China New Draft Personal Information Protection Law


In 2020, China published a draft Personal Information Protection Law (the "Draft"). This post walks through its main provisions: scope, consent, sensitive personal information, cross-border transfer, and penalties.


1. Scope of the draft application

 Personal information (PI) means "all kinds of information" relating to an identified or identifiable natural person that is recorded electronically or by other means. It excludes anonymized information, where anonymization is the processing of PI so that it can no longer identify a specific natural person and cannot be restored to its original state. The handling of PI covers collection, storage, use, processing, transmission, provision, disclosure and similar activities. The Draft calls the organizations and individuals that carry out these activities "personal information handlers" (PIHs): the parties that independently determine the purpose and method of handling and other related matters. Under Article 9, a PIH is responsible for its handling activities and must adopt the measures necessary to secure the PI it handles.

 The Draft protects the PI of natural persons and applies to:

a. handling activities conducted within mainland China by organizations and individuals, and
b. handling activities conducted outside mainland China by organizations and individuals, where the PI belongs to natural persons within mainland China and the handling is for the purpose of
(i) providing products or services to natural persons in mainland China,
(ii) analyzing or evaluating the behavior of natural persons in mainland China, or
(iii) other circumstances stipulated by laws and administrative regulations.

 Per Article 52, a PIH whose activities fall under (b) above must establish a specialized entity or appoint a representative in mainland China to handle matters relating to PI protection, and must report the name and contact information of that entity or representative to the government agencies responsible for PI protection.


2. Consent and Right to Be Informed

 Consent is the default legal basis for handling PI. The Draft allows handling without consent only in the following circumstances:
 (i) handling within a reasonable scope for the public interest, such as news reporting;
 (ii) handling that is necessary for
  (a) entering into or performing a contract to which the individual is a party,
  (b) performing statutory duties or obligations, or
  (c) responding to a public health incident, or protecting the life, health or property of natural persons in an emergency; or
 (iii) other circumstances stipulated by laws and administrative regulations.

 Consent must be given voluntarily and explicitly by an individual who has been fully informed of the handling. An individual may withdraw consent, and a PIH may not refuse to provide products or services because an individual declines to consent or withdraws consent, unless the PI in question is necessary for providing those products or services.


3. Sensitive PI

 "Sensitive personal information" is PI that, once leaked or unlawfully used, may lead to discrimination against an individual or serious harm to personal or property safety. The Draft lists race, ethnicity, religious belief, personal biometric features, medical history and health, financial accounts, and an individual's location (whereabouts). Like the GDPR, the Draft gives sensitive PI heightened protection, but the two definitions differ: the Draft is broader in listing financial account information and location, and narrower in that it does not list trade union membership, political opinions, genetic data, or information concerning a person's sex life. Handling sensitive PI requires the individual's separate consent, in addition to any consent already given for general PI handling.

 Under the Draft, image collection and personal identity recognition equipment may be installed in public places only where necessary to safeguard public security, and only with clear signage. The personal images and identifying information collected may be used solely for safeguarding public security and may not be disclosed to the public or provided to any third party, unless the collecting organization obtains the individual's separate consent or laws and administrative regulations provide otherwise.

 If a PIH knows or should know that PI belongs to a minor under the age of 14, it must obtain the consent of the minor's guardian. This is comparable to children's privacy law in the United States, although the threshold there (under COPPA) is under 13 rather than under 14.


4. Cross-Border Transfer

 A PIH that needs to provide PI outside mainland China for business reasons must meet at least one of the following conditions:
  (a) it passes a security assessment organized by the national cyberspace authorities. Under Article 40, critical information infrastructure operators, and PIHs whose handling volume reaches a threshold set by the national cyberspace authorities, must store PI collected or generated in mainland China within the mainland; where it is genuinely necessary to provide such PI abroad, they must pass this security assessment unless laws and administrative regulations provide otherwise;
  (b) it obtains PI protection certification from a professional agency;
  (c) it signs a contract with the overseas recipient that sets out the rights and obligations of both parties, and it supervises the recipient's handling activities to ensure they meet the protection standard required by the Draft; or
  (d) it meets other conditions stipulated by laws, administrative regulations, or the national cyberspace authorities.

 Unlike the GDPR, the Draft contains no mechanism for adequacy determinations of third countries; each of the routes above applies to the individual handler and transfer rather than to a destination jurisdiction.


5. Fines for violations of the Draft

 A violation of the Draft can result in an order to rectify, confiscation of unlawful income, and a fine of up to 1 million yuan on the PIH, together with a fine of between 10,000 and 100,000 yuan on the directly responsible person in charge and other directly responsible individuals. In serious cases, the fine on the PIH rises to up to 50 million yuan or 5% of the previous year's annual revenue. The PIH may also be ordered to suspend its business operations in China, and the matter may be reported to the relevant authorities for revocation of the related business permit or license; the directly responsible person in charge and other directly responsible individuals may be fined between 100,000 and 1 million yuan. Violations are also recorded in the handler's credit file and disclosed to the public.


 * This post is a summary of the following article:
 https://www.natlawreview.com/article/china-releases-draft-personal-information-protection-law