In the past few years, China has become notorious for finding ways to violate users’ data privacy. However, in a step towards strengthening its stance on individual data, China announced the first draft of the Personal Information Protection Law (PIPL). This law is one of the three fundamental laws on cybersecurity and data protection that China holds, the other two being the Cybersecurity Law and the Data Security Law (which is also in draft form).
Dissecting the Personal Information Protection Law
The PIPL’s draft version consists of eight chapters and 70 articles, covering topics that include personal information processing, cross-border data transfer, the rights of individuals with respect to data processing, and more.
Under the PIPL, personal information means various types of information, recorded in electronic or other formats, relating to identified and identifiable individuals. Some of the key provisions of the draft PIPL are outlined below:
Departments Exercising Personal Information Protection
As per the Draft PIPL, the Cyberspace Administration of China (CAC), the departments of the State Council, and the relevant departments of local governments at the county level or above are all responsible for personal information protection.
Scope of Application
The Draft PIPL provides that the law can apply outside of China to the extent necessary for protecting the interests of Chinese citizens. The Draft PIPL also applies where the purpose of data processing conducted outside of China is to provide products or services to individuals in China or to analyze their behavior in China.
The Seven Pillars of Data Processing
The Draft PIPL is based on seven data protection principles: legality, explicit purpose, minimum necessity, transparency, accuracy, accountability, and data security. Let’s take a closer look at how these play out in its key provisions.
1. Consent and Exceptions for Consent
Under the PIPL, a data processor may process personal data based on:
- Consent of the individual.
- The necessity of executing or performing a contract.
- The necessity of performing a legal obligation or legal duty.
- A response to an emergency public health event or the necessity of protecting the safety of an individual’s life and property.
- The publication of news and the supervision by public opinion for the public interest within a reasonable scope.
2. Joint Data Processing and Data Processing by Entrustment
Where two or more data processors process personal information jointly, the co-processors bear joint liability in cases of infringement of personal interests.
Where a data processor entrusts a third party to process personal information, both parties shall execute an agreement that covers the purpose of data processing, the processing mode, the types of personal information processed, the protection measures, and both parties’ rights and liabilities.
3. Provision of Personal Information to a Third-Party
When providing personal information to a third party, a data processor is bound to inform the data subject of the identity and contact information of the third party, the purpose of data processing, the processing mode, and the type of personal information covered, as well as to obtain separate consent from the data subject.
4. Sensitive Personal Information
The Draft PIPL stipulates more restrictions on the processing of sensitive personal information. Sensitive personal information is defined as information that, once leaked or abused, may cause damage to personal reputation or seriously endanger personal and property safety; it includes race, nationality, religion, biometric information, health, financial accounts, personal whereabouts, and other such information. Processing sensitive personal information is allowed only if the data processor has a specific purpose and sufficient necessity, and obtains separate consent or written consent from the data subjects.
The data processor shall also inform the data subject of the necessity of processing the sensitive personal information and of the impact on the data subject.
5. Personal Image Collected by the Equipment Installed in Public
Personal images and personally identifiable information collected by image acquisition and personal identification devices installed in public places may only be used for the purpose of maintaining public security, and may not be disclosed or provided to others unless consent is obtained from the individual or otherwise provided by relevant laws and regulations.
6. Cross-Border Transfer of Personal Information
The Draft PIPL provides three methods for cross-border transfers of personal information. In general, cross-border transfers of personal information shall either be certified by recognized institutions, or the data processor shall execute a cross-border transfer agreement with the recipient located outside of China and ensure that the processing meets the protection standard provided under the Draft PIPL. Where the data processor is categorized as a critical information infrastructure (“CII”) operator, or the volume of data it processes exceeds the threshold stipulated by the CAC, the cross-border transfer of personal information must pass a security assessment conducted by the CAC.
In cases of cross-border transfer of personal information, the data processor shall inform the data subjects of the identity and contact information of the overseas receiving party, the purpose of data processing, the processing mode, the type of personal information to be processed, and the way data subjects can exercise their rights under the Draft PIPL, as well as obtain separate consent from the data subjects.
7. Rights of the Individuals with Respect to Data Processing
Individuals have the right to know about, the right to decide on, and the right to limit or object to the processing of their personal information by others. They also have the right to access and copy their personal information held by data processors, and the right to request that data processors correct or complete their personal information. Under certain circumstances, individuals have the right to request deletion of their personal information, the right to withdraw consent, and the right to request that the data processor explain its processing rules.
The data processor shall establish a mechanism through which the data subject can exercise these rights.
The Draft PIPL widens the range of penalties beyond those provided in China’s Cybersecurity Law. In addition to the rectification orders, confiscation of illegal gains, warnings, fines of up to 1 million RMB, business suspensions, business halts for rectification, and the revocation of relevant permits or business licenses already available under the Cybersecurity Law, the draft PIPL also stipulates that in serious cases, data processors are subject to fines of up to 50 million RMB or up to 5% of the previous year’s revenue.