China data protection insights series - part 1

A quick guide to China’s upcoming personal data protection law and data security law.

20 July 2021

Publication

The Personal Information Protection Law (draft PIPL) has gone through its second reading, is now near final form and is expected to be finalised very soon. Once promulgated, it will be the first comprehensive law on personal data protection in China and one of the three pillars of China's data protection legal regime. It applies to the processing of internal employee data as well as external customer / user data. The draft PIPL borrows many key concepts from the GDPR, including but not limited to:

  • it proposes extra-territorial effect on overseas processing of personal data of China-based individuals for the purpose of offering products or services to, or for analysing and assessing the behaviour of such individuals;
  • it adds more legal bases for the processing of personal data, in addition to consent, which is the only lawful basis under existing law;
  • it introduces the concept of “risk assessment”, which is an equivalent to the Data Protection Impact Assessment under the GDPR but with lower triggering thresholds;
  • it sets out obligations to respond to data subject rights requests, which are very similar to those under the GDPR;
  • it requires certain organisations to appoint a DPO and/or China representative; and
  • similar to the GDPR, it sets out a very high threshold of administrative fines, up to 5% of the annual turnover or RMB 50 million, second only to antitrust violations in China, which can be subject to fines of up to 10% of the annual turnover.

At the same time, the draft PIPL retains an equal number of unique features reflecting local regulatory and business needs, such as:

  • legitimate interest is not included as one of the legal bases for processing personal data;
  • it proposes restrictions on the cross-border transfer of personal data. While the GDPR takes a destination-oriented approach to the issue, the draft PIPL focuses more on the nature of the transferor. Companies operating critical information infrastructure and/or processing a large quantity of personal data would be subject to heavier compliance obligations, such as completing a security assessment organised by the data authorities; and
  • in addition to administrative fines and civil compensation, serious breaches of data protection rules may attract criminal liability.

In addition, the new China Data Security Law (DSL) has just been promulgated and will take effect from 1 September 2021. As the first fundamental law on data security in China, the DSL sets out the overall principles and structure of China's data security legal regime from a national security and sovereignty point of view. A key concept under this new law is the categorised and hierarchical data protection system. The specific scope and catalogues of "important data" are to be formulated and published by regional and sectoral regulators. Cross-border transfer of such "important data" is subject to specific requirements.


This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.