GDPR with Chinese characteristics: China's draft data protection law
On 21 October, mainland China’s top legislature published the long-awaited first draft of its Personal Information Protection Law (PIPL) for a month-long public consultation.
This law will work alongside the existing Cybersecurity Law and July’s draft data security law as one of the key pillars of security in President Xi Jinping’s framework for China’s cyberspace. Despite this very China-centric purpose, the extent of the influence of the GDPR remains strong in China and other Asia-Pacific markets where governments wish to formulate data protection rules to better protect their citizens’ interests.
Ability to process data
China’s authorities have announced the objective of further driving the nation’s vibrant digital ecosystem of 900 million internet users to continue China’s economic rebound after covid-19. One example of this nod towards business efficiency is the introduction of grounds for collection and processing of personal information other than consent, which until now has generally remained the sole statutory processing condition. However, the need to obtain “separate” consent to process personal information for various key activities – including cross-border transfers, transfers to any third party (with no express carve-out for intragroup transfers), and certain handling of sensitive personal data – may mean that businesses have to continue to solicit consent for many interactions with customers and employees.
Businesses in China operating on a cross-border basis have been awaiting clarity on the requirements applicable to data exports. The draft PIPL regrettably does not resolve all issues and the overarching position remains that data controllers are steered towards data onshoring (although that is a trend also seen in the EU with the implications of Schrems II). Although proposals released in June 2019 that sought to impose mandatory regulator- administered security assessments on all businesses are not repeated under the draft PIPL, critical information infrastructure operators (still unhelpful undefined) and businesses which process personal information in excess of an amount yet to be specified will need to submit to such assessments. Businesses falling below this critical threshold will instead likely choose to put in place contractual terms with overseas recipients that ensure that protection standards provided under the draft PIPL are met. Furthermore, as proposed under the data security law and possibly a reaction to foreign extraterritorial legislation such as the US CLOUD Act, the draft PIPL proposes that the disclosure of personal data to overseas enforcement agencies and judicial bodies will require the prior approval of the Chinese authorities. Businesses would need to build this restriction into their data management processes.
As seen in the data security law, the long arm of the draft PIPL reaches outside of the Middle Kingdom to impose liabilities on overseas organisations and individuals whose processing activities damage the interests of individuals in China. Clearly influenced by the GDPR, the draft PIPL also proposes that businesses outside mainland China appoint a representative or establish an entity in China to take responsibility to the Chinese authorities where those businesses seek to provide services or products into China or monitor the behaviour of individuals within its territory. Foreign businesses would need to be cautious if, for example, looking to target some of China’s 1.4 billion potential consumers but wishing to stay outside of its regulatory net.
The suite of individuals’ rights is expanded as a matter of law under the draft PIPL, and is akin to that under the GDPR. The Chinese legislation prescribes the right to withdraw consent, the right to limit processing activities, the right of access and to request a copy of personal information, and the right to erasure. Again, this statutory footing should not concern international businesses used to similar principles in the EU, but it will be a costly compliance burden for smaller domestic enterprises – especially with the enhanced awareness that citizens have of their legal rights and ability to raise grievances, as promoted by the coming into force of China’s Civil Code on 1 January 2021.
As proposed in the data security law, appointing a data protection officer is likely to become a statutory requirement for some businesses. This officer must ensure adequate technical security measures are implemented, coordinate various compliance audits and risk assessments, and ensure that data leaks are reported swiftly.
The draft PIPL notably follows the GDPR to make data protection compliance a boardroom issue through a clear threat of substantial financial penalties. Under the draft PIPL, serious violations can result in fines of up to 50 million yuan (€6.3 million) or up to 5% of annual turnover, in addition to potential civil and criminal liability for enterprises and fines of up to 1 million yuan (€127,000) for managers. This is a marked jump in the magnitude of sanctions in a jurisdiction that has traditionally had a reputation for lax enforcement for data privacy.
No definitive timeline has been set for the final law, but all businesses should monitor developments and, where appropriate, seek to submit comments to the consultation. The government has publicly stated that this law is a priority, so there may not be multiple rounds of consultation or a long lead-time to implementation.
By Alex Roberts
This article was first published in Global Data Review, available here.