China unveils its personal data protection law

Details on China's personal data protection law.

30 October 2020

Publication

On 13 October 2020, the Draft of the Personal Data Protection Law ('Draft') was submitted to the 22nd meeting of the 13th National People's Congress ('NPC') Standing Committee for first reading. On 21 October 2020, the full text of the Draft was released on the NPC website to solicit public opinions. The Draft is open for public comments until 19 November 2020.

Once promulgated, the Personal Data Protection Law (in draft form), Data Security Law (in draft form) and Cybersecurity Law (in effect from 2017) will form a triangulated safeguard for data protection and cyber security in China. The Draft is the first draft primary law focusing on personal information protection. The Draft sets out key principles and rules in relation to the processing of personal information, the processing of sensitive personal information, cross-border transfers of personal information, special rules for data processing by governmental authorities, individuals' rights in relation to their personal information, the obligations of personal information processors, the roles and responsibilities of personal information protection regulatory authorities, liabilities and enforcement, etc.

Key points of the Draft include the following:

  • The Draft does not adopt the GDPR differentiation of 'data controller' and 'data processor' and instead uses the term 'data processor' to refer to any organisation or individual who controls and determines the purpose and method of its processing of personal data. Nonetheless, the Draft sets out some specific rules on the legal obligations and responsibilities of those entrusted to undertake personal data processing on behalf of data processors.

  • For the first time in any law in China, the Draft explicitly allows for lawful bases for the processing of personal information beyond individuals' consent. These include that the processing is necessary for the entering into or performance of a contract to which the individual is a party, or for compliance with legal duties and obligations to which the data processor is subject, or in response to public health incidents or to protect the vital interests of natural persons, or, to the extent reasonably necessary, for news reporting and media supervision for the purpose of protecting public interests.

  • 'Informed consent' is the standard when organisations rely on individuals' consent to carry out processing of personal information. Individuals shall be given comprehensive privacy information and have the right to withdraw consent at any time. The relevant individuals should be informed of any change to important matters, and renewed consent shall be obtained for the same. Data processors cannot refuse to provide products or services on the grounds that individuals refuse to have their personal information collected (unless such collection is necessary for the relevant provision of products or services).

  • The Draft will have extraterritorial effect once it becomes effective. The applicability scope extends to overseas processing of personal data of individuals within China where the processing activities are for the purpose of offering products or services to, or for analysing and assessing the behaviours of such individuals.

  • The Draft sets up a special section that places more stringent restrictions on the processing of sensitive personal information. Sensitive personal information can only be processed when the processing serves a specific purpose and is sufficiently necessary, and individuals' consent or written consent should be obtained. However, the concept of 'sensitive personal information' is not defined in the Draft. One may refer to the national standard 'Information Security Technology -- Personal Information Security Specification (GB/T 35273 - 2020)'.

  • The Draft grants significantly greater enforcement powers than the previous piecemeal rules relating to personal data protection and, on top of that, imposes much heavier personal liabilities on responsible personnel, which are not available under current Chinese law. Violations may lead to an administrative fine of up to RMB 50 million (approx. GBP 5.5 million) or up to 5% of the annual turnover of the preceding financial year in the case of an enterprise, and an administrative fine of up to RMB 1 million (approx. GBP 110,000) can be imposed on the person-in-charge or other personnel directly responsible. Note, however, that the turnover used in this calculation is that of the relevant data processor rather than its group or affiliates, which is a key difference from the position under the GDPR.

The Draft draws considerably on some well-established concepts and designs under the GDPR while balancing unique local practice, culture and business needs. Overall, the Draft has clarified the ground rules of personal data protection and made important breakthroughs which better align with the fast-developing data industry. No doubt the Personal Data Protection Law will be a significant milestone in China's data protection legal regime. Any business that is already established in, is looking to enter, or is tempted by this enormous and dynamic market should keep a close eye on the progress of the law.

This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.