The Standing Committee of China’s National People’s Congress on October 21 released the draft Personal Information (PI) Protection Law (the Draft Law) for public comments through November 19. It consists of 70 articles across eight chapters: General Principles, Rules for the Processing of PI, Rules for the Cross-border Provision of PI, Rights of Individuals in the Processing of PI, Obligations of PI Processors, Discharge of PI Protection Duty by Departments, Legal Liability, and Miscellaneous.
The key provisions of the Draft Law are as follows:
Definition of PI:
PI is defined in the Draft Law as various information recorded by electronic or other means related to identified or identifiable natural persons, but excluding information which has been anonymized.
This definition is not an exact replication of the PI definition in the Cybersecurity Law (2017) and the Civil Code (2021), which define PI as various information recorded by electronic or other means and used alone or in combination with other information to recognize the identity of a natural person. The definition of PI in the Draft Law corresponds more closely to Article 4 of the General Data Protection Regulation (2016) of the European Union, which has a broader scope: it covers not only information that identifies a natural person, but also information related to the identifiability of a natural person. The definition of PI in the Draft Law also incorporates the exclusion of anonymized information from PI found in the Information Security Technology—Personal Information Security Specification (2020) (PI Specification).
Extraterritorial effect:
The Draft Law, if adopted in its current form, would apply not only to the processing of natural person PI inside China, but also to the processing outside China of in-China natural person PI for (1) the purpose of providing products and services to in-China natural persons; (2) analyzing/assessing the behavior of in-China natural persons; and (3) such other circumstances as provided by laws and administrative regulations (unspecified in the Draft Law) (Art. 3).
PI processors who process PI outside China would be required to set up within China special organizations or designate representatives in China to be responsible for PI protection-related matters and submit the name of the organization, e.g., a China subsidiary, or the representative and its contact information to the authorities which bear PI protection duty (Art. 52).
Overseas organizations or individuals which process PI in a way that would harm the PI interests of Chinese citizens or endanger China’s national security or public interest may be placed by the Cyberspace Administration of China (CAC), which bears principal regulatory authority, on a public list of those restricted or prohibited for the provision of PI, and subject to measures for the restriction or prohibition of cross-border provision (Art. 42).
Corresponding action may be taken against countries or regions which adopt discriminatory prohibitions, restrictions or other similar actions with respect to the protection of PI in China (Art. 43).
Cross-border data transfer:
PI processors which need to provide PI outside China for business or other requirements must meet at least one of the following conditions: (1) pass a security assessment organized by the CAC; (2) undergo a PI certification by a CAC-accredited professional institution; (3) enter into a contract with the overseas recipient and monitor the recipient’s processing activity to meet the protection standards stipulated in the Law; or (4) such other conditions as specified in law, administrative regulation or CAC rules (Art. 38).
Compared to some earlier drafts of cross-border PI transfer regulations, the Draft Law provides more flexibility and does not mandate that cross-border transfer of PI be subject to a government security assessment or PI certification; rather, a government security assessment or PI certification is among the alternatives with which the PI processor may choose to comply. However, the requirements for an exemption remain to be specified.
Where it is necessary to provide PI outside China for international judicial assistance or administrative law enforcement assistance, an application shall be filed with the relevant competent department for approval in accordance with law. Where China has concluded or participates in international treaties or agreements that contain provisions concerning the provision of PI outside China, those provisions shall be followed (Art. 41). This echoes a similar requirement for government approval before handing data over to foreign law enforcement agencies in the draft Data Security Law (Art. 33).
Data localization:
Critical Information Infrastructure operators and PI processors which process PI that reaches the volume set by CAC would be required to undergo a security assessment for truly essential cross-border PI provision unless otherwise stipulated by law, administrative regulation or CAC (Art. 40). The volume threshold has yet to be specified by CAC.
PI processed by government offices would be required to be stored in China, and would also be subject to a risk assessment if cross-border provision is truly needed (Art. 37).
Personal Sensitive Information:
PI processors must have particular purposes and sufficient necessity to process Personal Sensitive Information (PSI), which would include, among other categories, medical and health information, personal biometrics, financial accounts, and ethnicity (Art. 29). Examples of non-sensitive PI include name, date of birth, gender, nationality, occupation and education background.
A risk evaluation would be required in advance before processing PSI, PI-enabled automated decision-making, providing PI to third parties, and cross-border provision of PI (Art. 54).
Authorities:
CAC and the applicable departments under the State Council at the central and local levels would be the departments responsible for the exercise of PI protection duty (Art. 56). Such departments would be empowered under the Draft Law to handle PI-related complaints and reports, and investigate and punish illegal PI processing activity (Art. 57) through such actions as questioning of the party concerned, review and copying of PI processing-related contracts, books and records of the party concerned, onsite inspections, examination of PI processing-related equipment and articles and seizure or detention of the same if there is evidence that may prove illegal PI processing (Art. 59).
Penalties for violations:
Processing of PI in violation of the Law, or failure to adopt necessary security protection measures and refusal to take corrective actions, may result in fines of up to RMB 1 Million imposed by the department that exercises PI protection duty, and a fine of RMB 10,000 to 100,000 on the supervisor and other personnel directly responsible; in serious cases, the departments that exercise PI protection duty may impose fines of up to RMB 50 Million or 5% of business revenue during the previous year, order a suspension of relevant business, order a suspension of operations for corrective action, notify the applicable regulator to revoke the relevant operating license or business license, and impose a fine of RMB 100,000 to 1 Million on the supervisor and other personnel directly responsible (Art. 62). Violations of the Law would be placed in the social credit file (Art. 63), and procuratorates, departments which exercise PI protection duty and organizations identified by CAC may file suit against PI processors who violate the Law in processing PI and infringe the rights and interests of a large number of individuals (Art. 66).
Conclusion:
The Draft Law, the first comprehensive legislation dedicated to PI protection, once issued, would constitute a significant milestone in China’s legislation in the PI and data protection area, together with the promulgation of the Cybersecurity Law, the relevant sections regarding privacy and PI protection in the Civil Code, the PI Specification and the recent Draft Data Security Law.
In particular, the Draft Law for the first time addresses at the legislative level the rules regarding cross-border PI transfer. As discussed above, compared to earlier drafts of PI cross-border transfer regulations, the rules in the Draft Law provide more flexibility in terms of cross-border transmission of PI for business needs. However, when it comes to cross-border transfer of PI to overseas law enforcement agencies, the stringent requirement for government approval applies. We anticipate seeing additional implementation regulations and national standards in the coming months. WilmerHale continues to monitor developments in this regard.