Businesses have been eagerly (or apprehensively, depending on their point of view) awaiting the revised drafts of the seminal Personal Information Protection Law and the Data Security Law.
These laws will complete the trifecta of cyber- and data security laws fundamental to the PRC government’s regulation of its robust digital economy – indeed, an ever-increasingly important part of the Chinese economy given its role in driving almost 40% of China’s GDP in 2020!
Late last week then, the wait was brought to an end with the release of the second drafts of the PIPL and DSL for a one-month public consultation.
As most laws promulgated in the PRC undergo no more than three readings before being finalised for launch, these versions should be pretty ready to go, unless there is a significant change to macro policy in the interim period.
But, glancing at the new versions of the draft laws, it is notable that the level of changes and supplementary text is not as sweeping as some industry players might have hoped. The structure and general principles of both the second draft PIPL and DSL remain consistent with their respective first drafts (see my earlier commentary from November and July 2020).
Data export mechanics remain contentious
Looking at the PIPL, multinationals and other businesses operating on a cross-border basis will be pleased to see that model contractual clauses remain a key mechanism for exports of personal information. Interestingly, in response to industry feedback, the second draft PIPL also clarifies that contracts entered into with overseas recipients of personal data must be based on a standard form contract to be published by the Cybersecurity Administration of China.
If this form of contract follows international standards, such as the newly-revised standard contractual clauses (or SCC) published by the EU’s data protection authorities, this will be a further welcome clarification. However, if the PRC’s requirements deviate such as to require PRC-based companies to adopt one form of data transfer agreement for compliance with the PIPL and another form for compliance with other major jurisdictions’ rules on data exports, business efficiency will be dented. No more details on the approach or timetable for these “China SCCs” have yet been disclosed though.
Platforms in the crosshairs again
As highlighted by the article below, what also stands out from the PIPL are the new rules imposing increased obligations on platform businesses such as those of the Chinese e-commerce giants. Reflecting the intense scrutiny and increased enforcement against Internet platform operators seen since the end of last year, the second draft of the PIPL proposes a series of additional responsibilities to be met by platforms that have complex business models and offer services to a significantly “large” number of users (that figure is yet to be prescribed, however):
- Establishment of an independent body responsible for overseeing personal information processing. How "independent"? Will auditors or lawyers who have worked for the company be permitted? Unclear for now.
- Periodic release of social responsibility reports on the protection of personal information will be required. This is in line with increasing adoption of ESG (environmental, social and governance) reporting requirements for PRC-listed and certain other enterprises in China. While this will be music to the ears of investors, unfortunately no details on content and dissemination requirements for these new reports are given.
- Ceasing provision of services to platform participants which process personal information in material violation of law. Although not a like-for-like concept to the digital “gatekeepers” of the EU’s new Digital Markets Act, the global trend is clearly to up the compliance responsibilities of Big Tech.
Ongoing love affair of anti-trust and data compliance
Following recent regulatory trends, the second draft of the DSL expressly provides for sanction of data processing activities that exclude or restrict competition.
On top of the new obligations on platform operators therefore, it is evident that the current investigations and supervision of e-commerce and consumer finance players for monopolistic use of data and other anti-competitive behaviours are set to continue in this area of cross-over between anti-trust law and data management compliance. Cross-functional collaboration within organisations will be vital to ensure that businesses are able to maintain compliant standards in China’s dynamic digital market.
Balance is the endgame
Ultimately, regulators will be striving for balance between adequate supervision of a burgeoning market and ensuring that innovation is not stifled. Even without the incredible numbers generated by the digital markets last year, China understands how crucial the best tech is to the nation’s future. Harmony will not be easily garnered, but Chinese regulators have set a clear priority in the double-release of these new laws.
The dates for publication of the final form laws and their eventual launch are still to be determined. Needless to say though, businesses will need to adapt as non-compliance is no longer going unnoticed. To help on that road, we will publish more commentary on both the Personal Information Protection Law and the Data Security Law in the next couple of days.
Beijing is building a data-governance regime that seeks to strike a balance between protecting user privacy, creating a viable market for data and a thriving digital economy, while maintaining strong government control.