A Privacy Law for 25% of the World’s Population: China’s Personal Information Protection Law
China published the Personal Information Protection Law (Draft) ("PIPL") for public consultation on 21 October 2020. Although a few voluntary national standards (e.g., GB/T 35273-2020, JR/T 10171-2020) on personal data protec-tion have been published before, this is the first legal framework to address personal information protection in China. One can find many similarities between the Draft and the EU GDPR. However, there are still significant differences between the two, owing to the practical institutional differences between the two political systems. It's beyond the scope of this article to provide a clause-level comparison between the two. Instead, this article highlights the similarities and differences between the Draft and the EU GDPR from both the macroscopic and microscopic viewpoints.
GDPR is not the first EU legal framework to introduce the rules for the use and processing of personal identifiable information (PII); one of its major objectives is to overcome the differences in implementation of the Data Pro-tection Directive 95/46/EC between the EU Member States.
On the other hand, the Draft is the first law in China that addresses processing of personal information. Its objectives are to mitigate the risks related to PII raised by the rapid development of internet applications and proliferation of online users in China. The Draft takes advantage of the experiences of PII protection laws enacted prior to PIPL around the world.
Although the China Cybersecurity Law (came into effect in 2017) touches on the protection of personal information, the language of the Cybersecurity Law regarding personal information is rather broad and general, and only touched on the surface of PII protection. Furthermore, in parallel of draft-ing the Personal Information Protection Law, China is also preparing the Data Security Law (Draft). These two laws, together with the Cybersecurity Law, forms China’s framework for information security.
To ensure uniform enforcement within the EU, GDPR established one single entity, the European Data Protection Board, to ensure uniform enforcement of the Regulation. When there are any disputes in interpreting the Regulation, the GDPR utilizes the resolution mechanism as stipulated in Article 65.
The Draft appoints the Cyberspace Administration of China as the coordinat-ing and overseeing authority. However, the Draft continues the usual practic-es of allowing various executive Bureaux under the State Affairs Department to enforce the respective responsibilities under their jurisdictions (e.g., the State health department will oversee patient related PIIs, the central bank will enforce PIIs related to banks and financial institutes). This structure prevents the risks that if one single entity were to be established, it might not be conver-sant on the practices and PIIs risks of each industry. One might argue that this structure would lead to difference in interpretation of the Law. Nevertheless, the detailed organization structure of the enforcement mechanism as well as the mechanism of dispute resolution, has not been defined yet in the Draft. It is believed that additional supplementary regulations will be released in the future.
Definition of Personal Information
GDPR defines that PII as any information relating to an identified or identifiable natural person.
The Draft defines personal information as information recorded electronically or otherwise in relation to identified or identifiable natural persons, excluding anonymized information. The Draft further defines that PII processing includes activities such as collection, storage, use, processing, transmission, provision and release of PII. In this regard, the Draft and GDPR are very similar.
The Draft does not define a term similar to that of Data Subject in GDPR.
GDPR established six principles of PII processing: including: lawful-ness/fairness/transparency, purpose limitation, data minimization, accuracy, storage limitation, and integrity and confidentiality.
The Draft in general retains these six principles, although the texts are not as elaborated. Additionally, the Draft askes the Government to actively partici-pate in international exchange and cooperation in drafting international PII protection regulations, and to strive for mutual recognition of PII regulations between states, regions, and international bodies.
Rights of Natural Persons
GDPR defines eight data subject rights: to be informed, access, rectification, erasure, restriction of processing, data portability, to object, automated indi-vidual decision-making.
The Draft defines these same rights in Article 25, 44-47. There is no right to data portability in the Draft.
Obligations of the Data Processor
GDPR has clear and detailed requirements for the controller and the proces-sor respectively. It also established specific requirements such as data pro-tection impact assessment and the appointment of the Data Protection Officer.
The Draft does not distinguish between data controller and processor -- both are collectively defined as data processors. Unlike GDPR, the Draft only calls for the appointment of a Data Protection Officer when the quantity of PII processed is larger than an amount defined (not yet defined in the Draft) by the Cyberspace Administration of China. This includes data processors that are located outside of China who processes PII of natural persons in China. The Draft also requires a risk assessment to be conducted prior to the following scenarios:
1. processing sensitive data (Article 29)
2. automated decision using PII
3. Sub-processing of PII or to a 3rd party, and release of PII
4. Transfer of PII outside of China
5. Other processing that may have significant impact to the natural persons.
Notification of Data Breaches
GDPR stipulates the 72 hours ceiling for informing the supervisory authority.
The Draft has not stipulated any time limit for informing the authority.
GDPR established two conditions under which PII can be transferred to 3rd countries / international organizations:
- Countries accepted by EU as having appropriate level of protection;
- Processors in 3rd countries or international bodies with which the organizations transferring the PII have a corpo-rate binding rules;
- The controller / processor has provided appropriate safe-guarding of the PII, including the use of corporate binding rules.
The Draft manages the cross-border transfer differently. Processors intended to transfer PIIs outside of China shall meet one of these conditions:
- Operators of critical infrastructure, and processors who process PIIs in the quantity larger than (not specified yet) that set down by the Cyberspace Administration of China (CAC), shall retain the PIIs within China, or pass the secu-rity assessment conducted by the CAC;
- Other processors shall either
- pass the security assessment, conduct-ed by professional assessors, set down by the CAC; or
- enter into a contract with the PII receiver stipulating the rights and obligations of the PII processing.
GDPR defines the penalties in terms of circumstances of each individual case:
- Max EUR 10M, or up to 2% of the total worldwide annual turnover for violating Articles 8, 11, 25 to 39, 41 to 43
- Max EUR 20M, or up to 4% of the total worldwide annual turnover for violating Articles 5, 6,7, 9, 12 to 22, 44 to 49, 58.
Similarly, the Draft also defines the penalties in two levels:
- Confiscation of revenue owing to invalid processing of PII; if not rectified, fines up to RMB 1M (~EUR 128K) to the pro-cessor, and fines between RMB 10K and RMB 100K (~EUR 1.28K to EUR 12.8K) to the management.
- Confiscation of revenue owing to invalid processing of PII, and fines up to RMB 50M (~EUR 6.4M) to 5% of total an-nual turnover to the processor, or suspension of business permits, and fines between RMB 10K and RMB 100K (~EUR 1.28K to EUR 12.8K) to the management.
However, the basis of prosecution of each level has not yet been defined in the Draft. The determination of "revenue owing to invalid processing of PII" is also not defined at this point.
The Draft contains all the essential elements of that of GDPR. Although the level of details is less than that of GDPR and many implementation details are yet to be defined, it is indeed a good starting point for China's effort to manage PII protection. Considering China is comprised of 20% of the world's online population and many apps bear 1.2 billion users, the Draft is a welcome and essential addition to China's legal framework.
Article provided by: Chris Yau (SGS Hong Kong Limited, Hong Kong)
Dr. Tobias Höllwarth (Managing Director INPLP)