China on Tuesday sent its draft personal data protection law to its legislature for deliberation, a press release from the National People’s Congress (NPC), the country’s parliament, said. Summarising the bill, the release warns countries and regions with “corresponding measures” if they take “unreasonable measures” against China in the name of data protection. The release has also cautioned international organisations of consequences if they harm Chinese citizens’ privacy. The bill is not yet publicly available. We have reached out to the Chinese embassy in Delhi for more information and a copy of the bill.
This bill, if enacted, will regulate how the personal data of more than 900 million internet users in China is processed and stored. As per the release, China has more than 4 million websites and more than 3 million apps.
It covers personal data which is related to identified or identifiable natural persons and has been recorded electronically or otherwise. It does not cover anonymised data. It makes informed consent mandatory for data processing, imposes obligations on data processors, and mandates certification for cross-border data flows among other things.
Violators of the proposed law will be ordered to “rectify” their behaviour, receive a formal warning, and have any illegal income confiscated, Caixin, an Chinese publication, reported. The eight-chapter bill with about 70 articles, as per Caixin, has proposed fines of up to ¥50 million (~₹54.5 crore) or the equivalent of up to 5% of their revenue from the previous year for companies that repeatedly flout the proposed law. Serial offenders could also reportedly have their business licences revoked or suspended.
International companies that process personal data must either establish offices in China or designate representatives who are responsible for personal data protection related matters.
Liu Junchen, the deputy director of the Legal Affairs Committee of the Standing Committee of the NPC, said that the this law is important to protect personal data, to maintain “a good ecology in cyberspace”, and to promote “healthy development of the digital economy”. The Standing Committee is a group of select legislators within the National People’s Congress who deliberate on specific laws. The Committee is in session from October 13 to 17.
The draft legislation on personal data protection has been long awaited. The country enacted its controversial Cybersecurity Law in June 2017 that mandated localisation of data collected within China. It also allows the Chinese government to essentially access companies’ networks and computers for review and are subjected to the state’s supervision. In August, the Chinese government also released a draft Data Security Law for consultation. This law specifies the data security obligations of government agencies and private companies, and mandates data localisation. It also proposes classifying and regulating data on the basis of “importance to economic and social development”. The country had also amended its criminal law in 2015 and criminalised illegal sale of personal data to a third party.
Applicable to data processing outside China, with caveats
As per the bill, apart from being applicable to personal data processing within the country, the law will be applicable to all personal data processing activities that happen outside China to provide products/services to people residing in China or to track their behaviour.
Informed consent is must, especially for sensitive personal data
The bill requires informed consent from users before their data is processed and they must be given “full notice in advance”. Consent must be capable of being withdrawn. If “important matters change”, consent needs to be taken again. A person cannot be denied products or services if they refuse to consent to share their personal data.
For certain kinds of personal data, stricter restrictions will be imposed. Sensitive personal data can only be processed after the processor has specified a purpose and “sufficient necessity”, and has taken the consent (or written consent) of the individual. The press release does not specify what kinds of personal data would be categorised as sensitive.
Exceptions for emergencies, public security
The press acknowledged the role of “big data applications” in controlling and preventing the spread of COVID-19, and in the “resumption of work and production” thereafter. Thus, the Bill has carved out legal exceptions for how personal data is processed to respond to public health emergencies, or to protect people’s lives in emergencies. The nature of these exceptions is currently now know: are they limited to only collecting and processing data without consent? Does it mean that users cannot exercise their rights if emergency exceptions are invoked?
Even under these exceptions, “we must also strictly abide by the processing rules stipulated in law and fulfill personal information protection obligations,” Liu said. Caixin reported that other exceptions include public interest such as journalism and monitoring public opinion. The bill reportedly limits recording of images and deployment of personal identification equipment (read: facial recognition, immunity passports) to only public security purposes.
The draft has a separate section to govern personal data processing by state agencies but its details are currently unknown.
Obligations of data processors
From the press release, which is only available in Mandarin, it is not clear if the bill distinguishes between data controllers/fiduciaries and processors like the European Union’s General Data Protection Regulation (GDPR) and Indian’s Personal Data Protection Bill do.
Purpose limitation: Data must be processed in a legal way for clear, reasonable and limited purposes. This means, they cannot collect personal data for any other purposes than those communicated to the user before the user’s consent is taken. These principles have to be followed throughout the whole chain of personal data processing.
Processing user rights: Data processors have to appoint a person within their organisation to process users’ applications exercising their rights such as right to know, right to decide, right to inquire, right to correct, right to delete, etc.
Data security, audits, risk assessments: Data processors have to ensure accuracy of information and take data security and protection measures. Data processors will have to comply with the security obligations set in the draft, formulate internal management systems and operating procedures, and essentially designate a Data Protection Officer to will supervise personal data processing activities. The processors also have to conduct regular compliance audits of their processes and carry out risk assessments before processing sensitive personal data or sending personal data overseas. They will have to report data leaks and breaches, and the draft defines remedial obligations for such cases.
Cross-border data flows require certification, government approval
To send personal data across Chinese borders, the Bill has “provisions for certification by professional institutions”. The threshold for informed consent also becomes stricter for cross-border data flows but the press release doesn’t specify how. Before providing personal information overseas for international judicial assistance or administrative law assistance, people will first have to seek approval from “relevant competent authority”.
No new regulatory body
The Central Cyberspace Affairs Commission, which formulates and implements internet-related policies in the country, will be the personal data protection regulator as per the draft. Cyberspace Administration of China (CAC), the country’s agency that regulates the internet and controls access to it which is housed within the Commission, and the State Council, and the State Council, the executive branch of the Chinese government which is comparable to India’s Union Cabinet, will be responsible for personal data protection within their respective portfolios. That might lead to some overlap.
Critical information infrastructure: Critical information infrastructure operators and processors have to pass the security assessment set up by the country’s Central Cyberspace Affairs Commission if they process personal data beyond the threshold prescribed by the Commission.
Read our complete guide to India’s proposed personal data protection law here.