by Takaya Terakawa

China has been actively updating its data protection legislation since 2017. Because little information is available in English, many privacy professionals outside China have difficulty getting an overview of China's data protection related legislation. So, before explaining China's draft Personal Information Protection Law (PIPL), let me summarise the recent key developments to help you see the big picture. Below is a summary of the most notable recent developments in China.
Overview of data protection legislation in China
June 2017: Cybersecurity Law (CSL) was enacted.
December 2019: Classified Cybersecurity Protection Scheme (CCSP, a.k.a. MLPS), a part of CSL, was updated to MLPS 2.0.
January 2020: Encryption Law was enacted.
October 2020: First draft Personal Information Protection Law (PIPL) was promulgated.
April 2021: Second draft Personal Information Protection Law (PIPL) was promulgated.
June 2021: Data Security Law was enacted.
These laws share three common data protection concerns: data security, personal information protection (PI protection), and cross-border data transfer.
CSL covers all three topics. The Encryption Law covers data security and PI protection. PIPL covers PI protection and cross-border data transfer. The Data Security Law covers data security and cross-border data transfer. The key elements used in these laws are technical measures (i.e., MLPS 2.0) and governance. So, when you operate in China, you need to be certified under MLPS 2.0 and establish a solid governance structure inside your organisation.
In practice, cybersecurity related issues are mainly administered by the Ministry of Public Security, and privacy related issues are mainly administered by the Ministry of Industry and Information Technology.
China’s Personal Information Protection Law (2nd draft)
China’s PIPL, first promulgated on Oct. 21st, 2020, and then updated on Apr. 29th, 2021, will be China's first comprehensive personal information protection law. It is expected to be enacted in late 2021.
In general, PIPL is true to global data protection principles, and it resembles the GDPR in many respects, such as definitions, transparency requirements, extraterritorial application, representatives, and vendor management. Of course, PIPL has some unique features, such as its cross-border data transfer and data localisation requirements.
Scope: PIPL applies to the processing of PI within the borders of the People’s Republic of China. It does not apply to processing activities taking place in Hong Kong, Taiwan, and Xiamen (Art. 3 PIPL).
Basic Definitions: Personal Information, Sensitive Personal Information, and Processing
“Personal information” (PI) means electronic or non-electronic information about identified or identifiable natural persons (Art. 4 PIPL).
“Sensitive personal information” (sensitive PI) means “personal information that, once leaked or illegally used, may cause discrimination against individuals or grave harm to personal or property security” (Art. 29 PIPL). Sensitive PI under PIPL includes “financial account” and “individual location tracking”, so its coverage is wider than that of the GDPR.
“Processing” means “personal information collection, storage, use, processing, transmission, provision, publishing, etc.” (Art. 4 PIPL).
Controller and Processor
While PIPL does not use the concepts of “controller” or “processor”, the term “個人情報処理者” (PI handler) is equivalent to “controller”. The PI handler is responsible for PI processing and is required to implement the necessary security measures (Art. 9 PIPL).
PIPL specifies processing principles, which are lawfulness (Art. 5 PIPL), purpose limitation and data minimisation (Art. 6 PIPL), openness and transparency (Art. 7 PIPL), and data quality (Art. 8 PIPL).
Legal Bases for Processing PI
Processing PI requires a legal basis. PIPL has six legal bases: consent, performance of a contract, statutory duties, vital interests, public interest, and legal requirements (Art. 13 PIPL).
Under PIPL, an individual must be fully informed and voluntarily make a clear manifestation of consent (Art. 14 PIPL). An individual has the right to withdraw consent, and withdrawing consent must be as easy as giving it (Art. 16 PIPL). A PI handler cannot refuse to provide goods or services just because an individual withdrew his/her consent (Art. 17 PIPL).
When a PI handler processes PI of a minor who is under the age of 14, the PI handler must obtain parental consent (Art. 15 PIPL).
When PI processing poses a higher risk to individuals, the PI handler must obtain explicit, or separate, consent. A PI handler must obtain explicit consent when it discloses PI to a third party or to the public, when it performs monitoring in a public space, when it processes sensitive PI, or when it transfers PI outside of mainland China.
A PI handler must present a privacy notice before starting its processing activity. The language must be clear, easy to understand and prominent. The notice must include the identity and contact details of the PI handler, the purpose of PI processing, how PI is collected, what categories of PI are collected, how long the collected PI is retained, and the method for exercising individuals’ rights (Art. 18 PIPL). For processing sensitive PI or transferring PI outside of China, additional information is required (Art. 31 and Art. 39 PIPL).
Where a PI handler outsources some PI processing, it must conclude a contract with the entrusted party that specifies the purpose of the outsourced processing, the time limit, the processing method, the categories of PI, the safeguard measures, and the rights and duties of both sides. The PI handler must supervise the entrusted party to ensure that it processes PI as agreed. The entrusted party cannot outsource part or all of the PI processing to another party without obtaining the PI handler’s consent (Art. 22 PIPL).
PIPL grants a variety of rights to individuals: the right to be informed (Art. 44 PIPL, Art. 48 PIPL), the right of access, including obtaining a copy of PI (Art. 45 PIPL), the right to correction (Art. 46 PIPL), the right to deletion (Art. 47 PIPL), and the right not to be subject to solely automated decision making (Art. 25 PIPL).
Interestingly, PIPL provides for the rights of relatives of a deceased person, stating that “when a natural person is deceased, the rights of the individual as to PI processing activities shall be exercised by relatives” (Art. 48 PIPL).
PI handlers that process a large amount of PI must designate a person responsible for PI processing. This person oversees PI processing practices and introduces appropriate safeguards. The threshold for “a large amount of PI” will be decided by the state cybersecurity and information department. The contact information of the responsible person must be published and registered with the supervisory authorities (Art. 52 PIPL).
Where a PI handler engages in high-risk PI processing, it must perform a personal information protection impact assessment (PIA) before starting the processing activity. Such high-risk processing includes processing sensitive PI, using automated decision making, outsourcing PI processing, disclosing PI, publishing PI, and performing cross-border PI transfers.
The PI handler must assess the lawfulness of the purpose and methods, as well as the impact and risk of the PI processing on individuals, so that it can evaluate whether the safeguards provided are legal, effective, and suitable to the degree of risk. The PIA result must be retained for at least three (3) years (Art. 55 PIPL).
When a breach occurs, a PI handler must immediately adopt remedial measures and notify the supervisory authorities and, if necessary, the individuals. The notification must include the cause of the breach, the categories of PI affected and the harm that may result, the remedial measures adopted, how individuals may mitigate the risk, and the contact information of the PI handler (Art. 56 PIPL).
A PI handler may transfer PI outside of China using the China SCCs (Art. 38 PIPL). If a PI handler processes more than 500k individuals’ PI or 1,000 GB of PI a year, cross-border PI transfers must go through a security assessment by the supervisory authority, and the data must be stored locally inside China (Art. 40 PIPL). When a PI handler processes the PI of individuals in China but does not have an entity inside China, it must designate a representative inside China (Art. 29 PIPL).
Takaya Terakawa, Privacy & Security Professional (CIPP/E, CIPM) (ISMS), Book author, Head of Country, Japan, for The Cybersafety Group.