Privacy: Searching for guidance in China’s legal landscape - PwC China Compass

The PIPL could become China’s most comprehensive data law

The CSL establishes the legal principles of legality, necessity and propriety in the collection and use of personal data. Following these principles, network operators are required to notify data subjects of the purpose, means and scope of the collection and use of their personal data; they must also obtain consent from users before collecting personal data. The CSL also mandates that network operators safeguard the secrecy of any personal data collected and take proper measures to avoid disclosure, loss or damage. In the event of a data breach, network operators must notify the affected users, inform the relevant Chinese regulators and take remedial action. 

The PI Specification fills information gaps

The data privacy requirements set out in the CSL are, however, very general, and the law lacks detailed information on implementation. The National Information Security Standardization Technical Committee, a quasi-governmental institution, issued a non-binding guidance document titled Personal Information Security Specification (PI Specification) to fill the information gaps. Since its first issuance in 2017, there have been three rounds of amendments to the PI Specification, with the most recent version coming into force on October 1, 2020. 

The PI Specification was drafted based on the EU’s General Data Protection Regulation. It sets out many detailed requirements for data handling, including: 

• specific requirements for obtaining consent from data subjects; 
• determination of sensitive personal information and enhanced protection; 
• specific procedures for the collection, storage, processing and sharing of personal data; 
• special considerations for user profiling, data aggregation and automated decision-making functions; 
• detailed requirements for handling data incidents; and 
• organizational and management control for protecting personal data.

The PI Specification sets out many requirements for data handling

It is notable that certain requirements in the PI Specification are not fully consistent with the CSL. For example, the CSL does not provide for any exception to the requirement that users must consent to the collection of their personal data, but the PI Specification enumerates such exceptional circumstances (such as protecting the public interest and executing contracts). However, given that the PI Specification is non-binding, it is not clear how exemptions provided there would reconcile with the CSL in practice.

Key provisions of the Draft PIPL

On October 21, 2020, China’s top legislative body issued the draft Personal Information Protection Law (Draft PIPL) for public consultation until November 19, 2020. This can be seen as a major step towards finalizing China’s national data law. 

The Draft PIPL lays down significant new obligations in relation to the collection, use, processing and transfer of personal information.  If enacted, the PIPL will become China’s most comprehensive data law and will have a far-reaching impact on businesses both in and outside of China.

• Processing of personal data. The Draft PIPL also sets out the principles of legality, appropriateness, accuracy, transparency, use minimization and good faith for data processing. 
• Extra-territorial application. The Draft PIPL will apply to data processing outside China if such processing is for the purposes of providing products or services to Chinese individuals or for analyzing or evaluating the behaviors of individuals in China.
• Legal basis for data processing and exemptions from consent. The Draft PIPL provides a six-fold legal basis for processing personal data: (a) where data subjects have provided consent; (b) where processing is essential for entering into or performing contracts; (c) where processing is essential for performing statutory responsibilities; (d) where processing is essential for responding to public health emergencies or for protecting life, health or property safety under emergency situations; (e) where processing occurs for the publication of news and supervision of public opinion in the public interest; or (f) where processing is required in other circumstances as permitted by the relevant laws and regulations. The above legal foundation appears to be a major development from the CSL, which states that data collection and use must be based on consent given by data subjects and does not contain any express exemptions from the consent requirement, something that has generated considerable debate in the industry on whether such a rigid requirement is workable in practice.
• Cross-border data transfer. Under the Draft PIPL, where data processors need to transfer personal information abroad for business reasons, they must satisfy one of the following conditions: (a) if the data processor is categorized as a critical information infrastructure operator or processes personal information exceeding the volume prescribed by Chinese cyberspace regulators, the data process must pass a security assessment before the transfer, unless otherwise required under applicable laws and regulations; or (b) where a data processor does not fall into the above category, it may either arrange for the cross-border data transfer to be certified by a professional institution, or enter into an agreement with the foreign data recipient which specifies the rights and obligations of the parties involved and allows for monitoring of the data recipient located outside China, thereby ensuring that the processing meets the Draft PIPL protection standard. 
• Automated decision-making. The Draft PIPL requires that if an automated decision-making process is used for marketing or for push delivery of information to data subjects, data processors must offer data subjects the option of not having their personal characteristics targeted.
• Penalties and liabilities. One of the most eye-catching provisions in the Draft PIPL is the augmented enforcement against non-compliance. Companies found to be in violation of the legal requirements under the draft law will be subject to administrative fines of up to CNY50 million (approximately $7.6 million) or 5% of the preceding year’s annual turnover plus civil compensation. Individuals at such companies who are directly responsible could be fined up to CNY1 million (approximately $152,000). The Draft PIPL also states that Chinese regulators will adopt a blacklist system, where organizations or individuals found to have violated the rights of Chinese citizens or harmed China’s national security or the public interest will be put on a blacklist which will be made public.

Conclusion

As digital applications become more commonplace and digital systems more complex, businesses active in China will have to pay increased attention to how they handle personal data. At the same time, the guidance provided in this area by the country’s authorities has been sporadic and even inconsistent, despite China’s increasing focus on issues relating to digital security. The CSL does set out privacy requirements to a limited extent, and the non-binding PI Specification provides additional information, even if it is not entirely compatible with the CSL.

The Draft PIPL introduces significant new obligations companies must comply with in their business operations, and its augmented liability and penalty provisions clearly demonstrate the Chinese authorities’ intention to strengthen the protection of personal data. It is anticipated that Chinese regulators will remain active in enforcing the law against non-compliance. The costs resulting from violations are much higher compared to previous laws and regulations. Therefore, it is imperative that companies formulate data compliance and risk management strategies, or update existing strategies, for their operations in the Chinese market.