clear and reasonable purpose and shall be limited to the minimum scope necessary for that purpose;
(iii) Personal information processing policy must be transparent and publicly known;
(iv) Personal information shall be kept accurately and updated in a timely manner;
(v) Personal information processors shall adopt security protection measures to protect personal information.
The Draft also establishes the data subject’s consent as the core principle for the processing of personal information. More specifically, Article 13 provides the legal basis: personal information may only be processed when one of the following conditions is met :-
(1) The consent of data subject has been obtained;
(2) It is necessary for the conclusion or performance of a contract to which the data subject is a party;
(3) It is necessary for the performance of statutory duties or obligations;
(4) It is necessary to respond to public health emergency or for the protection of life and property of an individual in an emergency;
(5) To a reasonable extent, for the purpose of news reporting or public opinion monitoring in the interests of the public; or
(6) Any other circumstances as provided by laws and regulations.
When the government is required to implement public health measures in response to the COVID-19 pandemic and it becomes necessary to process personal information, this falls within situation (4) above. The government, as a personal information processor, must then comply with the requirements and obligations set out in Articles 33 to 37 of the Draft.
Articles 14 to 19 further set out requirements for obtaining consent. If there is any material change in the handling of the personal information, consent must be obtained from the data subject again. Also, a personal information processor shall not refuse to provide products or services on the ground that the data subject refuses to give consent. The Draft also sets out specific consent requirements for other situations; for example, “separate consent” or “written consent” is required for the processing of Sensitive Personal Information. Neither separate consent nor written consent is defined, and it remains to be seen how they will be interpreted in practice.
(C) Cross-border transfer of personal information
Chapter 3 of the Draft sets out the requirements for cross-border transfer of personal information. Article 40 provides that Critical Information Infrastructure Operators (“CIIC”), and processors that process personal information reaching a certain volume (to be prescribed by the Cyberspace Administration of China (“CAC”) and not yet known), must store that personal information in China. If any transfer of personal information overseas is necessary, the CIIC must pass a security assessment administered by the CAC. Other requirements must also be fulfilled, for example executing an agreement with the foreign receiving party to ensure that the personal information processing will fully comply with the requirements stipulated by the Draft. A CIIC must also comply with more stringent requirements for obtaining prior consent from data subjects when transferring personal information out of China.
Article 52 further requires foreign personal information processors to set up specialized entities or appoint designated representatives in China to be responsible for protection of personal information and related matters.
(D) Rights of data subjects
Articles 44 to 49 expressly stipulate the rights of data subjects in personal information processing, including the right to know, the right to decide, the right to access and copy, the right to correct and the right to delete. Data subjects also have the right to withdraw consent and the right to request that the personal information processor explain its processing rules.
The Draft imposes heavy penalties on personal information processors who violate the law. Article 62 provides that unlawful personal information processing, or failure to take necessary security measures, may be fined up to RMB1,000,000, and any illegal gains shall be confiscated. Any individual directly responsible for such personal information processing may be fined from RMB10,000 up to RMB100,000. In cases of serious violations, a company in breach of the law may be fined up to RMB50,000,000 or 5% of its annual profit for the preceding year, and any individual directly responsible for such personal information processing may be liable to a fine of between RMB10,000 and RMB1,000,000.
In addition, the Draft provides that civil litigation for damages may be instituted against personal information processors that have infringed the personal information rights of individuals.