China: The Draft PIPL and the GDPR - A comparative perspective
Due to significant changes which are coming to China's data protection legal framework, organisations should carefully study how this new legislation compares to that of other jurisdictions with comprehensive data protection regulations in order to appropriately adapt their processing activities. Dora Luo, Partner at Hunton Andrews Kurth LLP, discusses this with reference to the provisions of the draft Personal Information Protection Law ('the Draft PIPL') and the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') in order to illuminate a way forward.
China's data protection laws are in a period of development and change. On 21 October 2020, the Chinese legislator released the Draft PIPL for public comments. The Draft PIPL provides comprehensive measures, including civil protection and administrative regulation, in the field of personal information. The Draft PIPL, together with two other fundamental laws on cybersecurity and data protection, the Cybersecurity Law of the People's Republic of China 2016 ('CSL') and the Data Security Law of the People's Republic of China (Draft) ('the Draft DSL'), brings about a new data protection legal regime in China. The CSL is the fundamental law regulating cyberspace, covering personal information and important data. The Draft DSL is the fundamental law regulating data security, establishing a legal framework for data security. The Draft PIPL marks the introduction of a comprehensive system for the protection of personal information in China which does not merely incorporate or replace rules already enshrined in other Chinese laws, but also draws inspiration from the EU's GDPR.
In this article, we will address several key legislative issues under the Draft PIPL by undertaking a comparative analysis of the Draft PIPL and the GDPR and assessing the similarities and differences between them. In particular, we will focus on the following points:
- key definitions;
- scope of jurisdiction;
- legal grounds for personal information processing;
- data protection principles;
- rights of data subjects;
- obligations of data processors;
- cross-border transfers of personal data; and
- legal liabilities.
Personal information vs. personal data
The definition of 'personal information' is a core and fundamental concept of the Draft PIPL as it directly defines the scope of protection. Pursuant to Article 4, the Draft PIPL defines 'personal information' as 'various types of electronic or otherwise recorded information relating to an identified or identifiable natural person,' which is generally consistent with the definition of 'personal information' under the CSL referring to 'various types of electronic or otherwise recorded information that can be used separately or in combination with other information to identify a natural person including but not limited to the name, date of birth, ID number, personal biometric information, address, phone number, etc. of natural persons.' Nevertheless, the use in the Draft PIPL of the concept of 'relating to' renders the coverage of personal information under that statute much broader in scope.
The core legal concept of personal information lies in 'the ability to identify a natural person alone or in combination with other information.' Some scholars take the view that personal information includes information that must be combined with other information before it identifies a natural person, i.e. 'indirect personal information.' In terms of 'identification,' elements that can individually identify a natural person are easier to define, for example an ID number or personal biometric information. However, the indirect limb, 'in combination with other information,' needs further discussion.
The term 'personal data' under the GDPR is broadly defined as any information relating to an identified or identifiable natural person (data subject)1. Furthermore, it specifies 'an identifiable natural person as one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.' The breadth of this definition has been criticised as somewhat ambiguous, with a resulting uncertainty of interpretation. Thus, although the GDPR is more comprehensive and prescriptive than the Draft PIPL, the definition of personal information under the Draft PIPL may prove easier to apply consistently in practice.
Personal sensitive information vs. special category data
The Draft PIPL recognises the category of 'personal sensitive information' as 'personal information that, once leaked or illegally used, may lead to personal discrimination or serious harm to personal and property safety, including race, nationality, religious belief, personal biological features, medical history, health, financial account, personal whereabouts and other information.' This category of data is subject to tighter restrictions on collection and processing.
Based on this definition, financial account information and personal whereabouts will be treated as 'personal sensitive information.' However, it is worth noting that financial account information and personal whereabouts are regularly processed by personal information processors, and these tight restrictions would hinder many common processing operations in practice. For instance, employers routinely process financial account information for payroll purposes, and financial account information is also processed in the context of fraud prevention. The personal whereabouts of individuals are regularly processed in relation to various location-based services, including rideshare, taxi services, GPS and map applications, etc. The requirement to obtain separate consent from data subjects before processing such whereabouts information may prove overly burdensome for organisations and may raise concerns of 'consent fatigue' among individuals. Moreover, there is an open-ended category of 'other information' in the definition of 'personal sensitive information.' Given that it is not clear how, and by whom, such 'other information' is to be defined, the inclusion of such a vague and broad category may create legal uncertainty in practice.
Meanwhile, personal sensitive information is not defined under the GDPR. The GDPR does however recognise 'special categories of personal data' as 'data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation,' which are subject to tighter restrictions2. Processing of special categories of personal data under the GDPR follows a model of general prohibition subject to enumerated exceptions. The Draft PIPL adopts a similar approach: personal sensitive information may be processed only for specific purposes and where sufficiently necessary, and only after obtaining the separate consent of the data subject.
Personal information processor vs. data controller
The Draft PIPL describes 'personal information processors' as 'the organisations or individuals that independently determine the purposes, means and any other matter relating to the processing of any personal information,' a role known as the 'data controller' in some other privacy laws. The GDPR provides the concepts of controller and processor. A controller is 'the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.' A processor is one who processes personal data on behalf of the controller. The GDPR thus distinguishes between the controller, which has the right to determine the means and purposes of processing personal data, and the processor, which processes personal data on behalf of the controller. The personal information processor as defined under the Draft PIPL therefore corresponds to the data controller under the GDPR, not to the GDPR processor.
A third party entrusted by the data processor to process personal information (e.g. a third-party service provider) under the Draft PIPL is similar to the data processor under the GDPR. If data processors process personal information together, the co-processors shall bear joint liability in cases of infringement of personal interests.
Where a data processor entrusts a third party to process personal information, both parties generally shall execute an agreement that includes the purpose of data processing, the processing mode, the types of personal information processed, protection measures, and both parties' rights and liabilities. In these cases, the data processor is responsible under the Draft PIPL for supervising the data processing activities. However, the Draft PIPL does not list specific supervision methods. After completion of performance of the contract or termination of entrustment, personal information must be returned or deleted.
With respect to the personal information processor role, the GDPR provides a more prescriptive and specific definition than the Draft PIPL.
Automated decision-making and profiling
The Draft PIPL introduces 'automated decision-making' and specifically defines it as 'addressing personal information to be automatically analyzed and evaluated by means of computing algorithms for decision-making.' Data processors are required to ensure the transparency of the decision and the fairness of the result. Where data subjects consider that automated decision-making has a significant impact on their interests, they are entitled to request that the data processor explain the outcome, and they have the right to refuse decisions made solely by automated means. If the data processor uses automated decision-making for marketing or push messaging, the data subject may also choose to receive marketing and push messages that do not target his or her personal characteristics.
Under the GDPR, the provisions on automated decision-making and profiling are designed to safeguard the rights, freedoms and legitimate interests of individuals where such processing produces legal effects or similarly significant effects on an individual, thus enhancing the individual's control over the use of personal data. Data subjects accordingly have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them. Under the GDPR this protection rests first on the data subject's right to be informed of the existence of such automated decision-making, rather than on the data subject's own assessment of significant impact as under the Draft PIPL; the right to object must then be actively exercised by the data subject.
The GDPR defines profiling as 'any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements3,' but does not provide a definition of automated decision making, as in Article 69 of the Draft PIPL. The Draft PIPL merely focuses on the analysis and evaluation of profiling processes, but does not address its predictive aspects. It appears that the Draft PIPL's concept of profiling is intended to be included within the definition of automated decision-making; however, the profiling process is based solely on personal information, while the automated decision-making process does not rely only on personal information.
Scope of jurisdiction
Extraterritorial or long-arm jurisdiction is applied under the Draft PIPL. Pursuant to Article 3 of the Draft PIPL, the law applies to the processing of personal information within the territory of the PRC, and also to cross-border processing activities of personal information of PRC individuals if the purpose of the processing is:
- to provide products or services to the PRC individuals;
- to analyse and evaluate the activities of the PRC individuals; or
- covered under other circumstances prescribed by laws and administrative regulations.
Furthermore, the data processors which are located outside of China but governed by the Draft PIPL are required to establish an entity or appoint a representative in charge of personal information protection. The name of the entity or name and contact information of the representative must be filed with the relevant Chinese authorities.
The GDPR's territorial scope covers (i) the processing of personal data in the context of the activities of an establishment of a controller or processor in the EU, regardless of whether the processing takes place in the EU, and (ii) the processing of personal data of data subjects in the EU by a controller or processor not established in the EU, where the processing relates to either offering goods or services to data subjects in the EU or monitoring their behaviour, as far as that behaviour takes place within the EU. Thus, the Draft PIPL is generally consistent with the GDPR regarding territorial scope.
Legal grounds for personal information processing
Personal information processing can be useful for individuals and organisations as well as for the economy and society as a whole. Its greatest benefits lie in enhanced efficiency, resource savings, customisation of services and products, and optimisation of public governance. However, such processing may present significant challenges and threats to individuals' rights and freedoms. It can take place without the knowledge of the individuals concerned, or without their understanding of what is involved. Protection of personal data therefore plays an important role in light of the fundamental right to respect for private life, as advanced technical capabilities increasingly intrude on the privacy and autonomy of individuals.
In response to such risks, pursuant to Article 13 of the Draft PIPL, data processors are permitted to process personal data solely based on:
- voluntary and informed consent of the data subject;
- the necessity to execute or perform a contract;
- the necessity to perform a legal obligation or legal duty;
- response to an emergency public health event or the necessity to protect the safety of an individual's life and property;
- news publication and supervision by public opinion for public interests within reasonable scope; or
- other circumstances as stipulated by laws and administrative regulations.
Further, the Draft PIPL imposes heightened consent requirements, such as separate consent and written consent, in several places. According to Article 14, any consent must be given by the individual voluntarily and explicitly, with full knowledge. These requirements resemble the consent requirements under the GDPR, which defines consent in Article 4(11) as any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. Although the Draft PIPL introduces the above six legal grounds for processing, certain forms of important personal information processing in the current era of Big Data may nonetheless fall outside the scope of those grounds.
Apart from consent, the processing grounds provided in the Draft PIPL all relate to very specific information processing situations which are common in daily life. Though consent may be a legal basis for data processing, in many circumstances it would be impractical, impossible, or ineffective to obtain consent, either because there is no direct interaction with the data subject, or because it would be counterproductive to obtain consent if the data processing is for cybersecurity or prevention of crime.
The GDPR sets out six legal grounds on which the processing of personal data is lawful4:
- the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
- processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- processing is necessary for compliance with a legal obligation to which the controller is subject;
- processing is necessary in order to protect the vital interests of the data subject or of another natural person;
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; and
- processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Data processing activities must be based on at least one of the above grounds. Under EU law, these legal bases carry equal weight. Note that, in comparison to the legal grounds for data processing under the GDPR, there is no legitimate interests legal basis under the Draft PIPL. Under the GDPR, a balancing test is carried out to weigh the legitimate interests of the data controller or third party against the interests or fundamental rights and freedoms of the data subject. The legitimate interests ground is not only essential for processing related to fraud and crime prevention. Other processing scenarios that may be addressed by this ground include information, network, system and cybersecurity; processing personal information in employment contexts; corporate operations and due diligence; product development and enhancement; and communications, marketing and business intelligence5. Indeed, in the growing data economy, the legitimate interests ground for processing will become increasingly important to enable a broad range of data processing activities not covered by other grounds but essential for a well-functioning digital economy and for organisations' ability to innovate.
Data protection principles
The Draft PIPL establishes seven principles for data processing, including legality (Article 5), explicit purpose (Article 6), minimum necessity (Article 6), transparency (Article 7), accuracy (Article 8), accountability and data security (Article 9), and storage limitation (Article 20). The Draft PIPL is similar to the GDPR in this respect.
Under the GDPR, personal data processing is subject to the principles of lawfulness, fairness and transparency6, purpose limitation7, data minimisation8, accuracy9, storage limitation10, integrity and confidentiality11, and accountability12. In any event, the principles of data protection continue to apply and serve as a boundary against abusive practices.
Rights of the data subject
The Draft PIPL provides extensive rights to data subjects. Pursuant to Article 44, data subjects have the right to know, right to decide on, and right to limit or object to, the processing of their personal information by others. Data subjects also have the right to access and copy their personal information from data processors (Article 45) and the right to request that data processors correct or complete their personal information (Article 46). Under certain circumstances, data subjects have the right to request deletion of their personal information (Article 47), the right to withdraw consent, and the right to request that the data processor explain the processing rules (Article 48).
By contrast, the GDPR confers a broader set of rights on data subjects than the Draft PIPL. In addition to the right to be informed, the right to object to or restrict processing, the right of access, the right to rectification and the right to erasure, the GDPR provides a right to data portability, which is not prescribed in the Draft PIPL; this right allows data subjects to receive their personal data and transmit it to another controller. The GDPR also provides for exceptions, in that 'the exercise of the right to data portability shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, and shall not adversely affect the rights and freedoms of others'13. These rights reflect the philosophy that the data subject should retain full control over his or her personal data.
The obligations of data processors
The Draft PIPL enumerates the obligations of data processors with respect to data processing in an independent chapter. The obligations include establishing internal administrative policies and operating procedures, implementing the classified and hierarchical administration of personal information, making reasonable determinations regarding permission for data processing, conducting regular training and education, establishing and implementing contingency plans, adopting technical security measures such as anonymisation and encryption, and conducting regular audits of personal information processing activities.
According to Article 51 of the Draft PIPL, if the volume of personal information processed reaches a threshold level as identified by Chinese regulators, the data processor must appoint a data protection officer ('DPO') responsible for personal information processing.
The data processor is required to conduct an advance risk assessment before processing sensitive personal information, making cross-border transfers of personal information, carrying out automated decision-making on personal information, entrusting a third party to process personal information, providing personal information to a third party, or disclosing personal information.
The Draft PIPL tracks most of the GDPR provisions on the obligations of data processors, with the exception of a breach notification time limit. In the event of a data breach, the data processor is required to take remedial measures immediately and to notify the relevant regulator and the data subjects. The Draft PIPL specifies the content to be included in the notification. If the measures taken by the data processor can effectively avoid harm caused by the disclosure of personal information, the data processor need not notify the data subjects unless the regulator determines otherwise.
Under the GDPR, the controller is responsible for implementing appropriate technical and organisational measures, including appropriate data protection policies such as anonymising, pseudonymising, and encrypting data to ensure data processing in compliance with GDPR.
The GDPR also requires both controllers and processors to appoint a DPO in certain circumstances, namely where the processing is carried out by a public authority or body, where the organisation's core activities consist of regular and systematic monitoring of individuals on a large scale, or where its core activities consist of large-scale processing of special categories of data or data relating to criminal convictions and offences.
Under Article 35 of the GDPR, the controller must, prior to the processing, carry out a Data Protection Impact Assessment ('DPIA') where the envisaged processing is likely to result in a high risk to the rights and freedoms of natural persons, assessing the particular likelihood and severity of the risk in light of the nature, scope, context and purposes of the processing and the sources of the risk. Pursuant to Article 35(3)(a), a DPIA is required in particular in the case of a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person. The DPIA should include, in particular, the measures, safeguards and mechanisms envisaged for mitigating that risk, ensuring the protection of personal data and demonstrating compliance with the GDPR.
Under the GDPR, the supervisory authority must be notified without undue delay and, where feasible, no later than 72 hours after the controller becomes aware of the breach; data subjects must be notified without undue delay where the breach is likely to result in a high risk to their rights and freedoms. In contrast, the Draft PIPL requires 'immediate' notification without specifying a time limit. Finally, the GDPR provides further measures to support data protection compliance, such as adherence to codes of conduct and certification mechanisms.
Cross-border transfer of personal data
The Draft PIPL provides three compliance options for cross-border transfers of personal information. First of all, for critical information infrastructure ('CII'), any cross-border transfer of personal data shall be subject to a mandatory security assessment before transferring any personal data outside of China. For other general network operators which are not CII, there are two other options: one is to undertake a personal information protection certification conducted by recognised institutions in accordance with regulations of the Cyberspace Administration of China ('CAC'); the other is that the data processor shall sign a cross-border transfer agreement with the recipient who is located outside of China and ensure that the processing meets the protection standard provided under the Draft PIPL. Note that, if the volume of data processed by the data processor exceeds the level stipulated by the CAC, then the cross-border transfer of personal information must comply with the security assessment conducted by the CAC.
For any cross-border transfer of personal information, in addition to the above compliance requirement, the data processor must also inform the data subjects of the identity and contact information of the overseas receiving party, the purpose of data processing, the processing mode, the type of personal information to be processed, and the way data subjects can exercise their rights provided under the Draft PIPL, as well as obtaining separate consent from the data subjects.
In terms of cross-border transfer of personal information for the purpose of providing international judicial assistance and law enforcement assistance, the transfer shall be approved by a competent authority.
Under the Draft PIPL, if an entity or individual infringes the personal information interests of Chinese citizens or if any nation or region adopts unreasonable measures towards China with respect to personal information protection, the CAC may take certain countermeasures.
Under the GDPR, a controller or processor may transfer personal data outside the EU without obtaining consent from the data subject, provided that an adequate level of protection is ensured or appropriate safeguards are implemented in the form of Standard Contractual Clauses ('SCCs'), Binding Corporate Rules ('BCRs'), approved codes of conduct or approved certification mechanisms. In the absence of an adequacy decision and appropriate safeguards, the transfer may proceed only under one of the derogations for specific situations, such as the data subject's explicit consent to the proposed transfer. The cross-border transfer agreement under the Draft PIPL may be similar to SCCs, and certification by recognised institutions under the Draft PIPL may be similar to the GDPR's approved certification mechanisms. These mechanisms will require further analysis once implementation rules for the Draft PIPL are released. Codes of conduct and BCRs are not provided for under the Draft PIPL as a basis for transfers to third countries.
Legal liabilities
The Draft PIPL enlarges the range of penalties beyond those provided in the CSL. In addition to the CSL's orders for rectification, confiscation of illegal gains, warnings, fines of up to RMB 1 million (approx. €126,340), business suspensions, business halts for rectification, and revocation of relevant permits or business licences, the Draft PIPL stipulates that in serious cases, similarly to the GDPR, data processors may be subject to fines of up to RMB 50 million (approx. €6,316,830) or up to 5% of the prior year's revenue. The Draft PIPL also imposes liability on the person in charge and other directly liable individuals for serious violations.
Under the GDPR, the most serious infringements attract the highest tier of penalties pursuant to Article 83(5): administrative fines of up to €20 million or up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher. In addition, EU Member States may lay down their own rules on penalties for infringements not subject to administrative fines under Article 83 of the GDPR.
Although the Draft PIPL is similar to the GDPR in most of the eight respects discussed above, there are differences in legal grounds, data subject rights, processor obligations and cross-border data transfers. While the GDPR provides a wide range of legal grounds, the legitimate interests ground is not included in the Draft PIPL. Among the data subject rights contained in the GDPR, the right to data portability is missing from the Draft PIPL. As regards the obligations of data processors, the GDPR adds a breach notification time limit and further measures such as adherence to codes of conduct or certification mechanisms. Regarding cross-border data transfers, the Draft PIPL does not provide for codes of conduct or BCRs, and, unlike the GDPR, it requires the data subject's separate consent even where a transfer mechanism is in place. Some definitions vary between the two laws, but different wording often expresses a similar meaning: for instance, personal sensitive information in the Draft PIPL is similar to special categories of personal data under the GDPR. The GDPR does not define automated decision-making, whereas the Draft PIPL defines it without separately describing profiling, which appears to be subsumed within that definition.
In the current era, the development of advanced technology and the capabilities of Big Data analytics make data storage larger and data transmission and computing power faster, so as to facilitate the collection of more personal information than before. Data processing is widely applied in both private and public sectors such as banking and finance, healthcare, taxation, insurance, marketing and advertising, etc. as well as in Big Data technology, artificial intelligence and Internet of Things devices. Although the benefits are obvious, the accompanying challenges and threats are attracting increased attention from competent authorities. The Draft PIPL has adopted and referenced the GDPR while reflecting particular Chinese characteristics.
As a single unified and integrated personal information protection law in China, once the Draft PIPL is finalised and comes into force, it will play a vital and comprehensive role in governing and regulating personal information protection in China in the very near future. Together with CSL and the Draft DSL, the Draft PIPL will bring about a relatively complete data protection legal framework in China.
Dora Luo Partner
Hunton Andrews Kurth LLP, Beijing
1. Article 4(1) of the GDPR.
2. Article 9(1) of the GDPR.
3. Article 4(4) of the GDPR.
4. Article 6(1) of the GDPR.
5. See CIPL White Paper on Recommendations for Implementing Transparency, Consent and Legitimate Interest under the GDPR, 19 May 2017, available at: https://www.informationpolicycentre.com/uploads/5/7/1/0/57104281/cipl_recommendations_on_transparency_consent_and_legitimate_interest_under_the_gdpr_-19_may_2017-c.pdf
6. Article 5(1)(a) of the GDPR.
7. Article 5(1)(b) of the GDPR.
8. Article 5(1)(c) of the GDPR.
9. Article 5(1)(d) of the GDPR.
10. Article 5(1)(e) of the GDPR.
11. Article 5(1)(f) of the GDPR.
12. Article 5(2) of the GDPR.
13. Article 20(3) and (4) of the GDPR.