China's First DPO-like Pilot Roll-out
In the Personal Information Protection Law (Draft) ("PIPL") first published in October 2020, the responsible person for personal data protection was introduced. If a data controller processes an amount of PII larger than the number designated by the China Cyberspace Administration, the data controller would need to appoint a responsible person for PII protection to supervise the data processing and safeguarding measures.
In response to the introduction of the Responsible Person, the Guangdong Municipal Government announced the Guangdong Proposal for Pilot Trial at Selected Cities for Chief Data Officer. This is the first sub-state-level implementation of the PIPL regarding the Responsible Person. The Proposal selected six provincial government departments and ten cities for pilot trial. According to the Proposal, the responsibilities of this Chief Data Officer includes:
(1) Promotion of digital government. Execution of decisions and tasks deployed from the government. Preparation of development plans, standards and guidelines and implementation plans for the establishment of the digital government.
(2) Coordination for innovative data management and integration. Formulation of medium and long-term development plans and associated regulations for data governance. Coordination for the registration of government data, their collection, processing, usage, quality management, security control, and the performance evaluation of these works. Coordination of data needs internal and external to the government, promotion for the open and sharing of data, promotion of integration between government and public data, and the promotion of innovative use cases and their applications.
(3) Supervision. The Chief Data Officers will coordinate and resolve the data governance and operation issues encountered in the government digitalization projects. The Officer has "veto power" at project inception and acceptance stages for projects that might breach the relevant data governance and privacy laws. They are to detect, stop and rectify actions that might result in significant loss due to breaching of these laws.
(4) Talent build-up. The Chief Data Officers for the pilot cities and government departments are responsible for driving the build-up of the data processing skills and security training. They are responsible for promoting data governance in their departments, building the operations team and organizing the training for the entire department's data processing and security skills.
On the other hand, the Proposal is lacking the competence requirements needed to be the Chief Data Officer and the penalties if the requirements of the Proposal are not met.
In a summary, the responsibilities of the Chief Data Officer are not just the supervision of data processing like that of Data Protection Officer in GDPR. After all, the Chief Data Officer is an officer for the government. Nevertheless, it is still the first government-issued documents that attempts to answer to the Responsible Person of the PIPL. It is expected that other provinces and state-level departments will follow suit to establish their respective draft laws to implement the Responsible Person provision of the PIPL.
Article provided by: Chris Yau (SGS, Hong Kong)
Dr. Tobias Höllwarth (Managing Director INPLP)