China Issues Draft Legislation on Personal Information Protection

On October 21, the Standing Committee of the 13th National People’s Congress reviewed and issued the draft Personal Information Protection Law (中华人民共和国个人信息保护法 (草案)) to solicit public comments. Comments are due by November 19, 2020. If passed, the law will become China’s first national legislation on personal data.

Overall, the draft has 70 provisions covering five primary areas: the scope of application, the rules on personal information processing, the rules on cross-border flows of personal information, the rights of information owners and the obligations of information processors, and the obligations of relevant government agencies.

The draft places tight limits on the transfer of personal data outside the country. According to the draft, any company seeking to take users’ personal data outside China will undergo screening by cybersecurity authorities. Businesses involved in “critical information infrastructure,” such as telecommunications or finance, and those that handle large quantities of personal information, will have to store such data within China and undergo risk assessments before sending it abroad. The law would apply to all companies and organizations operating in China, as well as to any overseas businesses that handle the data of Chinese nationals.

The draft also specifies the rights of individuals and the obligations of processors in personal information processing activities, establishing a set of rules for personal information processing. Centered on the principle of “notification – consent,” the draft requires that personal information be processed only on the basis of full notification and consent, and allows individuals to withdraw that consent. Consent must be obtained again in the event of significant changes. The provision of products or services may not be refused because an individual withholds consent.

In addition to the data protection clauses, the draft explicitly states that retaliatory measures can be taken against countries or regions that impose discriminatory measures against China in this area. Given the timing of this bill, which follows efforts by the United States to ban the video-sharing platform TikTok and the chat app WeChat for national security and privacy reasons, the bill leaves room for China to take action against the United States for any moves that restrict Chinese apps and companies on data security grounds.

This draft is not the first piece of Chinese legislation on data exports. China passed the Cybersecurity Law in 2017, which requires important information and personal information collected by critical information infrastructure operators to be stored domestically, or to undergo a security review before being transferred to a third country when needed (Article 37). In addition, in July 2020, the Standing Committee of the National People’s Congress published a draft Data Security Law (unofficial translation here). That draft establishes an export control regime for data related to national security and international obligations (Article 23), and stipulates that reciprocal measures can be taken against other countries or regions that have allegedly imposed discriminatory restrictions or bans on trade and investment (Article 24).

The law, once finalized, will work in conjunction with several other regulations on data review that Beijing is formulating. For instance, the Cyberspace Administration of China (CAC) released the Measures on Cybersecurity Review, which regulates the processing of large amounts of data as well as critical information infrastructure operators. The data covered under the Measures could include personal information.

The CAC also issued the draft Personal Information Cross-Border Security Review Measures in June 2019, which require a security assessment by provincial agencies for all cross-border transfers of personal information. Before personal information can be transferred across the border, network operators shall report to provincial cyberspace agencies for a security assessment. The security assessment evaluates whether the transfer complies with the relevant national laws, regulations and policies; whether the contract fully protects the legitimate rights and interests of individuals; whether the contract is fully carried out; whether the network operator or recipient has a history of damaging the legitimate rights and interests of individuals; and whether the network operator obtained the personal information through a legal method (Article 6). In addition, the Measures require network operators to create and maintain a record of cross-border transfers of personal information for at least 5 years. Implementing regulations, which took effect this past June, stipulate that IT equipment purchases by critical information infrastructure operators must be reviewed if national security could be affected.