Published in IAPP.org, 4.02.2021
By Yanhong Yin and Vagelis Papakonstantinou
China’s draft Personal Information Protection Bill was published Oct. 21, 2020, after its finalization by the Standing Committee of the National People’s Congress. The bill is made up of eight chapters and 70 articles in total, including general provisions, personal information handling rules, rules on the cross-border provision of personal information, individuals’ rights in personal information handling activities, personal information handlers’ duties, departments fulfilling personal information protection duties and responsibilities, legal liability, and supplemental provisions.
Essentially, it combines China’s domestic circumstances and international practices, adopts a problem-solution approach, and closely relates personal information protection law with other relevant laws.
Article 1 protects personal information rights and interests, standardizes personal information handling activities, safeguards the lawful, orderly, and free flow of personal information, and stimulates the reasonable use of personal information. “Personal information” is defined similarly to Article 4 of the EU General Data Protection Regulation: it is information recorded by electronic or other means that relates to identified or identifiable natural persons, excluding information that has undergone anonymization processing.
The bill deals with sensitive personal information, the scope of which also mimics that of the “special categories of personal data” under the GDPR. According to Article 29 of the bill, sensitive personal information means personal information that, once leaked or illegally used, may cause discrimination against individuals or grave harm to personal or property security, including information on race, ethnicity, religious beliefs, individual biometric features, medical health, financial accounts, and individual location tracking. On the other hand, the bill does not follow the GDPR’s controller-processor distinction but refers only to “processors” instead.
The bill does not apply when a natural person processes personal information for personal or household affairs, as detailed in Article 68, which resembles the corresponding exemption in the GDPR. In the same manner, the processing of archival data is subject to GDPR-like provisions. Article 33 of the bill also applies to personal information processing by state agencies; however, in compliance with paragraph 2 of Article 68, where laws contain provisions on statistical or archival processing activities organized and implemented by the government or relevant state departments, those provisions are followed.
Transborder data flow
Also similar to the GDPR, the bill applies both within and outside the borders of China. Article 3 stipulates that it applies to organizations and individuals handling the personal information of natural persons within the borders.
Paragraph two of the same article provides that the bill also applies to processing activities outside the borders of the PRC in any of the following circumstances: 1. the purpose is to provide products or services to natural persons inside its borders; 2. the activity analyzes or assesses the conduct of natural persons inside its borders; 3. any other circumstances provided in laws or administrative regulations.
In particular, Article 42 specifies that when foreign organizations or individuals engage in personal information processing that harms the rights and interests of citizens of the PRC, or the national security or public interest of the PRC, the state cybersecurity agency may place them on a list limiting or prohibiting personal information, issue a warning, or adopt other measures.
Besides broadening its territorial scope, the bill also takes international cooperation on data protection seriously and gives precedence to international treaties or agreements. Article 41 specifies that, when it is necessary to provide personal information outside of the PRC for international judicial assistance or enforcement purposes, an application shall be filed with the relevant state department for approval. Additionally, if the PRC has participated in international treaties or agreements containing provisions on personal information processing outside PRC borders, those provisions take precedence.
Generally, obtaining the individual’s consent is the prerequisite for processing personal information. However, according to Article 13, processing may take place without consent where necessary to conclude or fulfill a contract in which the individual is an interested party, where necessary to fulfill statutory duties and responsibilities, or where personal information is processed within a reasonable scope for news reporting, public opinion supervision, and other such activities in the public interest.
Article 30 also states that personal information processing can be performed without the consent of individuals in order to respond to sudden public health incidents or to protect natural persons’ lives and health, or the security of their property, under emergency conditions. When handling sensitive personal information, specific consent in writing is required under Article 30, while Article 32 emphasizes that, if other laws or administrative regulations provide for stricter restrictions, the latter should be followed. These provisions complement the bill’s special protection of sensitive personal information. Compared with the GDPR, however, the balance between personal data protection and freedom of expression for journalistic and academic research purposes appears to be missing.
Similar to the GDPR, the bill addresses the consent of minors. Under Article 15, processors that know or should know they are processing the personal information of minors (under the age of 14) need to obtain the consent of their guardians. The bill follows Chinese civil and criminal laws, which set a different age threshold than EU law.
The right of notification
Closely related to consent is the individual’s right of notification. Generally, to obtain an individual’s consent, the right of notification should be fulfilled in advance or at the same time. However, under Article 19, no notification is required where other laws or administrative regulations impose an obligation of secrecy, where notification is not necessary, or in emergency circumstances; in the last case, individuals should be notified once the emergency has ended.
Under Article 55, in the event of a personal information breach, processors should notify the competent state departments that have assumed monitoring duties and responsibilities, but not necessarily the individuals, when processors can adopt effective protective measures.
This regulation is also similar to the GDPR’s requirements regarding personal data breach notifications. Besides the right of notification, individuals also enjoy several other rights described in Articles 44 to 49, including the right to know and the right to decide about their personal information, the right to access their personal information held by processors, the right to request that processors correct or update their personal information, the right to request that processors delete personal information in certain circumstances, etc. All of the above rights can also be found in the text of the GDPR.
As regards the liability of processors, including state agencies, Chapter 7 provides that infringers may face administrative punishment, including warnings, confiscation, fines, entries in credit files, etc. State agencies failing to fulfill their data protection duties may be ordered to take corrective action, and the responsible person may be disciplined. Under certain circumstances, the persons involved will be punished under criminal law.
The final draft of the bill is responsive to the practical situation in China, as well as to the current global market situation. However, its shortcomings are also evident. The articles relating to the scope of “personal information” lack sufficient detail, and some important personal information categories, such as criminal records, are not addressed in its text. Additionally, the personal information protection principles could be clearer, and the individual rights listed could be more comprehensive, particularly as regards the right to restriction of processing and the right to object to automated decision-making.
At the same time, personal information protection could be more closely related to freedom of expression and information, including processing for journalistic purposes and for the purpose of academic, artistic, or literary expression. What’s more, monitoring and supervision powers could have been better described in the bill, in order to achieve more transparent, comprehensive, and efficient personal information protection.