The first draft of the PIPL (the “Draft PIPL”) was submitted to the National People’s Congress of the People’s Republic of China (“PRC”) for review on 13 October 2020. There has been no official statement about when the law will come into effect; however, we currently estimate that this may be in early 2022. The PIPL (when enacted) will be the first comprehensive and principle-based law governing the protection of personal information in China.
In general, the Draft PIPL is consistent with the 'Privacy Rights and Personal Information Protection' section of the Civil Code of the PRC (the “Civil Code”). The Draft PIPL sets out civil, administrative and criminal rules that provide for the protection of personal information. To some extent, the Draft PIPL is inspired by international data protection laws such as the GDPR, which gives the PIPL itself a more international character.
Scope of application
Under Art. 3 of the Draft PIPL, the PIPL will apply to organisations and individuals who process personal information in China. Additionally, the law will also apply to organisations and individuals located outside China:
- who process personal information for the purpose of providing products or services to individuals located within China;
- who process personal information for the purpose of analysing or assessing individuals located within China; and
- in certain other situations, where required by applicable laws and regulations.
Definition of "personal information", "processing" and "data processor"
Under Art. 4 of the Draft PIPL:
- "personal information" refers to various types of information related to any identified or identifiable natural person. This is similar to the concept of "personal data" under the GDPR;
- "processing" refers to the collection, retention, use, processing, transferring, sharing and disclosing of (and other activities relating to) personal information.
The two definitions above are almost identical to those contained in the Civil Code.
There is a potential source of confusion for those familiar with the GDPR. The definition of "data processor" under Art. 69 of the Draft PIPL is very different from the concept of "processor" under the GDPR. Under the Draft PIPL, "data processor" refers to the organisations and individuals who decide the purpose and manner of processing. This is closer to the concept of a data controller under the GDPR than to that of a data processor, and the obligations of a data processor under the Draft PIPL are similar to the obligations of a data controller under the GDPR.
The principles of processing personal information
Legality, fairness and good faith
Under Art. 5 of the Draft PIPL, the manner of processing must be lawful and fair and follow the principle of good faith. It must not be fraudulent or misleading.
Purpose limitation and data minimisation
Under Art. 6 of the Draft PIPL, the purpose of processing should be made explicit and specific. The processing should be limited to the scope of this purpose, and any processing that is not relevant to such purpose should not be carried out.
Publicity and transparency
Under Art. 7 of the Draft PIPL, processing activities must be carried out in accordance with the principle of publicity and transparency. The nature of the processing of personal information must be explicitly disclosed.
Accuracy
Under Art. 8 of the Draft PIPL, personal information should be accurate and should be updated when required.
Accountability and security
Under Art. 9 of the Draft PIPL, organisations will be held accountable for their processing activities. They must take the measures necessary to protect the security of the personal information that they process.
Legal bases of processing
Under Art. 13 of the Draft PIPL, there will be six legal bases for processing personal information in China:
- where the individual has consented to the processing;
- where the processing is necessary for the performance of a contract between the data processor and the individual;
- where the processing is necessary for the performance of a legal duty or legal obligation;
- where the processing is necessary for responding to public health incidents or for protecting the life, health or property of individuals in emergencies;
- where the processing takes place, within a reasonable scope, for the purposes of reporting news or conducting public supervision in the public interest; and
- where otherwise required by applicable laws and regulations.
The legal bases under the Draft PIPL are similar to those under the GDPR. Under current Chinese law, obtaining the consent of individuals has been the primary legal basis for data processing, so the Draft PIPL in its current form significantly expands the options available to organisations.
Note also that the standard of consent required differs from that under the GDPR, as there is no express requirement for consent to be "specific" or given by an "affirmative action". However, there are still some notable similarities to the GDPR standard: under Arts. 13 to 17 of the Draft PIPL, the standard of consent will be as follows.
- Before obtaining consent, data processors must inform the individual of the details of the processing activities.
- The consent must be freely given and explicit.
- Other laws and regulations may require consent to be given separately or in writing: for example, in the case of consent to the processing of "sensitive information". This is defined in Art. 29 as personal information which, if leaked or used unlawfully, could easily lead to harm to the person or property of the individual to whom it relates, or to discriminatory treatment of that individual. Examples include the individual's race, ethnicity, religious beliefs, biometrics, health and financial information.
- Individuals have the right to withdraw their consent at any time.
- The processing of a minor's personal information on the basis of consent will be lawful where (i) the minor is at least 14 years old; or (ii) where the minor is under the age of 14, only if (and to the extent that) consent is given or authorised by the minor's parent or legal guardian.
- If an individual does not give consent to the processing, the data processor must not refuse to provide products or services to that individual on that ground, except where the processing is necessary to provide those products or services.
Contracts required under PIPL
Under Art. 21 of the Draft PIPL, if two or more organisations jointly decide the purpose and/or manner of processing personal information, then there must be a contract in place between those organisations. This is similar to the joint controller arrangements under Art. 26 of GDPR.
Under Art. 22 of the Draft PIPL, if a party is required to process personal information on behalf of an organisation according to the organisation’s instructions, then there must be a contract between that party and the organisation. This is similar to the requirement to have a controller-to-processor agreement under Art. 28 of GDPR.
Retention period
Under Art. 27 of the Draft PIPL, the period of data retention should be limited to the shortest time necessary for the purpose of the processing, except where applicable laws and regulations require otherwise.
Transferring personal information outside of China
If an organisation needs to transfer personal information to a country outside China, it must inform the individuals concerned of the identity and contact details of the recipient, the purposes and manner of processing, the categories of information involved, and how the individuals can exercise the rights described below, and it must obtain their separate consent to the transfer.
In addition to obtaining consent to the transfer, the organisation must take one of the following measures when transferring personal information outside of China:
- if the organisation is a "critical information infrastructure operator" (e.g. the operator of information infrastructure in the energy or transportation sector), pass the security assessment required under the Cybersecurity Law of the PRC;
- obtain certification from a certification body approved by the cyber security administrative authorities;
- sign an agreement with the recipient that sets out the parties' rights and obligations and how the organisation will supervise the recipient's compliance with the requirements of the PIPL; or
- take such other measures as are required by applicable laws and regulations.
Individuals' rights
The individuals' rights set out under the Draft PIPL are similar to the data subject rights under the GDPR.
Individuals will have the right to:
- know and understand the processing activities, and to decide whether to give consent to, restrict, or object to that processing;
- access and receive a copy of the personal information that is processed by the organisation, including the right to inquire about the details of their personal information under Art. 18;
- have inaccurate or incomplete personal information amended;
- have their personal information deleted in the following situations:
  - the personal information is no longer necessary for the purposes of the processing;
  - the storage period to which the organisation has committed has expired;
  - the organisation no longer provides products or services to the individual;
  - the individual withdraws their consent;
  - the organisation has breached the requirements of applicable laws and regulations or the contract between the organisation and the individual; or
  - where otherwise required by applicable laws and regulations;
- request the organisation to explain its privacy notice or policy;
- make a complaint when the organisation does not comply with the requirements of the applicable laws or regulations; and
- object to automated individual decision-making and to direct marketing.
The Draft PIPL does not set out a timeframe in relation to the exercise of these rights – this may need to be clarified in future.
Security measures
Under Art. 50 of the Draft PIPL, organisations must take the following measures.
- Implement relevant internal policies and procedures.
- Classify personal information and manage it according to its category.
- Take technical security measures, such as encryption and de-identification.
- Set reasonable operational controls, and provide regular training to staff.
- Formulate a security incident response plan and carry out regular drills of it.
- Take such other measures as are required by laws and regulations.
“DPO” and “Representative”
Similar to the concept of a DPO under the GDPR, Art. 51 of the Draft PIPL provides that, if an organisation meets the relevant threshold (to be set by the cyber security administrative authorities), it must appoint a person to be responsible for its protection of personal information. The contact details of this person must be notified to the relevant authorities.
In addition, under Art. 52 of the Draft PIPL, if an organisation in scope of PIPL is located outside China, it must appoint an office or representative located in China to take responsibility for its processing activities. The contact details of this office or representative will be notified to the relevant authorities.
Under Art. 53 of the Draft PIPL, an organisation must regularly audit its compliance with Chinese personal information protection laws and regulations.
Privacy impact assessment (PIA)
Under Art. 54 of the Draft PIPL, organisations must conduct a PIA before carrying out activities that will have a significant impact on the individuals concerned. This includes, for example, the processing of sensitive personal information, automated individual decision-making, sharing or otherwise providing personal information to a third party, and transfers of personal information outside China. The results of the PIA must be retained for at least three years.
Data breaches
Under Art. 55 of the Draft PIPL, if an organisation becomes aware of a data breach, it must take remedial measures and report the breach to the relevant authorities. The organisation must also notify the affected individuals, unless the measures it has taken effectively avoid any harm to them; even in that case, the relevant authorities may still require the organisation to notify the individuals if they consider that harm may result.
The Draft PIPL does not set out any timeframes for the steps to be taken in the event of a data breach – as such, these may need to be clarified in future.
Penalties and other liabilities
Under the Draft PIPL, if an organisation does not comply with the requirements of the PIPL, it may be liable to pay a fine of up to CNY 50 million (approximately UK£5.8 million or US$7.5 million) or up to 5% of its annual turnover for the preceding financial year. The level of the fine will depend on the circumstances, and the competent authority will follow the principle of proportionality when setting it.
In addition to this administrative penalty, the organisation and any relevant persons may also be subject to other civil and criminal liabilities under the Civil Code and Criminal Law of PRC.
Interestingly, under Art. 66 of the Draft PIPL, if an organisation infringes the rights of multiple individuals through its violation of the PIPL, a competent authority or other relevant body can bring a legal claim against the organisation on behalf of the injured parties.
Whilst the style of the Draft PIPL is similar to GDPR, the substance of the two is not identical.
The framework of the Draft PIPL will better facilitate activities involving the processing of personal information. However, it should still be borne in mind that the Draft PIPL is, indeed, a draft – as such, some of the requirements set out therein may be subject to change in the next stage(s) of the drafting process. Furthermore, there are still some questions about the content and effect of the PIPL that will need to be clarified. We will continue to monitor legislative developments and prepare updates accordingly.
As for how to get ready for the PIPL, it is not yet possible to set out a definitive plan, as much is delegated to future instruments. However, organisations that already meet GDPR standards will be well placed to navigate the requirements as they are finalised.
With thanks to Alexandra Hague for her helpful comments on this blog.