The status quo

Currently, China's rules concerning data protection and data security are scattered across various laws, regulations, and national standards. The Cyber Security Law (CSL), with its primary focus on cybersecurity, introduced some very general data protection measures that have taken on more detailed elaboration in the law's enforcement. The Personal Information Security Specification (Specification), adopted as a non-binding national standard on 1 May 2018, has provided some more detailed reference points that are useful to interpreting the CSL, but the draft PIPL is intended to close an important gap in the existing regulatory framework.

Key reforms under the draft PIPL

Extraterritorial application.

The CSL provides a legal basis for extraterritorial enforcement in cases of disruption of critical information infrastructure in China by foreign parties, but this has generally been understood to mean the CSL is solely concerned with the cybersecurity of systems physically located in mainland China. The draft PIPL would upset this understanding, tracking GDPR's extraterritorial application in cases where offshore data processing activities are for the purpose of (i) providing services or products to individuals resident in China; or (ii) analyzing or evaluating the behavior of individuals resident in China. The draft PIPL allows for further extensions of extra-territoriality, where laws or administrative regulations stipulate that this is the case.
Multinational businesses collecting personal data from offshore must establish an agency or appoint a representative in mainland China responsible for administering requirements under the law.

Regulation of cross-border transfers of personal data. 

The CSL mandated localization of personal data and certain other types of data for organizations designated as operators of critical information infrastructure. Successive drafts of the Measures on the Security Assessment of Cross-Border Transfer of Personal Data (draft Data Export Measures) released by the Cyberspace Administration of China (CAC) have proposed that all outbound transfers of personal data from China would be subject to a security assessment, but the draft Data Export Measures have never been finalized, leaving the status of international transfers uncertain. 

The draft PIPL would regulate international transfers of personal data on a slightly less comprehensive way than the approach proposed under the draft Data Export Measures.

Specifically, the draft PIPL would scale down the scope of application of the security assessment to data transfers, which are either: (i) made by an operator of critical information infrastructure (CIIO); or (ii) involve a volume of data that meets or exceeds materiality thresholds to be set by the CAC. 

Non-CIIO transferors falling below the CAC's materiality thresholds could satisfy the international transfer restrictions by one of the following:

(i) A certification by a third party professional institution.
(ii) An agreement between the Chinese data transferor and the offshore data recipient with obligations sufficient to ensure the transferred data will continue to be processed in accordance with the standards under the draft PIPL.

The draft further introduces a blacklisting mechanism by which the CAC may prohibit cross-border transfers to foreign organizations and individuals whose data processing activities harm Chinese citizens' interests in their personal data or endanger Chinese national security or public interest.

Basis for processing.

The draft PIPL would take consent as the principal basis for processing personal data, with limited specific exemptions for conclusion or performance of contracts with data subjects, compliance with applicable laws, public health, and public interest processing. Notably, the draft PIPL does not follow GDPR in providing for legitimate interests processing. Consent under the draft PIPL would be revocable and data controllers would not be permitted to refuse to provide products or services if the data subject withholds or withdraws his or her consent to non-essential processing.

The draft PIPL also requires separate/"unbundled" consent in the following situations:

• Transfer of personal data by data controllers to third parties (Article 24).
• Publication of personal data (Article 26).
• Publication or provision of personal data collected by equipment installed in the public places for security purposes, such as personal images (Article 27).
• Processing of sensitive personal data (Article 30).
• Cross-border transfers of personal data (Article 39).

Regulation of sensitive personal data. 

The draft PIPL broadly follows the Specification in defining "sensitive personal data" conceptually by reference to the possibility of the data subject suffering discrimination or serious harm. Race, ethnicity, religion, biometrics, medical and health data, financial accounts, and personal whereabouts are listed as examples. 

The processing of sensitive personal data would be subject to the following requirements:

• The processing is only allowed where there is a specific purpose and sufficient necessity to do so.
• A data subject has been informed of the necessity of the processing of his/her sensitive personal data and its implications.
• Before processing sensitive personal data, the data controller must perform a risk assessment.
• As noted above, data controllers processing sensitive personal data must obtain a separate/"unbundled" consent from data subjects.

Mandatory data breach notification obligation.

The draft PIPL would require organizations to notify relevant authorities and impacted individuals of data leakage incidents. Organizations would not be required to notify breaches in relation to which remedial measures may be taken without harm being caused to individuals.

Significantly increased monetary fines.

Under the CSL, the violation of personal data protection could trigger the confiscation of illegal income derived from the violation, a fine of no less than one and not more than ten times the illegal income, or a fine up to RMB1,000,000 where there is no illegal income. Individuals responsible for the violation may be subject to a fine of RMB10,000 to RMB100,000.

The draft PIPL would significantly increase the financial penalties. In most cases, fines of up to RMB1,000,000 could be imposed on companies, with fines of RMB10,000 to RMB100,000 imposed on responsible individuals. In more serious cases, the fine could be increased to RMB50,000,000 or five percent of the company's total turnover in the preceding year, with fines of RMB100,000 to RMB1,000,000 imposed on responsible individuals.

Accountability.

The draft PIPL would introduce a number of the accountability measures introduced under GDPR. 
Organizations controlling the processing of personal data would be required to (i) adopt necessary security measures in accordance with its internal policies and procedures to safeguard the personal data they process; (ii) designate a data protection officer to take charge of personal data processing activities if the volume of data being processed reaches certain threshold to be specified by the CAC; (iii) conduct regular audits on data processing activities, and (iv) carry out risk assessments before conducting high risk data processing activities, such as the processing of sensitive personal data and cross-border transfer of personal data.

Public comments on the draft PIPL will close on 19 November 2020. We expect that there will be further amendments to the draft PIPL before the Personal Information Protection Law is officially promulgated. We will be closely tracking developments and will provide our observations on the updates as they come.

Authored by Mark Parsons and Sherry Gong.