China's First DPO-like Pilot Roll-out

28.06.2021

Similar to GDPR, China’s draft Personal Information Protection Law also requires the designation of a Responsible Person for Personal Information. China’s southern Guangdong Province is the first to roll out a draft law that first implements a Chief Data Officer in 6 pilot government departments and 10 cities.

In the Personal Information Protection Law (Draft) ("PIPL") first published in October 2020, the responsible person for personal data protection was introduced. If a data controller processes an amount of PII larger than the number designated by the China Cyberspace Administration, the data controller would need to appoint a responsible person for PII protection to supervise the data processing and safeguarding measures.

In response to the introduction of the Responsible Person, the Guangdong Municipal Government announced the Guangdong Proposal for Pilot Trial at Selected Cities for Chief Data Officer. This is the first sub-state-level implementation of the PIPL regarding the Responsible Person. The Proposal selected six provincial government departments and ten cities for the pilot trial. According to the Proposal, the responsibilities of this Chief Data Officer include:

(1) Promotion of digital government. Execution of decisions and tasks assigned by the government. Preparation of development plans, standards, guidelines and implementation plans for the establishment of the digital government.

(2) Coordination for innovative data management and integration. Formulation of medium and long-term development plans and associated regulations for data governance. Coordination of the registration of government data, its collection, processing, usage, quality management and security control, and the performance evaluation of this work. Coordination of data needs internal and external to the government, promotion of the opening and sharing of data, promotion of integration between government and public data, and promotion of innovative use cases and their applications.

(3) Supervision. The Chief Data Officers will coordinate and resolve the data governance and operation issues encountered in government digitalization projects. The Officer has "veto power" at the project inception and acceptance stages for projects that might breach the relevant data governance and privacy laws. They are to detect, stop and rectify actions that might result in significant loss due to breaches of these laws.

(4) Talent build-up. The Chief Data Officers for the pilot cities and government departments are responsible for driving the build-up of data processing skills and security training. They are responsible for promoting data governance in their departments, building the operations team and organizing training in data processing and security skills for the entire department.

On the other hand, the Proposal specifies neither the competence requirements needed to be the Chief Data Officer nor the penalties if the requirements of the Proposal are not met.

In summary, the responsibilities of the Chief Data Officer are not just the supervision of data processing, like those of the Data Protection Officer under GDPR. After all, the Chief Data Officer is an officer for the government. Nevertheless, it is still the first government-issued document that attempts to address the Responsible Person provision of the PIPL. It is expected that other provinces and state-level departments will follow suit and establish their respective draft laws to implement the Responsible Person provision of the PIPL.

 

Article provided by: Chris Yau (SGS, Hong Kong)

 

 
