China Issued Second Draft of Personal Information Protection Law
China Data Protection Commentary
China recently published the second version of its draft Personal Information Protection Law (PIPL), seeking public comments until May 28, 2021. Most of the articles of the previous draft PIPL have been maintained in this second draft (Second Draft), but important modifications have been made to address new challenges to personal information protection. Here we summarize the highlights of the Second Draft:
1. Personal Information Processing Principle and Rules
The Second Draft PIPL further clarified and detailed the principles and rules for the processing of personal information:
1. New Processing Principles. The Second Draft clarified the principle of “data minimization” for the processing of personal information. It also stated that the processor of personal information (Data Processor) must use the method that will minimize the impact on the rights and interests of the subject of personal information (Data Subject). It also added a new principle of “accuracy”, which requires the Data Processor to ensure the quality of the personal information and avoid adverse implications for personal rights caused by inaccurate or incomplete personal information.
2. New Lawful Processing Grounds. In the previous PIPL draft, a Data Processor may process personal information based on any of the following lawful grounds:
- consent of Data Subjects;
- for concluding or performing a contract to which the Data Subject is a party;
- for performance of legal duties or legal obligations;
- for taking responsive measures to a public health emergency, or to protect the life, health and property of natural persons in an emergency situation;
- for news reporting, media supervision or other activities in the public interest, conducted within a reasonable extent;
- other situations as provided by laws and administrative regulations.
The Second Draft has added another lawful processing ground: a Data Processor may process personal information that has been disclosed to the public, within a reasonable extent. However, this lawful ground only allows processing for the purposes for which the personal information was disclosed to the public. If the processing goes beyond such purposes and may cause material implications to the Data Subject, the Data Processor will have to acquire consent.
In the meantime, the Second Draft emphasized the importance of the consent of Data Subjects. In particular, it requires such consent for disclosing to the public personal images and identification information collected by image collection and identification devices installed in public places. Furthermore, the Data Processor is also required to provide a convenient way for Data Subjects to withdraw consent.
3. New Rules for the Special Category of Personal Information. The Second Draft clarified that a Data Processor must obtain the consent of the minor’s parents or other guardian to process the personal information of the minor, regardless of whether the Data Processor knows or should know that it processes personal information of a minor. It also added that the rights to the personal information of a deceased person may be exercised by that person’s near relatives.
4. Standard Contract Clauses for Cross-Border Data Transfer. The Cyberspace Administration of China (CAC) will provide a standard contract for the international transfer of personal information between a Data Processor and the offshore recipient of personal information, which may enable the Data Processor to transfer relevant personal information to recipients outside of China.
5. Compliance Audit. The Second Draft adds that the Data Processor is obliged to perform regular compliance audits.
2. Enhanced Data Protection Obligations for Mega Internet Platforms
The Second Draft specifically enhanced the regulatory measures over internet platforms. It requires Data Processors that provide basic online platform services to a huge number of users and have complex business modes to perform the following additional obligations:
- set up an external independent supervisory board to supervise personal data processing;
- stop providing services to providers of products or services that have seriously violated laws and regulations in processing personal information; and
- publish periodic social responsibility reports.
We assume that relevant implementation regulations will be issued after the PIPL to provide the criteria for the above “Internet Platforms” and clarify the details of the obligations (e.g. the qualifications of the members of the supervisory board, and the necessary content and frequency of the social responsibility reports).
3. Cyberspace Administration - the Leading Data Protection Authority
The Second Draft further explains that the CAC shall be the authority that leads and coordinates personal information protection affairs. So far, the CAC, the communication authority and the public security authority (i.e. cyber police force) have been enforcing personal information protection related laws within their respective functions. Therefore, the coordination function of the CAC may avoid chaos and overlap among different authorities in future law enforcement.
4. Data Rights Infringement – Shift of the Burden of Proof
The Second Draft has also changed the burden of proof for the parties in civil legal actions against personal data infringement. According to the new rules, where any damage is caused in the processing of personal information, the Data Processor will be liable in tort and for the relevant compensation if it cannot prove that it is not at fault in its data processing activities. The compensation will be decided based on the damages suffered by the Data Subject or the benefit obtained by the Data Processor.
According to the legislation plan of the Chinese legislative authority, the PIPL is expected to be enacted in 2021. This implies that the Chinese lawmakers will perform a final review and pass the bill into law in a couple of months. Taking into account its comprehensiveness and broad scope of application, the PIPL will significantly change the compliance framework of Chinese companies, and even of foreign companies that process personal information of natural persons in the Chinese territory in their business activities. We recommend that our clients consider the imminent legal changes to be introduced by the PIPL when reviewing and updating their current data protection compliance programs. Garrigues will follow the legislation process closely and share with you the latest developments.