Almost 4 years after the release of the PRC’s controversial Cybersecurity Law (“CSL”), China’s top legislature is deliberating on the highly anticipated draft of the nation’s first Personal Information Protection Law (“PIPL”). The full text of the PIPL, reportedly comprising eight chapters and 70 articles, is yet to be released to the public; however, a helpful summary was put out in official media channels yesterday. What can tech and other businesses learn from it?
The topics that jump out of the summary are the potentially ominous data export restrictions and a steep increase in financial penalties for non-compliance with the rules. More generally, and continuing the momentum across Asia, the draft suggests that the EU’s General Data Protection Regulation (“GDPR”) remains a strong influence in the development of China’s and other APAC jurisdictions’ data protection regimes.
My first thoughts on each of the key points are as follows:
- Objective – As in the draft Data Security Law published in July (“DSL”), there is a clear acknowledgement of the growth of connectivity in China and that, given the extensive collection and use of personal information, it is crucial to strengthen regulatory systems, increase obligations on data controllers and processors, and better protect individuals’ rights. Covid-19 is noted in the PIPL as bringing this reality into even sharper relief.
- Core principles – These will not change: the need to balance rights with responsibilities; have a clear and specific purpose for data processing; minimise data collection and processing; formulate and communicate transparent rules; and ensure robust data security. Companies should be used to these tenets in China and abroad, but the sanctions for non-compliance (see below) will mean that having good data management and security practices – and following them – will be key to businesses in a market traditionally seen as lax on data privacy.
- Cross-border transfers – Draft measures released in June last year proposed to impose mandatory security assessment obligations on all businesses in mainland China operating networked IT systems. Although such a broad restriction is not repeated under the PIPL, the concept of critical information infrastructure operators is re-introduced from the CSL. However, crucially, no definition or further explanation is given. International businesses have no further clarity on whether they may be caught by the localisation rules under the CSL. Just as importantly, security assessments conducted by the PRC authorities also appear to be applicable to personal data exports by businesses which process such information in excess of an amount yet to be specified by the authorities. Understanding what this threshold is will be critical to businesses operating on a cross-border basis. That said, there is also reference to other cross-border data transfers requiring certification by professional institutions, although it is unclear from the summary whether this is a one-off or an ongoing test. Combined with the suggestion in the PIPL of stricter notification and consent requirements for these data transfers more generally, multinational businesses will be eager to hear more on these proposals as soon as possible, because continual assessment and other operational barriers will be a contentious issue.
- Extraterritoriality – Much like the DSL, the narrow geographic application of the CSL will seemingly be widened to impose liabilities on individuals or organisations outside mainland China whose processing activities damage the interests of those within China’s borders. In addition, the PIPL would regulate overseas persons that seek to provide products or services into mainland China or monitor the behaviour of individuals within China. Clearly influenced by the GDPR in that respect, the PIPL would follow the EU model of requiring those processing Chinese personal data outside of China to appoint an in-country representative to take responsibility for these actions. A similar obligation was originally proposed under the draft measures on data security management released in May 2019 but was never enacted. Businesses outside of China would therefore need to be more cautious if, for example, looking to target consumers in the Chinese market while wishing to stay outside of its regulatory regime.
- Processing conditions – Consent has until now remained the sole condition for collection and processing of personal data. In a nod towards business efficiency, it appears that other processing conditions will be introduced under law, to resolve the current tension where the exceptions to obtaining consent only exist under the Information security technology – personal information security specification (“Specification”). As the Specification does not have force of law, enterprises that have used it as a shield from compliance with the CSL’s obligations to obtain consent have always done so with a degree of risk. That should soon change.
- Sensitive personal data – Sensitive personal data will be given a statutory footing for the first time under general data protection law in China. This data type is already distinguished under the Specification, which well-advised businesses are in most cases complying with as best practice. As such, any additional obligations should not come as a shock to them but may raise compliance costs and burden for others.
- Individuals’ rights – Following the approach recommended under the Specification, individuals’ rights are expanded as a matter of law, akin to those rights given to individuals in the EU, including the right to withdraw consent, the right to erasure, the right of access, and the right to have access to clear complaint mechanisms. Again, this statutory footing should not concern international businesses used to GDPR principles, but it will be a costly compliance burden for smaller domestic enterprises.
- Enhanced compliance protocols – As proposed under the May 2019 measures and again under the DSL, having a data protection officer is likely to become a statutory requirement (it is currently only a recommendation in certain circumstances under the Specification). This officer will need to formulate internal management systems and operating procedures, ensure adequate technical security measures are implemented, coordinate various compliance audits and risk assessments, and ensure swift reporting of data breaches. As these more robust procedures were also proposed under the DSL, businesses should expect them to become law, although many should already be familiar with these obligations through their compliance with the CSL.
- Disclosures to overseas law enforcement agencies – As proposed under the DSL, disclosure of personal data to overseas enforcement agencies and judicial bodies will require the prior approval of the PRC authorities. This is possibly a reaction to the extraterritorial legislation of other jurisdictions, such as the US CLOUD Act, and (depending on the final interaction with international treaties) could be an additional data export restriction for businesses to build into their data management processes.
- Retaliatory measures – Ominously for international enterprises, and as when these were included in the DSL, the summary describes powers allowing the Chinese government to impose retaliatory measures against any country or region that formulates unreasonable measures against mainland China. Against the backdrop of geopolitical tensions, these powers are a recurring theme in new legislation in China (as in the new Foreign Investment Law, which came into force on 1 January).
- Regulatory enforcement – Increased sanctions for violation of data protection principles are a trend in China and Asia more widely. Importantly, the PIPL takes a GDPR-esque approach to enforcement, with serious violations potentially resulting in fines of up to RMB50 million (roughly EUR6.3 million, compared to the EUR20 million threshold in the EU) or up to 5% of annual turnover (although presumably on a China-wide rather than worldwide basis, unlike under the GDPR), in addition to potential civil liabilities for enterprises and fines of up to RMB1 million (approximately EUR127,000) for the relevant in-charge managers. Even if not as high as their European equivalents, these levels of fines for businesses at fault should ensure that data protection in China is a boardroom issue from the launch of the PIPL.
The last point above may alone be enough for tech and other businesses to appreciate that this draft law will be business critical. We will continue to monitor developments and are happy to discuss immediate reactions with interested stakeholders.